france as a dns backplane server

This commit is contained in:
root 2020-11-17 17:29:44 -06:00
parent 3165c259bc
commit 9c92bb7e80
9 changed files with 339 additions and 74 deletions


@ -191,17 +191,22 @@ in {
}; };
}; };
backplane-dns-config-generator = { backplane-dns-config-generator = {
description = "Generate postgres configuration for backplane DNS server."; description = "Generate postgres configuration for backplane DNS server.";
requiredBy = [ "backplane-powerdns.service" ]; requiredBy = [ "backplane-powerdns.service" ];
requires = cfg.required-services; requires = cfg.required-services;
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
restartIfChanged = true; restartIfChanged = true;
partOf = [ "backplane-dns.target" ]; partOf = [ "backplane-dns.target" ];
# This builds the config in a bash script, to avoid storing the password preStart = ''
# in the nix store at any point mkdir -p ${powerdns-conf-dir}
script = '' chown backplane-powerdns:backplane-powerdns ${powerdns-conf-dir}
'';
# This builds the config in a bash script, to avoid storing the password
# in the nix store at any point
script = ''
if [ ! -d ${powerdns-conf-dir} ]; then if [ ! -d ${powerdns-conf-dir} ]; then
mkdir ${powerdns-conf-dir} mkdir ${powerdns-conf-dir}
fi fi
@ -231,40 +236,40 @@ in {
exit 0 exit 0
''; '';
};
backplane-dns = {
description = "Fudo DNS Backplane Server";
restartIfChanged = true;
serviceConfig = {
ExecStartPre = "${pkgs.lispPackages.quicklisp}/bin/quicklisp init";
ExecStart = "${pkgs.sbcl}/bin/sbcl --load ${launchScript}";
Restart = "on-failure";
PIDFile = "/run/backplane-dns.$USERNAME.pid";
User = cfg.user;
Group = cfg.group;
}; };
backplane-dns = { environment = {
description = "Fudo DNS Backplane Server"; LD_LIBRARY_PATH = "${pkgs.openssl_1_1.out}/lib";
restartIfChanged = true;
serviceConfig = { FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = cfg.backplane.host;
ExecStartPre = "${pkgs.lispPackages.quicklisp}/bin/quicklisp init"; FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane.role;
ExecStart = "${pkgs.sbcl}/bin/sbcl --load ${launchScript}"; FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = cfg.backplane.password-file;
Restart = "on-failure"; FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.backplane.database.host;
PIDFile = "/run/backplane-dns.$USERNAME.pid"; FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.backplane.database.database;
User = cfg.user; FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.backplane.database.username;
Group = cfg.group; FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE = cfg.backplane.database.password-file;
};
environment = { CL_SOURCE_REGISTRY = lib.concatStringsSep ":" (map (pkg: "${pkg}//")
LD_LIBRARY_PATH = "${pkgs.openssl_1_1.out}/lib"; (lisp-libs ++ [pkgs.backplane-dns]));
FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = cfg.backplane.host;
FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane.role;
FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = cfg.backplane.password-file;
FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.backplane.database.host;
FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.backplane.database.database;
FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.backplane.database.username;
FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE = cfg.backplane.database.password-file;
CL_SOURCE_REGISTRY = lib.concatStringsSep ":" (map (pkg: "${pkg}//")
(lisp-libs ++ [pkgs.backplane-dns]));
};
requires = cfg.required-services;
partOf = [ "backplane-dns.target" ];
wantedBy = [ "multi-user.target" ];
}; };
requires = cfg.required-services;
partOf = [ "backplane-dns.target" ];
wantedBy = [ "multi-user.target" ];
};
}; };
}; };
}; };
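Review bot: The new `preStart` creates `${powerdns-conf-dir}` and chowns it to `backplane-powerdns`, but never sets its mode, so the directory that will hold the generated PostgreSQL config (built in a script precisely, per the comment, to keep the database password out of the store) inherits whatever the umask gives and is typically readable by every local user. Replace the two lines with `install -d -m 0750 -o backplane-powerdns -g backplane-powerdns ${powerdns-conf-dir}`, which applies owner, group and mode in one step with no intermediate state. With that in place the `if [ ! -d ${powerdns-conf-dir} ]; then mkdir ...; fi` block at the top of `script` is dead and can be dropped. The `backplane-dns-config-generator` and `backplane-dns` unit definitions both continue outside the hunk.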


@ -31,7 +31,15 @@ let
}; };
generate-passwd-file = file: user: group: pkgs.writeShellScriptBin "generate-passwd-file.sh" '' generate-passwd-file = file: user: group: pkgs.writeShellScriptBin "generate-passwd-file.sh" ''
mkdir -p $(dirname ${file})
if touch ${file}; then if touch ${file}; then
chown ${user}${optionalString (group != null) ":${group}"} ${file}
if [ $? -ne 0 ]; then
rm ${file}
echo "failed to set permissions on ${file}"
exit 4
fi
${pkgs.pwgen}/bin/pwgen 30 1 > ${file} ${pkgs.pwgen}/bin/pwgen 30 1 > ${file}
else else
echo "cannot write to ${file}" echo "cannot write to ${file}"
@ -43,14 +51,6 @@ let
exit 3 exit 3
fi fi
chown ${user}${optionalString (group != null) ":${group}"} ${file}
if [ $? -ne 0 ]; then
rm ${file}
echo "failed to set permissions on ${file}"
exit 4
fi
${if (group != null) then ${if (group != null) then
"chmod 640 ${file}" "chmod 640 ${file}"
else else
@ -90,10 +90,12 @@ in {
systemd.services = fold (a: b: a // b) {} (mapAttrsToList (name: opts: { systemd.services = fold (a: b: a // b) {} (mapAttrsToList (name: opts: {
"file-generator-${name}" = { "file-generator-${name}" = {
enable = true;
partOf = [ "fudo-passwords.target" ]; partOf = [ "fudo-passwords.target" ];
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
description = "Generate password file for ${name}."; description = "Generate password file for ${name}.";
script = "${generate-passwd-file opts.file opts.user opts.group}/bin/generate-passwd-file.sh"; script = "${generate-passwd-file opts.file opts.user opts.group}/bin/generate-passwd-file.sh";
reloadIfChanged = true;
}; };
"file-generator-watcher-${name}" = mkIf (! (opts.restart-services == [])) { "file-generator-watcher-${name}" = mkIf (! (opts.restart-services == [])) {
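Review bot: Moving the `chown` ahead of `pwgen` fixes the ownership order, but the file is still created by `touch ${file}` under the default umask and only narrowed by the `chmod 640` further down, so the freshly written password is world-readable between the `pwgen` redirect and that chmod; the new `mkdir -p $(dirname ${file})` leaves the directory umask-dependent in the same way. Put `umask 077` as the first line of the generated script so both the directory and the file start out owner-only, and let the existing chmod widen the file to the group afterwards. If nothing above the hunk checks for an existing `${file}`, each run of the unit also overwrites the previous password, since `touch` succeeds on an existing file — confirm. Separately, `reloadIfChanged = true` on a `oneshot` unit with no `ExecReload` makes the NixOS switch try to reload it rather than re-run it; `restartIfChanged` looks like the intended option. The generated script continues outside the hunk.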


@ -329,6 +329,7 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
description = "Change ownership of the phpfpm socket for webmail once it's started."; description = "Change ownership of the phpfpm socket for webmail once it's started.";
requires = [ "phpfpm-webmail.service" ]; requires = [ "phpfpm-webmail.service" ];
after = [ "phpfpm.target" ];
serviceConfig = { serviceConfig = {
ExecStart = '' ExecStart = ''
${pkgs.coreutils}/bin/chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket} ${pkgs.coreutils}/bin/chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket}
@ -337,8 +338,10 @@ in {
}; };
nginx = { nginx = {
requires = [ "webmail-init.service" ]; requires = [
wantedBy = [ "phpfpm-webmail-socket-perm.service" ]; "webmail-init.service"
"phpfpm-webmail-socket-perm.service"
];
}; };
}; };
}; };
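Review bot: `requires` in the new `nginx` override does not order the units: systemd's `Requires=` without `After=` lets nginx start in parallel with `webmail-init.service` and `phpfpm-webmail-socket-perm.service`, so nginx can come up while the socket is still owned by the phpfpm user and fail to reach it. Add `after = [ "webmail-init.service" "phpfpm-webmail-socket-perm.service" ];` next to the new `requires` list. The new `after = [ "phpfpm.target" ]` on the socket-perm unit orders it against the target while it requires `phpfpm-webmail.service`; that is only equivalent if the webmail pool is pulled in by that target, which is worth confirming. Both unit definitions continue outside the hunk.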


@ -222,4 +222,19 @@
}; };
}; };
systemd.services.fudo-environment-init = {
enable = true;
description = "Fudo common settings.";
wantedBy = [ "default.target" ];
# Careful, this WILL run many times
script = ''
# Create a directory for system user homedirs if it doesn't already exist
if [ ! -d /var/home ]; then
mkdir -p /var/home
chmod +x /var/home
fi
'';
};
} }
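Review bot: `chmod +x /var/home` in the new `fudo-environment-init` script does not express the intended mode: it adds the execute bit for everyone on top of whatever `mkdir -p` got from the umask, which is a no-op under the usual 022 and still leaves the result umask-dependent under anything stricter. Replace the three-line `if`/`mkdir`/`chmod` block with `install -d -m 0755 /var/home`, which is idempotent and makes the chosen permissions explicit, so the `-d` guard is no longer needed. The `# Careful, this WILL run many times` comment would then be clearer as `# Runs on every reach of default.target; keep this idempotent`. The enclosing attribute set starts outside the hunk.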

81
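--- /dev/null
+++ b/fudo/selby.ca.nix
@@ -0,0 +1,81 @@
+{ host_ipv4, config }:
+{
+dnssec = true;
+mx = ["mail.fudo.org"];
+hosts = {
+forum = {
+ip-addresses = [ "208.81.3.117" ];
+};
+};
+default-host = "208.81.3.117";
+srv-records = {
+tcp = {
+domain = [{
+host = "ns1.fudo.org";
+port = "53";
+}];
+ssh = [{
+host = "france.fudo.org";
+port = 22;
+}];
+submission = [{
+host = "mail.fudo.org";
+port = 587;
+}];
+kerberos = [{
+host = "auth.fudo.org";
+port = 88;
+}];
+imaps = [{
+host = "mail.fudo.org";
+port = 993;
+}];
+pop3s = [{
+host = "mail.fudo.org";
+port = 995;
+}];
+http = [{
+host = "forum.selby.ca";
+port = 80;
+}];
+https = [{
+host = "forum.selby.ca";
+port = 80;
+}];
+};
+udp = {
+domain = [{
+host = "auth.fudo.org";
+port = 53;
+}];
+kerberos = [{
+host = "auth.fudo.org";
+port = 88;
+}];
+};
+};
+aliases = {
+pop = "mail.fudo.org.";
+smtp = "mail.fudo.org.";
+imap = "mail.fudo.org.";
+mail = "mail.fudo.org.";
+ns1 = "ns1.fudo.org.";
+ns2 = "ns2.fudo.org.";
+webmail = "france.fudo.org.";
+forum = "frankfurt.fudo.org.";
+};
+extra-dns-records = [
+''_kerberos IN TXT "FUDO.ORG"''
+''@ IN TXT "v=spf1 mx ip4:${host_ipv4}/29 -all"''
+''@ IN SPF "v=spf1 mx ip4:${host_ipv4}/29 -all"''
+];
+dmarc-report-address = "dmarc-report@selby.ca";
+}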
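Review bot: The `https` SRV record in the new `fudo/selby.ca.nix` points at port `80` (`port = 80;` under `https = [{ ... }]`), evidently copied from the `http` entry; it should be `port = 443;`. `forum` is defined both under `hosts` (an address record for `208.81.3.117`) and under `aliases` (a CNAME to `frankfurt.fudo.org.`); a CNAME cannot coexist with other data at the same owner name (RFC 1034 §3.6.2), so whichever the generator emits second is either rejected or silently shadows the first — keep one. `tcp.domain.port` is the string `"53"` while every other port is an integer, and the `udp.domain` target is `auth.fudo.org` where `tcp.domain` points at `ns1.fudo.org`; both look like slips. The `SPF` RR type is obsolete (RFC 7208 §3.1), so the second `@ IN SPF` line duplicates the TXT policy for no benefit and can be dropped.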


@ -32,6 +32,7 @@ in {
../hardware-configuration.nix ../hardware-configuration.nix
../defaults.nix ../defaults.nix
./france/jabber.nix ./france/jabber.nix
./france/backplane.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -42,15 +43,6 @@ in {
tshark tshark
]; ];
# services.openssh = {
# listenAddresses = [
# {
# addr = host_ipv4;
# port = 22;
# }
# ];
# };
fudo.common = { fudo.common = {
# Sets some server-common settings. See /etc/nixos/fudo/profiles/... # Sets some server-common settings. See /etc/nixos/fudo/profiles/...
profile = "server"; profile = "server";
@ -122,44 +114,94 @@ in {
users = { users = {
fudo_git = { fudo_git = {
password = fileContents "/srv/git/secure/db.passwd"; password-file = "/srv/git/secure/db.passwd";
databases = { databases = {
fudo_git = "ALL PRIVILEGES"; fudo_git = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
}; };
}; };
grafana = { grafana = {
password = fileContents "/srv/grafana/secure/db.passwd"; password-file = "/srv/grafana/secure/db.passwd";
databases = { databases = {
grafana = "ALL PRIVILEGES"; grafana = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
}; };
}; };
mattermost = { mattermost = {
password = fileContents "/srv/mattermost/secure/db.passwd"; password-file = "/srv/mattermost/secure/db.passwd";
databases = { databases = {
mattermost = "ALL PRIVILEGES"; mattermost = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
}; };
}; };
webmail = { webmail = {
password = fileContents "/srv/webmail/secure/db.passwd"; password-file = "/srv/webmail/secure/db.passwd";
databases = { databases = {
webmail = "ALL PRIVILEGES"; webmail = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
}; };
}; };
niten = {}; niten = {};
}; };
local-users = [ local-users = [
"niten"
"fudo_git" "fudo_git"
]; ];
databases = { databases = {
fudo_git = ["niten"]; fudo_git = {
grafana = ["niten"]; users = ["niten"];
mattermost = ["niten"]; };
webmail = ["niten"]; grafana = {
users = ["niten"];
};
mattermost = {
users = ["niten"];
};
webmail = {
users = ["niten"];
};
}; };
}; };
# fudo.dns = {
# enable = true;
# dns-hosts = {
# "ns1.fudo.org" = host_ipv4;
# "ns2.fudo.org" = "";
# };
# listen-ips = [host_ipv4];
# domains = {
# "selby.ca" = import ../fudo.org/selby.ca.nix {
# inherit host_ipv4 config;
# };
# };
# };
# Not all users need access to france; don't allow LDAP-user access. # Not all users need access to france; don't allow LDAP-user access.
fudo.authentication.enable = false; fudo.authentication.enable = false;
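Review bot: The new `entity-access` grants (`ALL TABLES IN SCHEMA public` / `ALL SEQUENCES IN SCHEMA public`) cover only the objects that exist when the grant statement runs; Grafana and Mattermost both create and alter tables in their own startup migrations, so unless the module behind these options also issues `ALTER DEFAULT PRIVILEGES` or makes each application user the owner of its objects, the first migration after this switch is likely to fail with a permission error — confirm against the module before deploying. The commented-out `fudo.dns` block near the end imports `../fudo.org/selby.ca.nix`, but this commit adds that file as `fudo/selby.ca.nix`; if the block is meant to be enabled later, fix the path now, otherwise drop the dead block rather than committing it. The hunk begins inside an attribute set (apparently the `fudo.postgresql` options) whose header is outside the view.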

117
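--- /dev/null
+++ b/hosts/france/backplane.nix
@@ -0,0 +1,117 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let
+in {
+config = {
+users = {
+users = {
+backplane-powerdns = {
+isSystemUser = true;
+};
+backplane-dns = {
+isSystemUser = true;
+};
+};
+groups = {
+backplane-powerdns = {
+members = [ "backplane-powerdns" ];
+};
+backplane-dns = {
+members = [ "backplane-dns" ];
+};
+};
+};
+fudo = {
+password.file-generator = {
+dns_backplane_powerdns = {
+file = "/srv/backplane/dns/secure/db_powerdns.passwd";
+user = config.services.postgresql.superUser;
+group = "backplane-powerdns";
+restart-services = [
+"backplane-dns-config-generator.service"
+"postgresql-password-setter.service"
+"backplane-powerdns.service"
+];
+};
+dns_backplane_database = {
+file = "/srv/backplane/dns/secure/db_backplane.passwd";
+user = config.services.postgresql.superUser;
+group = "backplane-dns";
+restart-services = [
+"backplane-dns.service"
+"postgresql-password-setter.service"
+];
+};
+};
+postgresql = {
+enable = true;
+required-services = [ "fudo-passwords.target" ];
+users = {
+backplane_powerdns = {
+password-file = "/srv/backplane/dns/secure/db_powerdns.passwd";
+databases = {
+backplane_dns = {
+access = "CONNECT";
+entity-access = {
+"ALL TABLES IN SCHEMA public" = "SELECT";
+};
+};
+};
+};
+backplane_dns = {
+password-file = "/srv/backplane/dns/secure/db_backplane.passwd";
+databases = {
+backplane_dns = {
+access = "CONNECT";
+entity-access = {
+"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE";
+"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
+};
+};
+};
+};
+};
+databases = {
+backplane_dns = {
+users = ["niten"];
+};
+};
+};
+backplane.dns = {
+enable = true;
+port = 353;
+listen-addresses = [ "208.81.3.117" ];
+required-services = [ "fudo-passwords.target" ];
+user = "backplane-dns";
+group = "backplane-dns";
+database = {
+username = "backplane_powerdns";
+database = "backplane_dns";
+# Uses an IP to avoid cyclical dependency...not really relevant, but
+# whatever
+host = "127.0.0.1";
+password-file = "/srv/backplane/dns/secure/db_powerdns.passwd";
+};
+backplane = {
+host = "backplane.fudo.org";
+role = "service-dns";
+password-file = "/srv/backplane/dns/secure/backplane.passwd";
+database = {
+username = "backplane_dns";
+database = "backplane_dns";
+host = "127.0.0.1";
+password-file = "/srv/backplane/dns/secure/db_backplane.passwd";
+};
+};
+};
+};
+};
+}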
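Review bot: `backplane.passwd` (the XMPP credential at `fudo.backplane.dns.backplane.password-file`) is the one secret in this file that `fudo.password.file-generator` does not produce, and nothing here sets its owner or mode, yet the module's `backplane-dns` unit reads it as `cfg.user` (`backplane-dns`); a comment next to it should say how it is provisioned and what it needs, e.g. `# Provisioned out of band; must be readable by backplane-dns only (0640, group backplane-dns)`. The `users.users.backplane-powerdns` and `backplane-dns` entries set `isSystemUser` without a primary `group`; newer NixOS releases assert that a system user names one, so add `group = "backplane-powerdns";` and `group = "backplane-dns";` now (the groups are already declared just below). The empty `let in` at the top of the file is noise and can be dropped. The split of read-only `SELECT` for `backplane_powerdns` and write access only for `backplane_dns` is the right shape for this pair of services.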


@ -9,8 +9,8 @@ in stdenv.mkDerivation {
src = fetchgit { src = fetchgit {
url = url; url = url;
rev = "bfad36c9d223c7c8949fab50424c32a11164cd3a"; rev = "543df72f3962cf91b0e0508d15cdc083a3cd7ed4";
sha256 = "0s8g5cm9mdjr9wb8w6a8lc1dv5cg85hxp8bdcgr1xd6hs4fnr745"; sha256 = "0hda1wjf9wd4rvxchdlxw0af3i2cvl5plg37ric3ckma6gfzkmm0";
fetchSubmodules = false; fetchSubmodules = false;
}; };


@ -16,8 +16,8 @@
(format (current-error-port "FUDO_SERVICE_PASSWD_FILE not set~%")) (format (current-error-port "FUDO_SERVICE_PASSWD_FILE not set~%"))
(exit 1)) (exit 1))
(define host-regex "^host-([a-zA-Z][a-zA-Z0-9_-]+)$") (define host-regex "^host-([a-zA-Z][a-zA-Z0-9_-]+)")
(define service-regex "^service-([a-zA-Z][a-zA-Z0-9_-]+)$") (define service-regex "^service-([a-zA-Z][a-zA-Z0-9_-]+)")
(define (make-verifier passwd-file) (define (make-verifier passwd-file)
(let ((passwds (load passwd-file))) (let ((passwds (load passwd-file)))
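Review bot: Dropping the trailing `$` from `host-regex` and `service-regex` turns them into prefix matches: any identifier that starts with `host-`/`service-` followed by a valid name now matches even when it continues with characters outside `[a-zA-Z0-9_-]` (a `.`, `@`, `/` or space), and the capture group still yields only the leading name. If the intent is to accept a trailing resource or domain part, anchor on the separator explicitly so the accepted shape is stated rather than open-ended, e.g. `(define service-regex "^service-([a-zA-Z][a-zA-Z0-9_-]+)(@|/|$)")` with the same change to `host-regex`, and add a comment above the two defines saying which suffixes are expected. Whether a trailing part could let one principal be verified under another's captured name depends on how `make-verifier` uses the capture, which is outside the hunk. On a visible context line, `(format (current-error-port "FUDO_SERVICE_PASSWD_FILE not set~%"))` passes the message to `current-error-port` instead of `format`; it should read `(format (current-error-port) "FUDO_SERVICE_PASSWD_FILE not set~%")`.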