Revert "Revert "Merge from nixos-unstable"" (#63)

fmway · Jan 12, 2025 · 889ef00 · 889ef00
1 parent 08f7445
commit 889ef00
Show file tree

Hide file tree

Showing 8 changed files with 108 additions and 33 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,6 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.head_ref }}
+    - name: "Check current branch"
+      run: git branch
     - uses: DeterminateSystems/nix-installer-action@main
       with:
         github-token: ${{ secrets.GH_TOKEN }}

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -2,11 +2,13 @@ name: Auto Pull Request
 on:
   schedule:
   - cron: "0 */2 * * *"
+  - cron: "0 */6 * * *"
 
 permissions: write-all
 
 jobs:
   auto-pull-request:
+    if: ${{ github.event.schedule == "0 */2 * * *" }}
     runs-on: [ ubuntu-latest ]
     steps:
     - uses: actions/checkout@v4
@@ -46,3 +48,46 @@ jobs:
         GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
       run: |
         gh pr create --title "Merge From nixos-unstable" --body "" -l "automated" 
+
+  update-stubby:
+    if: ${{ github.event.schedule == "0 */6 * * *" }}
+    runs-on: [ "ubuntu-latest" ]
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.head_ref }}
+    - name: Setup git
+      run: |
+        git config --global user.name 'little fmway'
+        git config --global user.email 'fm18lv@gmail.com'
+        git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+    - uses: DeterminateSystems/nix-installer-action@main
+      with:
+        github-token: ${{ secrets.GH_TOKEN }}
+        extra-conf: experimental-features = nix-command flakes auto-allocate-uids configurable-impure-env
+    - uses: DeterminateSystems/magic-nix-cache-action@main
+      with:
+        use-flakehub: false
+    - run: nix run .#updateStubbyCert
+    - name: Check Updates
+      id: check
+      env:
+        GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
+      run: |
+        if [ -n "$(git status --short)" ]; then
+          git add -A
+          git commit -m "chore(systems): update certs dns"
+          git checkout -B stubby-updater
+          git push origin stubby-updater
+          if [ -z "$(git diff origin/stubby-updater origin/master)" ]; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          fi
+        else
+          echo "skip=true" >> "$GITHUB_OUTPUT"
+        fi
+    - name: Pull Request
+      if: '!steps.check.outputs.skip'
+      env:
+        GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
+      run: |
+        gh pr create --title "chore(system): update certs dns" --body "" -l "automated" -l "dependencies" --head stubby-updater --base master
diff --git a/flake.lock b/flake.lock
diff --git a/systems/default.nix b/systems/default.nix
@@ -31,6 +31,7 @@ in treeImport {
   includes = with matchers; [
     (extension "conf")
     (extension "txt")
+    json
   ];
 
   # auto-enable = [

diff --git a/systems/services/stubby.nix b/systems/services/stubby.nix
diff --git a/systems/services/stubby/__dns.json b/systems/services/stubby/__dns.json
@@ -0,0 +1,10 @@
+{
+  "1.1.1.1": {
+    "signedCert": "SPfg6FluPIlUc6a5h313BDCxQYNGX+THTy7ig5X3+VA=",
+    "tls_name": "cloudflare-dns.com",
+    "tls_host": "one.one.one.one",
+    "alt": [
+      "1.0.0.1"
+    ]
+  }
+}
diff --git a/systems/services/stubby/default.nix b/systems/services/stubby/default.nix
@@ -0,0 +1,16 @@
+{ pkgs, dns, lib, ... }: let
+  inherit (builtins) attrNames foldl';
+  extract_dns = attrNames dns |> foldl' (acc: curr: let
+    tls_auth_name = dns.${curr}.tls_name;
+    tls_pubkey_pinset = lib.flatten [ dns.${curr}.signedCert ] |> map (x: { value = x; digest = "sha256"; });
+    toValue = x: {
+      inherit tls_pubkey_pinset tls_auth_name;
+      address_data = x;
+    };
+    alts = lib.flatten [ dns.${curr}.alt ] |> map (x: toValue x);
+  in acc ++ [ (toValue curr) ] ++ lib.optionals (dns.${curr}.alt or [] != []) alts) [];
+in {
+  enable = true;
+  settings =
+    pkgs.stubby.passthru.settingsExample // { upstream_recursive_servers = extract_dns; };
+}
diff --git a/top-level/default.nix b/top-level/default.nix
@@ -10,6 +10,33 @@ in {
   perSystem = { pkgs, lib, ... }:
   {
     apps = {
+      # generate stubby certs
+      updateStubbyCert = {
+        type = "app";
+        program = pkgs.writeScriptBin "update-stubby-cert.fish" /* fish */ ''
+          #!${lib.getExe pkgs.fish}
+          ${self.lib.mkFishPath (with pkgs; [
+            jq
+            knot-dns
+            gnugrep
+            gnused
+          ])}
+
+          set tmp_json "$(cat ./systems/services/stubby/__dns.json)"
+          #
+          for i in (echo "$tmp_json" | jq -r 'keys_unsorted[]')
+            set tls_host "$(echo "$tmp_json" | jq -r '."'$i'".tls_host')"
+            set oldCert "$(echo "$tmp_json" | jq -r '."'$i'".signedCert')"
+            
+            set newCert "$(kdig -d @$i +tls-ca +tls-host=$tls_host example.com 2>/dev/null | grep '#1,' -A 1 | tail -n1 | sed 's/.\+ PIN: \(.\+\)/\1/')"
+
+            if [ $oldCert != $newCert ]
+              echo "$tmp_json" | jq '."'$i'".signedCert = "'$newCert'"' > ./systems/services/stubby/__dns.json
+              set tmp_json "$(cat ./systems/services/stubby/__dns.json)"
+            end
+          end
+        '';
+      };
       # generate cachix on nix.conf
       gcn = {
         type = "app";
@@ -38,6 +65,8 @@ in {
     };
   };
   flake.lib = {
+    mkFishPath = pkgs:
+      lib.makeBinPath pkgs |> lib.splitString ":" |> map (x: /* sh */ "fish_add_path ${x}") |> lib.concatStringsSep "\n";
     # Will be imported to configuration and home-manager
     genSpecialArgs = { ... } @ var: let
       specialArgs = {