Added cashew, did some backplane yak shaving
This commit is contained in:
parent
c747746eee
commit
b5cdfc7293
37
config/client.nix
Normal file
37
config/client.nix
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
make-passwd-file = hostname:
|
||||||
|
pkgs.lib.fudo.passwd.stablerandom-passwd-file
|
||||||
|
"${hostname}-fudo-client-passwd"
|
||||||
|
config.instance.build-seed;
|
||||||
|
|
||||||
|
secrets =
|
||||||
|
config.fudo.secrets.host-secrets.${config.instance.hostname};
|
||||||
|
|
||||||
|
host-password-files = mapAttrs (hostname: hostOpts:
|
||||||
|
make-password-file hostname) config.fudo.hosts;
|
||||||
|
|
||||||
|
in {
|
||||||
|
config = {
|
||||||
|
fudo = {
|
||||||
|
secrets.host-secrets = mapAttrs (hostname: hostOpts: {
|
||||||
|
backplane-client-passwd = {
|
||||||
|
source-file = host-password-files.${hostname};
|
||||||
|
target-file = "/var/fudo/client/passwd";
|
||||||
|
user = config.fudo.client.dns.user;
|
||||||
|
};
|
||||||
|
}) config.fudo.hosts;
|
||||||
|
|
||||||
|
client.dns = {
|
||||||
|
password-file =
|
||||||
|
secrets.backplane-client-passwd.target-file;
|
||||||
|
};
|
||||||
|
|
||||||
|
backplane.client-hosts = mapAttrs (hostname: hostOpts: {
|
||||||
|
password-file = host-password-files.${hostname};
|
||||||
|
}) config.fudo.hosts;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
@ -14,6 +14,7 @@
|
|||||||
local-admins = [ "niten" "reaper" ];
|
local-admins = [ "niten" "reaper" ];
|
||||||
admin-email = "admin@fudo.org";
|
admin-email = "admin@fudo.org";
|
||||||
gssapi-realm = "FUDO.ORG";
|
gssapi-realm = "FUDO.ORG";
|
||||||
|
kerberos-master = "nutboy3";
|
||||||
};
|
};
|
||||||
|
|
||||||
"sea.fudo.org" = {
|
"sea.fudo.org" = {
|
||||||
@ -63,7 +64,6 @@
|
|||||||
admin-email = "viator@informis.land";
|
admin-email = "viator@informis.land";
|
||||||
gssapi-realm = "INFORMIS.LAND";
|
gssapi-realm = "INFORMIS.LAND";
|
||||||
kerberos-master = "procul";
|
kerberos-master = "procul";
|
||||||
kerberos-slaves = [ "legatus" ];
|
|
||||||
primary-nameserver = "procul";
|
primary-nameserver = "procul";
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -77,7 +77,7 @@
|
|||||||
local-users = [ "niten" "reaper" ];
|
local-users = [ "niten" "reaper" ];
|
||||||
local-groups = [ "admin" ];
|
local-groups = [ "admin" ];
|
||||||
local-admins = [ "niten" "reaper" ];
|
local-admins = [ "niten" "reaper" ];
|
||||||
admin-email = "nitenn@fudo.org";
|
admin-email = "niten@fudo.org";
|
||||||
gssapi-realm = "FUDO.ORG";
|
gssapi-realm = "FUDO.ORG";
|
||||||
# kerberos-master = "legatus";
|
# kerberos-master = "legatus";
|
||||||
primary-nameserver = "legatus";
|
primary-nameserver = "legatus";
|
||||||
|
5
config/hardware/cashew.nix
Normal file
5
config/hardware/cashew.nix
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
35
config/host-config/cashew.nix
Normal file
35
config/host-config/cashew.nix
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
hostname = config.instance.hostname;
|
||||||
|
host-ipv4 = pkgs.lib.fudo.network.host-ipv4 config hostname;
|
||||||
|
site-name = config.fudo.hosts.${hostname}.site;
|
||||||
|
site = config.fudo.sites.${site-name};
|
||||||
|
|
||||||
|
network-prefix-length =
|
||||||
|
pkgs.lib.fudo.ip.getNetworkMask site.network;
|
||||||
|
|
||||||
|
local-packages = with pkgs; [
|
||||||
|
bind
|
||||||
|
];
|
||||||
|
|
||||||
|
in {
|
||||||
|
config = {
|
||||||
|
networking = {
|
||||||
|
defaultGateway = {
|
||||||
|
address = site.gateway-v4;
|
||||||
|
interface = "extif0";
|
||||||
|
};
|
||||||
|
|
||||||
|
interfaces.extif0 = {
|
||||||
|
ipv4.addresses = [{
|
||||||
|
address = host-ipv4;
|
||||||
|
prefixLength = network-prefix-length;
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.systemPackages = local-packages;
