Move dyndns into separate module

flake.nix

@@ -147,6 +147,7 @@
 
       nixosModules = {
         common = ./modules/common;
+        dyndns = ./modules/dyndns;
         immich = ./modules/immich.nix;
         monitoring = ./modules/monitoring;
         netbox = ./modules/netbox.nix;

modules/dyndns/default.nix

@@ -0,0 +1,52 @@
+{ inputs
+, config
+, pkgs
+, lib
+, ...
+}:
+let
+  cfg = config.dyndns;
+in
+{
+  options.dyndns = {
+    enable = lib.mkOption {
+      default = false;
+    };
+    IPv4 = lib.mkOption {
+      default = false;
+    };
+    IPv6 = lib.mkOption {
+      default = false;
+    };
+    hostname = lib.mkOption {
+      default = "";
+    };
+    zone = lib.mkOption {
+      default = "";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sops.secrets."dyndns/environment" = {
+      sopsFile = "${inputs.self}/secrets/common.yaml";
+    };
+
+    systemd.timers."dyndns" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "1m";
+        OnUnitActiveSec = "1m";
+        Unit = "dyndns.service";
+      };
+    };
+
+    systemd.services."dyndns" = {
+      serviceConfig = {
+        EnvironmentFile = config.sops.secrets."dyndns/environment".path;
+        script = "${./dyndns.sh} ${lib.mkIf cfg.IPv4 "-4"} ${lib.mkIf cfg.IPv6 "-6"} -h ${cfg.hostname} -z ${cfg.zone}";
+        Type = "oneshot";
+        User = "root";
+      };
+    };
+  };
+}

modules/dyndns/dyndns.sh

@@ -0,0 +1,50 @@
+#! /usr/bin/env bash
+
+while getopts 46h:z: opt
+do
+  case $opt in
+    4) declare -r FLAG_IPV4=true;;
+    6) declare -r FLAG_IPV6=true;;
+    h) declare -r HOSTNAME=${OPTARG}
+    z) declare -r ZONE=${OPTARG}
+  esac
+done
+
+[ -n $HOSTNAME -o -n $ZONE] || (echo 'Argument missing please set hostname and domain using -h and -z flag'; exit 1)
+[ -v $FLAG_IPV4 -o -v $FLAG_IPV6 ] || (echo 'No IP version selected. Please set IP version using -4 and/or -6'; exit 1)
+
+ZONE_ID=$(curl -s "https://dns.hetzner.com/api/v1/zones" -H "Auth-API-Token: $HETZNER_API_KEY" | jq -r --arg ZONE $ZONE '.zones.[] | select(.name==$ZONE) | .id')
+
+if [ -v $FLAG_IPV4 ]; then
+  RECORDID_V4=$(curl -s "https://dns.hetzner.com/api/v1/records?zone_id=$ZONE_ID" -H "Auth-API-Token: $HETZNER_API_KEY" | jq -r --arg HOSTNAME $HOSTNAME '.records.[] | select(.name==$HOSTNAME) | select(.type=="A") | .id') || (err=$?; printf "Get recordid A failed with %s" "$err"; exit 1)
+  CURRENT_V4=$(curl -s4 https://ip.hetzner.com) || (err=$?; printf "Get current IPv4 failed with %s" "$err"; exit 1)
+  DNS_V4=$(curl -s "https://dns.hetzner.com/api/v1/records/$RECORDID_V4" -H "Auth-API-Token: $HETZNER_API_KEY" | jq ".record.value") || (err=$?; printf "Get A record failed with %s" "$err"; exit 1)
+  if [ $CURRENT_V4 = $DNS_V4 ]
+  then
+    echo "IPv4 already up to date"
+  else
+    echo "$DNS_V4 => $CURRENT_V4"
+    curl -s -X "PUT" "https://dns.hetzner.com/api/v1/records/$RECORDID_V4" \
+      -H 'Content-Type: application/json' \
+      -H "Auth-API-Token: $HETZNER_API_KEY" \
+      -d $'{"value": "'$CURRENT_V4'", "ttl": 60, "type": "A", "name": "'$HOSTNAME'", "zone_id": "'$ZONE_ID'"}' \
+      || (err=$?; printf "Updating A record failed with %s" "$err"; exit 1)
+  fi
+fi
+
+if [ -v $FLAG_IPV6 ]; then
+  RECORDID_V6=$(curl -s "https://dns.hetzner.com/api/v1/records?zone_id=$ZONE_ID" -H "Auth-API-Token: $HETZNER_API_KEY" | jq -r --arg HOSTNAME $HOSTNAME '.records.[] | select(.name==$HOSTNAME) | select(.type=="AAAA") | .id') || (err=$?; printf "Get recordid A failed with %s" "$err"; exit 1)
+  CURRENT_V6=$(curl -s6 https://ip.hetzner.com) || (err=$?; printf "Get current IPV6 failed with %s" "$err"; exit 1)
+  DNS_V6=$(curl -s "https://dns.hetzner.com/api/v1/records/$RECORDID_V6" -H "Auth-API-Token: $HETZNER_API_KEY" | jq ".record.value") || (err=$?; printf "Get A record failed with %s" "$err"; exit 1)
+  if [ $CURRENT_V6 = $DNS_V6 ]
+  then
+    echo "IPv6 already up to date"
+  else
+    echo "$DNS_V6 => $CURRENT_V6"
+    curl -s -X "PUT" "https://dns.hetzner.com/api/v1/records/$RECORDID_V6" \
+      -H 'Content-Type: application/json' \
+      -H "Auth-API-Token: $HETZNER_API_KEY" \
+      -d $'{"value": "'$CURRENT_V6'", "ttl": 60, "type": "AAAA", "name": "'$HOSTNAME'", "zone_id": "'$ZONE_ID'"}' \
+      || (err=$?; printf "Updating AAAA record failed with %s" "$err"; exit 1)
+  fi
+fi

