From 8fe02a39b206cb509f6f976b501d87dca4e71603 Mon Sep 17 00:00:00 2001
From: Martin Berg Alstad <git@martials.no>
Date: Tue, 26 Aug 2025 19:00:38 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20[pi4]=20Add=20DDClient=20service?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 hosts/pi4/ddclient.nix      | 21 ++++++++++
 hosts/pi4/default.nix       |  1 +
 shared/secrets/secrets.yaml | 76 +++++++++++++++++++------------------
 3 files changed, 61 insertions(+), 37 deletions(-)
 create mode 100644 hosts/pi4/ddclient.nix

diff --git a/hosts/pi4/ddclient.nix b/hosts/pi4/ddclient.nix
new file mode 100644
index 0000000..a67ef0a
--- /dev/null
+++ b/hosts/pi4/ddclient.nix
@@ -0,0 +1,21 @@
+# /nix/store/<hash>/ddclient.conf
+{ config, common, ... }:
+let
+  domain = common.domain;
+  cloudflarePasswordKey = "cloudflare/api-token";
+in
+{
+  services.ddclient = {
+    enable = true;
+    protocol = "cloudflare";
+    username = "emberal+cloudflare@pm.me";
+    passwordFile = config.sops.secrets.${cloudflarePasswordKey}.path;
+    zone = domain;
+    domains = [
+      domain
+      "*.${domain}"
+    ];
+  };
+
+  sops.secrets.${cloudflarePasswordKey} = { };
+}
diff --git a/hosts/pi4/default.nix b/hosts/pi4/default.nix
index 51099a2..1f6932b 100644
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@@ -6,6 +6,7 @@
     ./actual.nix
     ./boot.nix
     ./caddy.nix
+    ./ddclient.nix
     ./forgejo.nix
     ./hardware.nix
     ./headscale.nix
diff --git a/shared/secrets/secrets.yaml b/shared/secrets/secrets.yaml
index 15b0d85..c27fb45 100644
--- a/shared/secrets/secrets.yaml
+++ b/shared/secrets/secrets.yaml
@@ -1,42 +1,44 @@
+cloudflare:
+    api-token: ENC[AES256_GCM,data:UfTphnoN4REAue0bP5JKPfgvq36Jlxndl7dD46BKwg7ygW2Mj4mm4w==,iv:vS223ZAqACt1ZHJHCeztCVm+BghMhVYJfTuvBlySf+o=,tag:mxf6jL7/ItsxPOHb7S5upQ==,type:str]
 forgejo:
-  admin-pass: ENC[AES256_GCM,data:RGTOw0Yo5rJGEVLGsQgyk9Wc,iv:SuN770eAgFIVd4pJ6vmPIvVCMqTW/2sBUYUbqym2cHo=,tag:YlyNR/fFchdBwzCuIsWGMA==,type:str]
-  #ENC[AES256_GCM,data:oMpYBQ30sdCTtgxEZvYxTd9oi9QM0bYp5NisMdQHYT/nF2k=,iv:H9/g7XttJScVXV38+yHdbgWNFDhBYyudjK5BKHTt5wo=,tag:FNfkKfkKWDBUAXiGXkDchw==,type:comment]
-  runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
+    admin-pass: ENC[AES256_GCM,data:RGTOw0Yo5rJGEVLGsQgyk9Wc,iv:SuN770eAgFIVd4pJ6vmPIvVCMqTW/2sBUYUbqym2cHo=,tag:YlyNR/fFchdBwzCuIsWGMA==,type:str]
+    #ENC[AES256_GCM,data:oMpYBQ30sdCTtgxEZvYxTd9oi9QM0bYp5NisMdQHYT/nF2k=,iv:H9/g7XttJScVXV38+yHdbgWNFDhBYyudjK5BKHTt5wo=,tag:FNfkKfkKWDBUAXiGXkDchw==,type:comment]
+    runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
 password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
 mailserver:
-  password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str]
+    password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str]
 nextcloud:
-  admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str]
+    admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str]
 sops:
-  age:
-    - recipient: age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMHl6emFJdE4rVGduT2V1