|
||||||
|
};
|
||||||
|
}
|
@ -51,12 +51,6 @@ in {
|
|||||||
options = [ "noatime" "nodiratime" "noexec" "subvol=grafana" ];
|
options = [ "noatime" "nodiratime" "noexec" "subvol=grafana" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
"/srv/gitlab" = {
|
|
||||||
fsType = "btrfs";
|
|
||||||
label = "pool0";
|
|
||||||
options = [ "noatime" "nodiratime" "noexec" "subvol=grafana" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
${mail-directory} = {
|
${mail-directory} = {
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
label = "pool0";
|
label = "pool0";
|
||||||
|
@ -7,16 +7,6 @@ let
|
|||||||
|
|
||||||
cfg = config.fudo.france.jabber;
|
cfg = config.fudo.france.jabber;
|
||||||
|
|
||||||
generate-auth-file = name: files: let
|
|
||||||
make-entry = name: passwd-file:
|
|
||||||
''("${name}" . "${readFile passwd-file}")'';
|
|
||||||
entries = mapAttrsToList make-entry files;
|
|
||||||
content = concatStringsSep "\n" entries;
|
|
||||||
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
|
|
||||||
|
|
||||||
host-auth-file = generate-auth-file "host" cfg.backplane.host-passwd-files;
|
|
||||||
service-auth-file = generate-auth-file "service" cfg.backplane.service-passwd-files;
|
|
||||||
|
|
||||||
ldap-password-file =
|
ldap-password-file =
|
||||||
pkgs.lib.fudo.passwd.random-passwd-file "ejabberd-ldap-auth-user" 30;
|
pkgs.lib.fudo.passwd.random-passwd-file "ejabberd-ldap-auth-user" 30;
|
||||||
|
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
hostname = "nutboy3";
|
hostname = "nutboy3";
|
||||||
|
host-fqdn = config.instance.host-fqdn;
|
||||||
host-ipv4 = "199.87.154.175";
|
host-ipv4 = "199.87.154.175";
|
||||||
domain-name = config.fudo.hosts.${hostname}.domain;
|
domain-name = config.fudo.hosts.${hostname}.domain;
|
||||||
domain = config.fudo.domains.${domain-name};
|
domain = config.fudo.domains.${domain-name};
|
||||||
@ -13,7 +14,16 @@ let
|
|||||||
|
|
||||||
secrets = config.fudo.secrets.host-secrets.${hostname};
|
secrets = config.fudo.secrets.host-secrets.${hostname};
|
||||||
|
|
||||||
|
postgresql-user =
|
||||||
|
config.systemd.services.postgresql.serviceConfig.User;
|
||||||
|
|
||||||
|
files = config.fudo.secrets.files;
|
||||||
|
|
||||||
|
acme-copies = config.fudo.acme.host-domains.${hostname};
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
|
config = {
|
||||||
networking = {
|
networking = {
|
||||||
enableIPv6 = true;
|
enableIPv6 = true;
|
||||||
|
|
||||||
@ -35,42 +45,43 @@ in {
|
|||||||
|
|
||||||
environment.systemPackages = local-packages;
|
environment.systemPackages = local-packages;
|
||||||
|
|
||||||
# networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
# informis.cl-gemini = {
|
|
||||||
# enable = true;
|
|
||||||
|
|
||||||
# hostname = "gemini.informis.land";
|
|
||||||
# server-ip = host-ipv4;
|
|
||||||
# document-root = "/srv/gemini/root";
|
|
||||||
# textfiles-archive = "${pkgs.textfiles}";
|
|
||||||
# slynk-port = 4005;
|
|
||||||
|
|
||||||
# feeds = {
|
|
||||||
# viator = {
|
|
||||||
# title = "viator's phlog";
|
|
||||||
# path = "/home/viator/gemini-public/feed/";
|
|
||||||
# url = "gemini://informis.land/user/viator/feed/";
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
|
|
||||||
fudo = {
|
fudo = {
|
||||||
hosts.${hostname}.external-interfaces = [ "extif0" ];
|
hosts.${hostname}.external-interfaces = [ "extif0" ];
|
||||||
|
|
||||||
secrets.host-secrets.nutboy3 = let
|
secrets.host-secrets.nutboy3 = let
|
||||||
files = config.fudo.secrets.files;
|
files = config.fudo.secrets.files;
|
||||||
in {
|
in {
|
||||||
# heimdal-master-key = {
|
heimdal-master-key = {
|
||||||
# source-file = files.realm-master-keys."FUDO.ORG";
|
