nixos-config/config/host-config/france/backplane.nix

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  timestamp = config.instance.build-timestamp;
  domain = config.instance.local-domain;

  powerdns-user = "backplane-powerdns";
  backplane-dns-user = "backplane-dns";

  generate-role-passwd = role:
    lib.fudo.passwd.stablerandom-password-file
      "backplane-${role}-password"
      "${hostname}-${domain}-${role}-password-${config.instance.build-timestamp}";

  powerdns-password = generate-role-passwd "powerdns-db";

  backplane-dns-xmpp-password = generate-role-passwd "backplane-dns-xmpp";

  backplane-dns-db-password = generate-role-passwd "backplane-dns-db";

  secrets = config.fudo.secrets.host-secrets.france;

  cfg = config.fudo.france.backplane-server;

in {
  options.fudo.france.backplane-server = with types; {
    listen-ips = mkOption {
      type = listOf str;
      description = "List of IPs on which to listen for incoming backplane connections.";
    };

    listen-ipv6s = mkOption {
      type = listOf str;
      description = "List of IPv6s on which to listen for incoming backplane connections.";
      default = [];
    };
  };

  config = {
    users = {
      users = {
        ${powerdns-user} = {
          isSystemUser = true;
        };
        ${backplane-dns-user} = {
          isSystemUser = true;
        };
      };

      groups = {
        ${powerdns-user} = {
          members = [ powerdns-user ];
        };
        ${backplane-dns-user} = {
          members = [ backplane-dns-user ];
        };
      };
    };

    fudo = {
      secrets.host-secrets.france = {
        powerdns-password = {
          source-file = powerdns-password;
          target-file = "/run/backplane/dns/powerdns/db.passwd";
          user = config.fudo.backplane.dns.database.user;
        };

        backplane-dns-db-password = {
          source-file = backplane-dns-db-password;
          target-file = "/run/backplane/dns/db.passwd";
          user = config.fudo.backplane.dns.backplane.user;
        };

        backplane-dns-xmpp-password = {
          source-file = backplane-dns-db-password;
          target-file = "/run/backplane/dns/xmpp.passwd";
          user = config.fudo.backplane.dns.backplane.user;
        };
      };

      postgresql = {
        enable = true;
        required-services = [ "fudo-passwords.target" ];

        users = {
          ${powerdns-user} = {
            password-file = secrets.powerdns-password.target-file;
            databases = {
              backplane_dns = {
                access = "CONNECT";
                entity-access = {
                  "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
                  "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
                };
              };
            };
          };
          ${backplane-dns-user} = {
            password-file = secrets.backplane-dns-db-password;
            databases = {
              backplane_dns = {
                access = "CONNECT";
                entity-access = {
                  "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
                  "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
                };
              };
            };
          };
        };

        databases = {
          backplane_dns = {
            users = ["niten"];
          };
        };
      };

      backplane.dns = {
        enable = true;
        listen-v4-addresses = cfg.listen-ips;
        listen-v6-addresses = cfg.listen-ipv6s;
        user = backplane-dns-user;
        group = backplane-dns-user;
        database = {
          username = powerdns-user;
          database = "backplane_dns";
          # Uses an IP to avoid cyclical dependency...
          host = "127.0.0.1";
          password-file = secrets.powerdns-password.target-file;
        };
        backplane = {
          host = "backplane.fudo.org";
          role = "service-dns";
          password-file = secrets.backplane-dns-xmpp-password.target-file;
          database = {
            username = backplane-dns-user;
            database = backplane-dns-user;
            host = "127.0.0.1";
            password-file = secrets.backplane-dns-db-password.target-file;
          };
        };
      };
    };
  };
}
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
			`hostname = config.instance.hostname;`
			`timestamp = config.instance.build-timestamp;`
			`domain = config.instance.local-domain;`

			`powerdns-user = "backplane-powerdns";`
			`backplane-dns-user = "backplane-dns";`