nodes/heptifili/default.nix

@@ -3,6 +3,7 @@
 }:
 {
   imports = [
+    inputs.self.nixosModules.dyndns
     inputs.self.nixosModules.syncthing
     inputs.self.nixosModules.restic-server
     ./disko.nix

nodes/heptifili/networking.nix

@@ -13,6 +13,13 @@ in
     physicalConnections = [ (mkConnectionRev "Fritz!Box" "*") ];
   };
 
+  dyndns = {
+    enable = true;
+    IPv6 = true;
+    hostname = "ip.heptifili";
+    zone = "xnee.net";
+  };
+
   networking = {
     domains = {
       enable = true;

secrets/common.yaml

@@ -6,9 +6,9 @@ backup:
     hetzner-s3: ENC[AES256_GCM,data:ATrXrFnhuguwqkwf7rYh3QmVY5tWpz0imaLdVIYwROX6MunZsX5WhKOoWsH5aXnBaxOw4a0PQ2l6c8E67dXnF4i1qEMF0nXb+LX2jCH0ZWhDVLrjSXC5QL8kvDpVBxb1Cu990VdYgHYa,iv:oAVASEl9Cc/TTEH/ShaAeLcjwYKBOJjyJN8EsrrqGSg=,tag:inZoJR7Hbvz2ArjyBiOEag==,type:str]
     heptifili: ENC[AES256_GCM,data:8ZFwfxOPZfZTTZu4ZfQBMFLAj9tKSFSCOw/be7/EipboTJvEobCwVETvDQcDUnS76LVYEqRndY0lrYVR2d2+PvXaPWSMCEIePpH9XVX/EiqNsv8Ls8XKVQGkOSiOPLzb7ct2QmN5/3++hEpap6WT+AognGLcAsGaMEZijUZkxtLOXUZfbA02U1zS3FvQeasB350iL2zl9SknVQAmtD5hFwmDu+23scRCS5u0jOth/YMRyez1hRKoUXBl,iv:LZtBGbtH98wHBiQGWqjLY8n1f3dXW/4H05+ONIfATwA=,tag:k06uBxDFIKSTqyNYFrFHXQ==,type:str]
 acme:
-    environment: ENC[AES256_GCM,data:i2hyFlAb1qANvqMyDsMZsGgJWbaYRkzPZqAGH6bfSJSKaf8oPVUe5zMSy+IiDI7idw==,iv:DmPZPemgw/e7hfCTRfQhWKoJJiJQcVMh+PVKcLu10Vw=,tag:6tg4cnZKBg2EasQ/Hekyfg==,type:str]
+    environment: ENC[AES256_GCM,data:wI1/TLI9DEriFBkZs2pacgOGph9bEm9g5W5wsI2YHzlGFyj4szfOTnq2/LpLykJO5Gx8,iv:n24nXZJ1frM6Pu0zyMNtj6suuIbkHsO5Io8WsETwGyw=,tag:e7KIT1klon2Ab9pW+rHvww==,type:str]
