nixos/server/duckdns-updater: refactor
thiagokokada committed Sep 18, 2023
1 parent b5de849 commit e073a38
Showing 3 changed files with 17 additions and 11 deletions.
2 changes: 1 addition & 1 deletion hosts/hachune-nixos/default.nix
Expand Up @@ -31,7 +31,7 @@ in
tailscale.enable = true;
duckdns-updater = {
enable = true;
enableCerts = true;
certs.enable = true;
domain = "hachune-nixos.duckdns.org";
};
};
6 changes: 4 additions & 2 deletions hosts/mirai-vps/default.nix
Expand Up @@ -31,10 +31,12 @@
tailscale.enable = true;
duckdns-updater = {
enable = true;
enableCerts = true;
useHttpServer = true;
domain = "mirai-vps.duckdns.org";
onCalendar = "daily"; # fixed IP, mostly for health checking
certs = {
enable = true;
useHttpServer = true;
};
};
};
system.smart.enable = false;
20 changes: 12 additions & 8 deletions nixos/server/duckdns-updater.nix
Expand Up @@ -3,12 +3,15 @@ let
inherit (config.meta) username;
group = config.users.users.${username}.group;
cfg = config.nixos.server.duckdns-updater;
httpPort = 80;
in
{
options.nixos.server.duckdns-updater = {
enable = lib.mkEnableOption "DuckDNS config";
enableCerts = lib.mkEnableOption "generate HTTPS cert via ACME/Let's Encrypt";
useHttpServer = lib.mkEnableOption "use Lego's built-in HTTP server instead a request to DuckDNS";
certs = {
enable = lib.mkEnableOption "generate HTTPS cert via ACME/Let's Encrypt";
useHttpServer = lib.mkEnableOption "use Lego's built-in HTTP server instead a request to DuckDNS";
};
domain = lib.mkOption {
# TODO: accept a list of strings
type = lib.types.str;
Expand Down Expand Up @@ -90,14 +93,14 @@ in
};
};

security.acme = lib.mkIf cfg.enableCerts {
security.acme = lib.mkIf cfg.certs.enable {
acceptTerms = true;
certs.${cfg.domain} = {
inherit group;
email = "[email protected]";
dnsProvider = lib.mkIf (!cfg.useHttpServer) "duckdns";
credentialsFile = lib.mkIf (!cfg.useHttpServer) cfg.environmentFile;
listenHTTP = lib.mkIf cfg.useHttpServer ":80"; # any other port needs to be proxied
dnsProvider = lib.mkIf (!cfg.certs.useHttpServer) "duckdns";
credentialsFile = lib.mkIf (!cfg.certs.useHttpServer) cfg.environmentFile;
listenHTTP = lib.mkIf cfg.certs.useHttpServer ":${toString httpPort}"; # any other port needs to be proxied
postRun = ''
${lib.getBin pkgs.openssl}/bin/openssl pkcs12 -export -out bundle.pfx -inkey key.pem -in cert.pem -passout pass:
chown 'acme:${group}' bundle.pfx
Expand All @@ -107,9 +110,10 @@ in
};

systemd.services."acme-${cfg.domain}" = {
after = lib.mkIf cfg.useHttpServer [ "duckdns-updater.service" ];
after = lib.mkIf (cfg.certs.enable && cfg.certs.useHttpServer) [ "duckdns-updater.service" ];
};

networking.firewall.allowedTCPPorts = lib.mkIf cfg.useHttpServer [ 80 ];
networking.firewall.allowedTCPPorts =
lib.mkIf (cfg.certs.enable && cfg.certs.useHttpServer) [ httpPort ];
};
}
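Review bot: Setting `certs.useHttpServer = true` without `certs.enable = true` is now silently ignored — the firewall rule and the `after` ordering at the end of the hunk are gated on both flags, and `listenHTTP` sits inside the `mkIf cfg.certs.enable` block — so a misconfigured host gets neither a cert nor an error; an assertion would make the coupling explicit, e.g. `assertions = [ { assertion = cfg.certs.useHttpServer -> cfg.certs.enable; message = "nixos.server.duckdns-updater: certs.useHttpServer requires certs.enable"; } ];`. The `certs.useHttpServer` description should also state its security-relevant side effect, namely that it opens TCP port 80 (`httpPort`) in the firewall to everyone for as long as the module is enabled, not just during a challenge (and "instead a request" should read "instead of a request"). The `after = [ "duckdns-updater.service" ]` on the ACME unit is ordering only; if the intent is that the DuckDNS record is refreshed before the HTTP-01 challenge runs, it presumably also needs `wants` or `requires` on that unit — worth confirming. The enclosing `config` attrset starts outside this hunk.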
