diff --git a/nixos/modules/ddns.nix b/nixos/modules/ddns.nix
index 3b6abb2..807949e 100644
--- a/nixos/modules/ddns.nix
+++ b/nixos/modules/ddns.nix
@@ -17,7 +17,20 @@ with lib; let
 systemd.services = listToAttrs (forEach domains (domain: nameValuePair "ddns-${domain}" {
- serviceConfig.Type = "oneshot";
+ serviceConfig = {
+ Type = "oneshot";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ PrivateMounts = true;
+ PrivateIPC = true;
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ ProtectKernelTunables = true;
+ BindReadOnlyPaths = [ credentialsPath ];
+ NoNewPrivileges = true;
+ CapabilitBoundingSet = [ ];
+ };
 script = ''
 function url() {
 echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3"
diff --git a/secrets/ddns-credentials.age b/secrets/ddns-credentials.age
index f7b00b0..bd19e1d 100644
--- a/secrets/ddns-credentials.age
+++ b/secrets/ddns-credentials.age
@@ -1,11 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 J6ROvw BhBy5hKm+udUmCgQOhVnFFaGSGOOKqxOkaZUcp7Wy3k
-itvOOCUKNo0IseolH//6Uj1zEDt207HleT1YWnDogAg
--> ssh-ed25519 Otklkw /5YCYZwTZ//JfGJzIIizcwhqem1P/ZTDdhJFfEjQQX4
-z7WS/uHDKGyuUP+ZKVVVc8b4bybsaQH6XrxOO3vOg1Q
--> n\fdBI(-grease -PZuR<|s w,[Y J* h~
-mwA80O5+Q8KqYJSYneiqKcP5tbDgA0GI9AuDOjbFPFcb8evizd0RJxHdw9lDtIf1
-EBddBaL+m0/JjzvGE+Y
---- ybCpT9fTz498c//mW49ziO5Qcpl+hJGly/qm9lzZR4s
-7#:EPb52@KUVMUAP_J x0>3 --f
\ No newline at end of file
+-> ssh-ed25519 J6ROvw GVvNIMXLPbV2vCUusgXXhbX5NiFBHiDEKcsKfmoyzkU
+5DPaglRaORrOfzNkjUCSxGEUxxFb4+4LKU/AZlBvUa8
+-> ssh-ed25519 Otklkw 6OI2jcEMolDqSXT/lDDn/Bmzl7TuSi3nzSjJPr1Fyno
+evOwwYz0VNf+CSlQBv9M/M+BgW2+VffXk3Oei6rJJzE
+-> 'v-grease X
+ZsnRwQ1kbRM6a34
+--- E7ofwcMOJacS72nThz3xl/kOvgy0698mvRiJNmIorAc
+rd{U] +:&liѼ|YwRR5gER !l6e(R1r
\ No newline at end of file
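Review bot: `CapabilitBoundingSet` in the new `serviceConfig` block is misspelled (the directive is `CapabilityBoundingSet`), so systemd will log an unknown-key warning and ignore it, leaving the unit's full capability bounding set in place while the surrounding hardening options suggest it has been dropped. As I read NixOS's unit serializer, a list-valued key renders one `Key=value` line per element, so `[ ]` would emit no line at all even with the spelling fixed; `CapabilityBoundingSet = "";` is the form that writes the empty assignment and actually clears the set. The `script` attribute and the enclosing service definition continue past the end of the hunk, so I cannot confirm from here that the script needs nothing beyond `credentialsPath`; running `systemd-analyze security ddns-<domain>` (with `<domain>` standing in for a real domain) against the deployed unit would show whether the intended restrictions took effect. The `.age` re-encryption hunk is an opaque secret rotation and needs no review.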