source-file = files.realm-master-keys."FUDO.ORG";
|
||||||
# target-file = "/run/heimdal/master-key";
|
target-file = "/run/heimdal/master-key";
|
||||||
# user = config.fudo.auth.kdc.user;
|
user = config.fudo.auth.kdc.user;
|
||||||
# };
|
};
|
||||||
|
|
||||||
# ipropd-keytab = {
|
ldap-keytab = {
|
||||||
# source-file = files.service-keytabs.legatus.ipropd;
|
source-file = files.service-keytabs.${hostname}.openldap;
|
||||||
# target-file = "/run/heimdal/ipropd.keytab";
|
target-file = "/run/openldap/ldap.keytab";
|
||||||
# user = config.fudo.auth.kdc.user;
|
user = config.services.openldap.user;
|
||||||
# };
|
};
|
||||||
|
|
||||||
|
postgresql-keytab = {
|
||||||
|
source-file = files.service-keytabs.nutboy3.postgres;
|
||||||
|
target-file = "/run/postgresql/postgres.keytab";
|
||||||
|
user = postgresql-user;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
acme.host-domains.${hostname}.${host-fqdn}.local-copies = {
|
||||||
|
openldap = {
|
||||||
|
user = config.services.openldap.user;
|
||||||
|
dependent-services = [ "openldap.service" ];
|
||||||
|
part-of = [ config.fudo.auth.ldap-server.systemd-target ];
|
||||||
|
};
|
||||||
|
|
||||||
|
postgresql = {
|
||||||
|
user = postgresql-user;
|
||||||
|
dependent-services = [ "postgresql.service" ];
|
||||||
|
part-of = [ config.fudo.postgresql.systemd-target ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
client.dns = {
|
client.dns = {
|
||||||
@ -80,33 +91,41 @@ in {
|
|||||||
external-interface = "extif0";
|
external-interface = "extif0";
|
||||||
};
|
};
|
||||||
|
|
||||||
# auth.kdc = {
|
auth = {
|
||||||
# enable = true;
|
ldap-server = let
|
||||||
# realm = "FUDO.ORG";
|
ldap-copy = acme-copies.${host-fqdn}.local-copies.openldap;
|
||||||
# bind-addresses = [ host-ipv4 "127.0.0.1" ];
|
in {
|
||||||
# master-key-file =
|
enable = true;
|
||||||
# secrets.heimdal-master-key.target-file;
|
base = "dc=fudo,dc=org";
|
||||||
# state-directory = "/state/kerberos";
|
organization = "Fudo";
|
||||||
# slave-config = {
|
kerberos-host = host-fqdn;
|
||||||
# master-host = "france";
|
kerberos-keytab = secrets.ldap-keytab.target-file;
|
||||||
# ipropd-keytab = secrets.ipropd-keytab.target-file;
|
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///"];
|
||||||
# };
|
required-services = [ ldap-copy.service ];
|
||||||
# };
|
|
||||||
|
|
||||||
# secure-dns-proxy = {
|
users = config.fudo.users;
|
||||||
# enable = true;
|
groups = config.fudo.groups;
|
||||||
# upstream-dns =
|
system-users = config.fudo.system-users;
|
||||||
# [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
|
|
||||||
# bootstrap-dns = "1.1.1.1";
|
state-directory = "/state/openldap";
|
||||||
# listen-ips = [ "127.0.0.1" ];
|
|
||||||
# listen-port = 53;
|
ssl-chain = ldap-copy.chain;
|
||||||
# allowed-networks = [ "1.1.1.1/32" "1.0.0.1/32" "localhost" "link-local" ];
|
ssl-certificate = ldap-copy.certificate;
|
||||||
# };
|
ssl-private-key = ldap-copy.private-key;
|
||||||
|
ssl-ca-certificate = "${pkgs.letsencrypt-ca}";
|
||||||
|
};
|
||||||
|
|
||||||
|
kdc = {
|
||||||
|
master-key-file =
|
||||||
|
secrets.heimdal-master-key.target-file;
|
||||||
|
state-directory = "/state/kerberos";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# dns.state-directory = "/state/nsd";
|
# dns.state-directory = "/state/nsd";
|
||||||
|
|
||||||
# mail-server = {
|
# mail-server = {
|
||||||
# enable = true;
|
# enableContainer = true;
|
||||||
# debug = true;
|
# debug = true;
|
||||||
|
|
||||||
# domain = domain-name;
|
# domain = domain-name;
|
||||||
@ -147,31 +166,18 @@ in {
|
|||||||
# };
|
# };
|
||||||
# };
|
# };
|
||||||
|
|
||||||
# postgresql = {
|
postgresql = let
|
||||||
# enable = true;
|
cert-copy =
|
||||||
