-
- Rasmus Kirk Jakobsen
-
$if(date)$
$date$
$endif$
diff --git a/docs/wiki/ddns/njalla/domain.png b/docs/wiki/ddns/njalla/domain.png
new file mode 100644
index 0000000..d198b5c
Binary files /dev/null and b/docs/wiki/ddns/njalla/domain.png differ
diff --git a/docs/wiki/ddns/njalla/index.md b/docs/wiki/ddns/njalla/index.md
new file mode 100644
index 0000000..3c5c812
--- /dev/null
+++ b/docs/wiki/ddns/njalla/index.md
@@ -0,0 +1,68 @@
+---
+title: DDNS Using Njalla
+---
+
+Go to your domain on njalla:
+
+
+
+Then press "Add record" and select "Dynamic" and write your subdomain in
+the input box. It should now be added to your records. Click on the record,
+you should now see something like the following:
+
+
+
+With this, then your JSON file should contain:
+
+```json
+ {
+ "jellyfin.example.com": "48esqclnvqGiCZPbd"
+ }
+```
+
+Add this as a secret file to your secrets (See [this page](/wiki/secrets)
+for secrets management). This could be done, for example, in the following way:
+
+- Writing the specified JSON to `/data/.secret/njalla/keys-file.json`
+- Setting the owner as root: `sudo chown root:root
+ /data/.secret/njalla/keys-file.json`)
+- Setting the permissions to 700 (read, write, execute for file owner, root):
+ `sudo chmod 700 /data/.secret/njalla/keys-file.json`)
+
+And finally adding it to your nix configuration:
+
+```nix
+ nixarr.ddns.njalla = {
+ enable = true;
+ keysFile = "/data/.secret/njalla/keys-file.json";
+ };
+```
+
+After rebuilding, you can check the output of the DDNS script:
+
+```sh
+ sudo systemctl status ddnsNjalla.service
+```
+
+Where you should see something like:
+
+```
+ Mar 03 21:05:00 pi systemd[1]: Starting Sets the Njalla DDNS records...
+ Mar 03 21:05:02 pi ddns-njalla[26842]: {"status": 200, "message": "record updated", "value": {"A": "93.184.216.34"}}
+ Mar 03 21:05:02 pi ddns-njalla[26845]: {"status": 200, "message": "record updated", "value": {"A": "93.184.216.34"}}
+ Mar 03 21:05:02 pi systemd[1]: ddnsNjalla.service: Deactivated successfully.
+ Mar 03 21:05:02 pi systemd[1]: Finished Sets the Njalla DDNS records.
+ Mar 03 21:05:02 pi systemd[1]: ddnsNjalla.service: Consumed 560ms CPU time, received 11.7K IP traffic, sent 3.0K IP traffic.
+```
+
+Then run the following to get your public IP address:
+
+```sh
+ curl https://ipv4.icanhazip.com/
+```
+
+And if you check your njalla domain page, you should see your public IP on
+your Dynamic DNS record!
+
+And after waiting a little you should be able to connect to your ip, using
+the set domain.
diff --git a/docs/wiki/ddns/njalla/record.png b/docs/wiki/ddns/njalla/record.png
new file mode 100644
index 0000000..53fafd6
Binary files /dev/null and b/docs/wiki/ddns/njalla/record.png differ
diff --git a/docs/wiki/index.md b/docs/wiki/index.md
new file mode 100644
index 0000000..df6814a
--- /dev/null
+++ b/docs/wiki/index.md
@@ -0,0 +1,9 @@
+---
+title: Welcome to the Nixarr Wiki!
+---
+
+This is a list of existing articles:
+
+- **[Recommended Secrets Management](/wiki/secrets)**
+- **DDNS**
+ - **[Njalla](/wiki/ddns/njalla)**
diff --git a/docs/wiki/secrets/index.md b/docs/wiki/secrets/index.md
new file mode 100644
index 0000000..377690a
--- /dev/null
+++ b/docs/wiki/secrets/index.md
@@ -0,0 +1,52 @@
+---
+title: Recemmended Secrets Management
+---
+
+Secrets in nix can be difficult to handle. Your Nixos configuration is
+world-readable in the nix store. This means that _any_ user can read your
+config in `/nix/store` somewhere (_Not good!_). The way to solve this is to
+keep your secrets in files and pass these to nix. Below, I will present two
+ways of accomplishing this.
+
+**Warning:** Do _not_ let secrets live in your configuration directory either!
+
+## The simple way
+
+The simplest secrets management is to simply create a directory for all you
+secrets, for example:
+
+```sh
+ sudo mkdir -p /data/.secret
+ sudo chmod 700 /data/.secret
+```
+
+Then put your secrets, for example your wireguard configuration from your
+VPN-provider, in this directory:
+
+```sh
+ sudo mkdir -p /data/.secret/vpn
+ sudo mv /path/to/wireguard/config/wg.conf /data/.secret/vpn/wg.conf
+```
+
+And set the accompanying Nixarr option:
+
+```nix
+ nixarr.vpn = {
+ enable = true;
+ wgConf = "/data/.secret/vpn/wg.conf";
+ };
+```
+
+**Note:** This is impure, meaning that since the file is not part of the
+nix store, a nixos rollback will not restore a previous secret. This also
+means you have to rebuild Nixos using the `--impure` flag set.
+
+## Agenix - A Path to Purity
+
+The "right way" to do secret management is to have your secrets
+encrypted in your configuration directory. This can be accomplished using
+[agenix](https://github.com/ryantm/agenix). I won't go into the details of how
+to set it up since it's a more complex solution than the one above. However,
+including the right way doing it should help you if you're a more advanced
+user and want to do things the "right way".
+
diff --git a/mkDocs.nix b/mkDocs.nix
index 4d2d79c..f45c7f1 100644
--- a/mkDocs.nix
+++ b/mkDocs.nix
@@ -31,6 +31,32 @@ in
# Generate md docs
cat ${optionsDocNixos.optionsCommonMark} > "$tmpdir"/nixos-options.md
+ buildwiki () {
+ file_path="$1"
+ filename=$(basename -- "$file_path")
+ dir_path=$(dirname "$file_path" | sed 's|^docs/||')
+ filename_no_ext="''${filename%.*}"
+
+ mkdir -p "$out"/"$dir_path"
+
+ pandoc \
+ --standalone \
+ --metadata date="$(date -u '+%Y-%m-%d - %H:%M:%S %Z')" \
+ --highlight-style docs/pandoc/gruvbox.theme \
+ --lua-filter docs/pandoc/lua/anchor-links.lua \
+ --css /docs/pandoc/style.css \
+ --template docs/pandoc/template.html \
+ -V lang=en \
+ -V --mathjax \
+ -f markdown+smart \
+ -o $out/"$dir_path"/"$filename_no_ext".html \
+ "$file_path"
+ }
+
+ find docs/wiki -type f -name "*.md" | while IFS= read -r file; do
+ buildwiki "$file"
+ done
+
pandoc \
--standalone \
--metadata title="Nixarr - Option Documentation" \