-        Y1hFdlRxVHJ1NlV0R2JRZm5SMVVzVmpRQlM0CjhUN0dqajNpQXg4a29Ca1VLMDJ1
-        UmpsMFRJd254TlpGNzdDV2ZQTU9icDAKLS0tIG0wSVppUmU5TVdlMHhsQ3pMNDhJ
-        TFkrWitpb3h3UDhFNUN5Yi80YXlLbjQKxdG0m3CZ+elvzSNC9+aD15AOejkT5hJR
-        hhjtn+aUF8JvAIgggLqE1qU1XYIkbzk5//TWz5FaKeszinv9x8plvA==
-        -----END AGE ENCRYPTED FILE-----
-    - recipient: age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRGNSYjM2Qkx5M294QWVS
-        ZkJzR0VuTzdOR1FIc2c2bWx0akVPZVB0T1hvCmxuMjZWWlVmSUhKUys0QlMxMDV3
-        ZCt1ZjJNZlV5K0Zpd3NGcldhWDFDcjgKLS0tIG9mSHA1Um5Hb2NtVm5XRFdvVHVT
-        NHp1WThrcU1hOEI5RExCbVlnV2VYNlEKV4DSgHYs/zhF34h14RX2rvVXNo2uxCpD
-        uUiwU4and1T5Q09MOjqdbs2e7QM+VjKB4P/w34KkcqXTkJeR/IBF/g==
-        -----END AGE ENCRYPTED FILE-----
-    - recipient: age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1c3p0N0c2RGJZMmxzcUgw
-        bHZhcnlnWlczSGJRMVJRNitqVmV6YThIRWlBCitWUzVCN25JbzhJeG9haEVORUk5
-        QmhIc0R0c0diNmNPc0dYM2YyNVdScVUKLS0tIG1waU1QYXNVMXU4bC9rNUxwUDIz
-        SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
-        YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
-        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-06-23T17:39:10Z"
-  mac: ENC[AES256_GCM,data:+6X13vyCteJKZFo6RMI4rCo/gizcJO828xTL/gspgZemHcnqaf1P6nIntE5flin7IsfkxqoH8k25Xqzp6TLddsw8oYGA7fyDX7l28wFoxASTaZu2KChqGeRsEuVjuQGIAHKbB/4aI003NPT48l+uePOMNwUzlBrRnRYE5MMgQRI=,iv:UefKr2KL0+py7soUGjS0Onql/cAO+mXpvzJKJjtRppU=,tag:qcvB7rrdDRC3EfgjonM6uw==,type:str]
-  unencrypted_suffix: _unencrypted
-  version: 3.10.2
+    age:
+        - recipient: age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMHl6emFJdE4rVGduT2V1
+            Y1hFdlRxVHJ1NlV0R2JRZm5SMVVzVmpRQlM0CjhUN0dqajNpQXg4a29Ca1VLMDJ1
+            UmpsMFRJd254TlpGNzdDV2ZQTU9icDAKLS0tIG0wSVppUmU5TVdlMHhsQ3pMNDhJ
+            TFkrWitpb3h3UDhFNUN5Yi80YXlLbjQKxdG0m3CZ+elvzSNC9+aD15AOejkT5hJR
+            hhjtn+aUF8JvAIgggLqE1qU1XYIkbzk5//TWz5FaKeszinv9x8plvA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRGNSYjM2Qkx5M294QWVS
+            ZkJzR0VuTzdOR1FIc2c2bWx0akVPZVB0T1hvCmxuMjZWWlVmSUhKUys0QlMxMDV3
+            ZCt1ZjJNZlV5K0Zpd3NGcldhWDFDcjgKLS0tIG9mSHA1Um5Hb2NtVm5XRFdvVHVT
+            NHp1WThrcU1hOEI5RExCbVlnV2VYNlEKV4DSgHYs/zhF34h14RX2rvVXNo2uxCpD
+            uUiwU4and1T5Q09MOjqdbs2e7QM+VjKB4P/w34KkcqXTkJeR/IBF/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1c3p0N0c2RGJZMmxzcUgw
+            bHZhcnlnWlczSGJRMVJRNitqVmV6YThIRWlBCitWUzVCN25JbzhJeG9haEVORUk5
+            QmhIc0R0c0diNmNPc0dYM2YyNVdScVUKLS0tIG1waU1QYXNVMXU4bC9rNUxwUDIz
+            SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
+            YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-26T18:46:06Z"
+    mac: ENC[AES256_GCM,data:uMwyVVzU4KFzJqMzOIZHtCbgGq7Em2KogTDZbfU/CRcl6HGF8/+wKwUp4mYLAFwPXfOoKvSaBTDUYCy76wirWxXz8Vb3JxlfkjR+dvwT7DM1SYVzP4CV6TZlOBDrht6gCG+yaLJkc77AzT7crAW5V4IB/ZaRpBOGrNhIZeS/o+E=,iv:YTOySOIEaojbSm4GmJC8NBMFMD3cuC+u0CMu/5/1wS4=,tag:qdzCZuJpIiKN3dQIDboJjA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2