Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent bfb6223, commit d071e1a
Showing 8 changed files with 161 additions and 3 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
--- | ||
title: DDNS Using Njalla | ||
--- | ||
|
||
Go to your domain on njalla: | ||
|
||
![Njalla Domain](docs/wiki/ddns/njalla/domain.png) | ||
|
||
Then press "Add record" and select "Dynamic" and write your subdomain in | ||
the input box. It should now be added to your records. Click on the record, | ||
you should now see something like the following: | ||
|
||
![Njalla Record](docs/wiki/ddns/njalla/record.png) | ||
|
||
With this, then your JSON file should contain: | ||
|
||
```json | ||
{ | ||
"jellyfin.example.com": "48esqclnvqGiCZPbd" | ||
} | ||
``` | ||
|
||
Add this as a secret file to your secrets (See [this page](/wiki/secrets) | ||
for secrets management). This could be, for example, | ||
|
||
- Writing the specified JSON to `/data/.secret/njalla/keys-file.json` | ||
- Setting the owner as root: `sudo chown root:root | ||
/data/.secret/njalla/keys-file.json`) | ||
- Setting the permissions to 700 (read, write, execute for file owner, root): | ||
`sudo chmod 700 /data/.secret/njalla/keys-file.json`) | ||
|
||
And finally adding it to your nix configuration: | ||
|
||
```nix | ||
nixarr.ddns.njalla = { | ||
enable = true; | ||
keysFile = "/data/.secret/njalla/keys-file.json"; | ||
}; | ||
``` | ||
|
||
After rebuilding, you can check the output of the DDNS script: | ||
|
||
```sh | ||
sudo systemctl status ddnsNjalla.service | ||
``` | ||
|
||
Where you should see something like: | ||
|
||
``` | ||
Mar 03 21:05:00 pi systemd[1]: Starting Sets the Njalla DDNS records... | ||
Mar 03 21:05:02 pi ddns-njalla[26842]: {"status": 200, "message": "record updated", "value": {"A": "93.184.216.34"}} | ||
Mar 03 21:05:02 pi ddns-njalla[26845]: {"status": 200, "message": "record updated", "value": {"A": "93.184.216.34"}} | ||
Mar 03 21:05:02 pi systemd[1]: ddnsNjalla.service: Deactivated successfully. | ||
Mar 03 21:05:02 pi systemd[1]: Finished Sets the Njalla DDNS records. | ||
Mar 03 21:05:02 pi systemd[1]: ddnsNjalla.service: Consumed 560ms CPU time, received 11.7K IP traffic, sent 3.0K IP traffic. | ||
``` | ||
|
||
Then run the following to get your public IP address: | ||
|
||
```sh | ||
curl https://ipv4.icanhazip.com/ | ||
``` | ||
|
||
And if you check your njalla domain page, you should see your public IP on | ||
your Dynamic DNS record! | ||
|
||
And after waiting a little you should be able to connect to your ip, using | ||
the set domain. |
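Review bot: In the permissions bullet, `chmod 700` puts the execute bit on a JSON keys file; 700 is a directory mode, and a file that only root reads needs no more than `chmod 600` (or `400`), so the bullet text should say "read, write for file owner" to match. The `chown` and `chmod` bullets each end with a stray `)` after the closing backtick. The steps also never create `/data/.secret/njalla`, so a `sudo mkdir -p` line before the write would make the list copy-pasteable. Finally, "With this, then your JSON file should contain:" does not say which value on the record page goes on the right-hand side of the JSON; naming it would remove the guesswork.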
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
--- | ||
title: Welcome to the Nixarr Wiki! | ||
--- | ||
|
||
This is a list of existing articles: | ||
|
||
- **[Recommended Secrets Management](/wiki/secrets)** | ||
- **DDNS** | ||
- **[Njalla](/wiki/ddns/njalla)** |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
--- | ||
title: Recemmended Secrets Management | ||
--- | ||
|
||
Secrets in nix can be difficult to handle. Your Nixos configuration is | ||
world-readable in the nix store. This means that _any_ user can read your | ||
config in `/nix/store` somewhere (_Not good!_). The way to solve this is to | ||
keep your secrets in files and pass these to nix. Below, I will present two | ||
ways of accomplishing this. | ||
|
||
**Warning:** Do _not_ let secrets live in your configuration directory either! | ||
|
||
## The simple way | ||
|
||
The simplest secrets management is to simply create a directory for all you | ||
secrets, for example: | ||
|
||
```sh | ||
sudo mkdir -p /data/.secret | ||
sudo chmod 700 /data/.secret | ||
``` | ||
|
||
Then put your secrets, for example your wireguard configuration from your | ||
VPN-provider, in this directory: | ||
|
||
```sh | ||
sudo mkdir -p /data/.secret/vpn | ||
sudo mv /path/to/wireguard/config/wg.conf /data/.secret/vpn/wg.conf | ||
``` | ||
|
||
And set the accompanying Nixarr option: | ||
|
||
```nix | ||
nixarr.vpn = { | ||
enable = true; | ||
wgConf = "/data/.secret/vpn/wg.conf"; | ||
}; | ||
``` | ||
|
||
**Note:** This is impure, meaning that since the file is not part of the | ||
nix store, a nixos rollback will not restore a previous secret. This also | ||
means you have to rebuild Nixos using the `--impure` flag set. | ||
|
||
## Agenix - A Path to Purity | ||
|
||
The "right way" to do secret management is to have your secrets | ||
encrypted in your configuration directory. This can be accomplished using | ||
[agenix](https://github.com/ryantm/agenix). I won't go into the details of how | ||
to set it up since it's a more complex solution than the one above. However, | ||
including the right way doing it should help you if you're a more advanced | ||
user and want to do things the "right way". | ||
|
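Review bot: The front-matter title reads "Recemmended", which does not match the "Recommended Secrets Management" link text in the wiki index; in the same file "all you secrets" should be "all your secrets" and "Nixos"/"nixos" should be "NixOS". In the simple-way steps, `sudo mv` keeps whatever owner and mode `wg.conf` had at its old path, so add `sudo chown root:root` and `sudo chmod 600` on the moved file, in line with the ownership step the Njalla page gives for its keys file. The last sentence of the Agenix section ("including the right way doing it should help you") is hard to parse; pointing at agenix's own setup instructions would say the same thing more clearly.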