			`generate-role-passwd = role:`
			`lib.fudo.passwd.stablerandom-password-file`
			`"backplane-${role}-password"`
			`"${hostname}-${domain}-${role}-password-${config.instance.build-timestamp}";`

			`powerdns-password = generate-role-passwd "powerdns-db";`

			`backplane-dns-xmpp-password = generate-role-passwd "backplane-dns-xmpp";`

			`backplane-dns-db-password = generate-role-passwd "backplane-dns-db";`

			`secrets = config.fudo.secrets.host-secrets.france;`

			`cfg = config.fudo.france.backplane-server;`

			`in {`
			`options.fudo.france.backplane-server = with types; {`
			`listen-ips = mkOption {`
			`type = listOf str;`
			`description = "List of IPs on which to listen for incoming backplane connections.";`
			`};`

			`listen-ipv6s = mkOption {`
			`type = listOf str;`
			`description = "List of IPv6s on which to listen for incoming backplane connections.";`
			`default = [];`
			`};`
			`};`

			`config = {`
			`users = {`
			`users = {`
			`${powerdns-user} = {`
			`isSystemUser = true;`
			`};`
			`${backplane-dns-user} = {`
			`isSystemUser = true;`
			`};`
			`};`

			`groups = {`
			`${powerdns-user} = {`
			`members = [ powerdns-user ];`
			`};`
			`${backplane-dns-user} = {`
			`members = [ backplane-dns-user ];`
			`};`
			`};`
			`};`

			`fudo = {`
			`secrets.host-secrets.france = {`
			`powerdns-password = {`
			`source-file = powerdns-password;`
			`target-file = "/run/backplane/dns/powerdns/db.passwd";`
			`user = config.fudo.backplane.dns.database.user;`
			`};`

			`backplane-dns-db-password = {`
			`source-file = backplane-dns-db-password;`
			`target-file = "/run/backplane/dns/db.passwd";`
			`user = config.fudo.backplane.dns.backplane.user;`
			`};`

			`backplane-dns-xmpp-password = {`
			`source-file = backplane-dns-db-password;`
			`target-file = "/run/backplane/dns/xmpp.passwd";`
			`user = config.fudo.backplane.dns.backplane.user;`
			`};`
			`};`

			`postgresql = {`
			`enable = true;`
			`required-services = [ "fudo-passwords.target" ];`

			`users = {`
			`${powerdns-user} = {`
			`password-file = secrets.powerdns-password.target-file;`
			`databases = {`
			`backplane_dns = {`
			`access = "CONNECT";`
			`entity-access = {`
			`"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";`
			`"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";`
			`};`
			`};`
			`};`
			`};`
			`${backplane-dns-user} = {`
			`password-file = secrets.backplane-dns-db-password;`
			`databases = {`
			`backplane_dns = {`
			`access = "CONNECT";`
			`entity-access = {`
			`"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";`
			`"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";`
			`};`
			`};`
			`};`
			`};`
			`};`

			`databases = {`
			`backplane_dns = {`
			`users = ["niten"];`
			`};`
			`};`
			`};`

			`backplane.dns = {`
			`enable = true;`
			`listen-v4-addresses = cfg.listen-ips;`
			`listen-v6-addresses = cfg.listen-ipv6s;`
			`user = backplane-dns-user;`
			`group = backplane-dns-user;`
			`database = {`
			`username = powerdns-user;`
			`database = "backplane_dns";`
			`# Uses an IP to avoid cyclical dependency...`
			`host = "127.0.0.1";`
			`password-file = secrets.powerdns-password.target-file;`
			`};`
			`backplane = {`
			`host = "backplane.fudo.org";`
			`role = "service-dns";`
			`password-file = secrets.backplane-dns-xmpp-password.target-file;`
			`database = {`
			`username = backplane-dns-user;`
			`database = backplane-dns-user;`
			`host = "127.0.0.1";`
			`password-file = secrets.backplane-dns-db-password.target-file;`
			`};`
			`};`
			`};`
			`};`
			`};`
			`}`