authorMathias Magnusson <mathias@magnusson.space>2025-11-18 16:00:45 +0100
committerMathias Magnusson <mathias@magnusson.space>2025-11-18 16:00:45 +0100
commit3c214d788e671e867231d30374465f14969c46dd (patch)
tree46d6d89984b6f28960a3d399fb7c7ab4d1b41cb5
parentc95b2340926c9158f72a8e4a0248ea0d7ac384f0 (diff)
downloadoden-3c214d788e671e867231d30374465f14969c46dd.tar.gz
move ddns setup to hetzner
-rw-r--r--flake.lock19
-rw-r--r--flake.nix2
-rw-r--r--router.nix19
-rw-r--r--secrets/dyndns-url.txt.agebin890 -> 0 bytes
-rw-r--r--secrets/hcloud-token.txt.age11
-rw-r--r--secrets/secrets.nix2
6 files changed, 46 insertions, 7 deletions
diff --git a/flake.lock b/flake.lock
index 22560e3..a4523a9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -101,7 +101,8 @@
"agenix": "agenix",
"disko": "disko",
"impermanence": "impermanence",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "unstable": "unstable"
}
},
"systems": {
@@ -118,6 +119,22 @@
"repo": "default",
"type": "github"
}
+ },
+ "unstable": {
+ "locked": {
+ "lastModified": 1763283776,
+ "narHash": "sha256-Y7TDFPK4GlqrKrivOcsHG8xSGqQx3A6c+i7novT85Uk=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "50a96edd8d0db6cc8db57dab6bb6d6ee1f3dc49a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index a56ed31..166805d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,7 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+ unstable.url = "github:nixos/nixpkgs/nixos-unstable";
disko.url = "github:nix-community/disko/latest";
disko.inputs.nixpkgs.follows = "nixpkgs";
@@ -15,6 +16,7 @@
inputs@{
self,
nixpkgs,
+ unstable,
disko,
impermanence,
agenix,
diff --git a/router.nix b/router.nix
index 20d07c1..3cc17bc 100644
--- a/router.nix
+++ b/router.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:
{
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
@@ -113,7 +113,11 @@
};
services.resolved.enable = false;
- services.networkd-dispatcher = {
+ services.networkd-dispatcher =
+ let
+ logPath = "/home/mathias/networkd-dispatcher-run";
+ in
+ {
enable = true;
rules."ddns" = {
onState = [ "routable" ];
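Review bot: `logPath` points into `/home/mathias`, while networkd-dispatcher rules normally run as root, so the root-run script appends to whatever that path resolves to, including a symlink created by the account that owns the directory. A root-owned location avoids this, for example `logPath = "/var/log/ddns-update.log";` (a constructed path; on this host it may need adding to the persisted directories), or the redirect can be dropped in favour of the journal. The file is also appended to on every run that reaches the update, with no rotation visible here. The `services.networkd-dispatcher` attribute set continues past the end of this hunk.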
@@ -124,8 +128,13 @@
exit 0
fi
- ${pkgs.curl}/bin/curl "$(cat "${config.age.secrets."dyndns-url.txt".path}")"
- printf "%s: %s\n" "$(date)" "$ADDR" >> /home/mathias/networkd-dispatcher-run
+ {
+ echo
+ printf "%s: %s\n" "$(date)" "$ADDR"
+ HCLOUD_TOKEN="$(cat "${config.age.secrets."hcloud-token.txt".path}")" \
+ ${inputs.unstable.legacyPackages.${pkgs.system}.hcloud}/bin/hcloud \
+ zone rrset set-records 0m.nu @ A --record "''${ADDR%% *}" 2>&1
+ } >> "${logPath}"
exit 0
'';
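Review bot: The credential read on the `HCLOUD_TOKEN=` line is likely broader than the one it replaces. The removed dyndns URL presumably could only update one record, whereas a Hetzner Cloud API token is, as far as I know, scoped to a whole project, so a copy taken from the router can act on everything in that project. Keeping the `0m.nu` zone in a project of its own and recording that next to the secret would bound the exposure, e.g. `# hcloud-token.txt: token for a project that contains only the 0m.nu zone`. The script body starts above this hunk, where `$ADDR` is set, so it is not visible here whether `''${ADDR%% *}` is always a single IPv4 address; if the earlier check only tests for emptiness, a format check before the `hcloud` call would keep a malformed value out of the A record.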
@@ -197,5 +206,5 @@
age.secrets."wifi-password-staff.txt".file = ./secrets/wifi-password-staff.txt.age;
age.secrets."wifi-password-guest.txt".file = ./secrets/wifi-password-guest.txt.age;
- age.secrets."dyndns-url.txt".file = ./secrets/dyndns-url.txt.age;
+ age.secrets."hcloud-token.txt".file = ./secrets/hcloud-token.txt.age;
}
diff --git a/secrets/dyndns-url.txt.age b/secrets/dyndns-url.txt.age
deleted file mode 100644
index dbf3c3a..0000000
--- a/secrets/dyndns-url.txt.age
+++ /dev/null
Binary files differ
diff --git a/secrets/hcloud-token.txt.age b/secrets/hcloud-token.txt.age
new file mode 100644
index 0000000..701a063
--- /dev/null
+++ b/secrets/hcloud-token.txt.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 rf0kpA wxZ09LiaTQpcdLKOKIQqcE3/CdInswNAJ35sd/Pt22I
+375f2Xnso9H2G6C+5aHRn2NYa5wFqf5CqPBPQYmbD40
+-> piv-p256 Ddzw4A A0Kb2sXQpRfcGcbH6y7AOP7BcFmfqIvdGXYq3/FVRk4j
+8ayXqPGcsziJE9JYXwX1fYNXp05GI5LVs4ECKLNhE4I
+-> piv-p256 9aSbLw A9HL79joXH6caWdS10Xs9WE8O9Ge/+TWi7tJ0OT4SFI1
+MlrtoF7177oEsTeFu6EFGHKNs1j2ryAEfSbEAmGHeOE
+-> ssh-ed25519 YS7/yg H0+P1FqpX7kyWXOJgGw08MR8MoSD1knH3CFFNMzdi0g
+1+vMosdhLLulrGwMfspuZKeDSlSZq1YBbXpjLxofPxk
+--- 65Ii7+Abj6Y4RlMMXkheq6bU41gj9on/Oc8qDnTvRyE
+Bb™$Ç6訣+ŸÀLU’݇ú¦ „?³ûwÍ:·z#&ù†Óìíª Ìœk*éû·‰ˆÉ!ß¾øJAô}™Ôœ4Þ—#³}†Ö3+âw%»%ëdÀ¼ÑŸùnmµÑ \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index be661f8..acb5d8d 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,7 +10,7 @@ let
"wifi-password-staff.txt.age"
"wifi-password-guest.txt.age"
"password-hash.txt.age"
- "dyndns-url.txt.age"
+ "hcloud-token.txt.age"
];
in
builtins.listToAttrs (