 dyndns:
-    hetzner_api_key: ENC[AES256_GCM,data:Sk22uZ14QCX8B3yzNQ5WbI8Qgj3Y5B+v8Lyy4R/XqeY=,iv:WXt9iddmNYGCwNkSfbEKwa7L1ZgVHedwqVuUJhnrm+4=,tag:cb4jSwRzhbM2iuLnRmmgIA==,type:str]
+    environment: ENC[AES256_GCM,data:Yb5UBt4AvYDc5T/KS5UFKkLwWZjmCaUukiwpcJkH8PNlzbNSyCB9JIioSTJXoPsaDc6y,iv:A9pMyNadzquRmYPv12WGp2UUhAwwPDWs1AJ3K2EnI7o=,tag:odopcgXWz0+QfLOKd9Cc0Q==,type:str]
 tailscale:
     authkey: ENC[AES256_GCM,data:W7GhMn7lqpt9dYI1L0Oq+dVGebu9xgmDuo422/YaY7UQTSvwgsE7WpsUs8hqvf0ukFCf73SG1jNC0jgyuQ==,iv:KTbGN3tvl1CiKgxNGmizW1TWVZzOl5PgZ2RDgQIKZnc=,tag:Y6uv1iCXwuebXUzZNXTzsA==,type:str]
 sops:
@@ -80,8 +80,8 @@ sops:
             T0x3YkxyQUlGdEpPRnR4UVBzYy9FOTQKRyLlelSHBSwTZ5Ue6ADXCgD0nnVIwVSz
             b8zYn1j5JSYpxKt9jt7qC8vEI3zHgAMhHzMwO03dc4TjdkApFaAu6A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-02T19:16:05Z"
-    mac: ENC[AES256_GCM,data:BAN5CT6YEq/Uvuqu9LtjOQwsdcY1ac30C6RLGHimyvGwFMW85TXG+63ThBv6SQdRDIke1WfZv4jj/U/cxIeIvMclqaS5YcDYcmqR/MvCl0LF6CJaMM2dtGgpuDiXKb4BUj9KvhfRZVyRtaRd3mvrh3XTp/GRKkwg6oT3GTSP3cU=,iv:2Q0vMfbJEl4XY6IwEnpyFwo02o/qWm7o8C4hduV/QSk=,tag:yh3QlJlTvAAoAtPPMdsTJg==,type:str]
+    lastmodified: "2025-02-02T14:06:00Z"
+    mac: ENC[AES256_GCM,data:A6/YnsASL/PqOCCSFxQ1NVP3LLc9mBN8bDbwBd4V8Cloebl7xUoCF6taWCHCf0yN/zC3E2m7TOFuUjQn/szeddCm60USuPUE9n5Nh7DnTmHFlo/um5tMwXk98a50yDFIz397fx97ji/63dWPKtMOnxDOEFu20ELR/AaibD1BCmk=,iv:ASIzas9DL2Ideq8uwWbTNOwnQh0p5f5OIAhR8WSSwws=,tag:EN4E3CIm39QE01rryfbT4g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.3