# ssl-certificate = (acme-certificate host-fqdn);
|
config.fudo.acme.host-domains.${hostname}.${host-fqdn}.local-copies.postgresql;
|
||||||
# ssl-private-key = (acme-private-key host-fqdn);
|
in {
|
||||||
# keytab = secrets.postgres-keytab.target-file;
|
enable = true;
|
||||||
# local-networks = local-networks;
|
ssl-certificate = cert-copy.full-certificate;
|
||||||
|
ssl-private-key = cert-copy.private-key;
|
||||||
# users = {
|
keytab = secrets.postgresql-keytab.target-file;
|
||||||
# gituser = {
|
local-networks = config.instance.local-networks;
|
||||||
# password-file =
|
state-directory = "/state/postgresql";
|
||||||
# secrets.gitea-database-password.target-file;
|
required-services = [ cert-copy.service ];
|
||||||
# databases = {
|
};
|
||||||
# git = {
|
|
||||||
# access = "CONNECT";
|
|
||||||
# entity-access = {
|
|
||||||
# "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
|
|
||||||
# "ALL SEQUENCES IN SCHEMA public" = "SELECT, UPDATE";
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
|
|
||||||
# databases = { git = { users = [ "niten" ]; }; };
|
|
||||||
# };
|
|
||||||
|
|
||||||
# git = {
|
# git = {
|
||||||
# enable = true;
|
# enable = true;
|
||||||
@ -193,4 +199,36 @@ in {
|
|||||||
# };
|
# };
|
||||||
# };
|
# };
|
||||||
};
|
};
|
||||||
|
|
||||||
|
containers.cashew = let
|
||||||
|
initialize-host = import ../../initialize.nix;
|
||||||
|
build-timestamp = config.instance.build-timestamp;
|
||||||
|
site = "nuttyclub-vm";
|
||||||
|
domain = config.instance.local-domain;
|
||||||
|
profile = "container";
|
||||||
|
in {
|
||||||
|
autoStart = true;
|
||||||
|
|
||||||
|
bindMounts = {
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
config = { pkgs, ... }: {
|
||||||
|
imports = [
|
||||||
|
(initialize-host {
|
||||||
|
inherit
|
||||||
|
lib
|
||||||
|
pkgs
|
||||||
|
build-timestamp
|
||||||
|
site
|
||||||
|
domain
|
||||||
|
profile;
|
||||||
|
hostname = "cashew";
|
||||||
|
})
|
||||||
|
];
|
||||||
|
|
||||||
|
instance.build-seed = build-seed;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
12
config/hosts/cashew.nix
Normal file
12
config/hosts/cashew.nix
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
{
|
||||||
|
description = "fudo.org primary dns server.";
|
||||||
|
rp = "reaper";
|
||||||
|
admin-email = "reaper@fudo.org";
|
||||||
|
domain = "fudo.org";
|
||||||
|
site = "nuttyclub-vm";
|
||||||
|
profile = "container";
|
||||||
|
enable-gui = false;
|
||||||
|
arch = "x86_64-linux";
|
||||||
|
nixos-system = true;
|
||||||
|
machine-id = "e5f456e3183a4dc186181a70bc3af2d1";
|
||||||
|
}
|
@ -31,6 +31,8 @@ let
|
|||||||
TIMEOUT=15m
|
TIMEOUT=15m
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
TMP=$(mktemp -d /tmp/fudo-test-config-XXXXXXX)
|
||||||
|
|
||||||
SYNCFILE=$TMP/sync-$(date +"%Y%m%d-%H%M%N")
|
SYNCFILE=$TMP/sync-$(date +"%Y%m%d-%H%M%N")
|
||||||
touch $SYNCFILE
|
touch $SYNCFILE
|
||||||
${pkgs.utillinux}/bin/wall "Launching config. System will restart in $TIMEOUT if $SYNCFILE still exists."
|
${pkgs.utillinux}/bin/wall "Launching config. System will restart in $TIMEOUT if $SYNCFILE still exists."
|
||||||
|
@ -50,6 +50,18 @@
|
|||||||
mail-server = "mail.fudo.org";
|
mail-server = "mail.fudo.org";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nuttyclub-vm = {
|
||||||
|
gateway-v4 = "FIXME";
|
||||||
|
network = "FIXME/29";
|
||||||
|
nameservers = [ "1.1.1.1" ];
|
||||||
|
timezone = "America/Winnipeg";
|
||||||
|
deploy-pubkeys = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGVez4of30f+j0cWKj5kYCKeFjyNsYvG9UbOMxF5hImD2lP5MSbFBv31gFgHjx3yCG4zQRZlpuyU5uWo0qIwe9N84/LcZcB9WrWKZXDmuof7zPFy0J+Hj+LVLDQI/mVXHNwkMhBMHpPrdwA05EYDAYCYklWT4cSByu10pHtST+olF8i+A+UQgUzgNZzdJVeiYZv6MBDTYsJWptGeDUkl2B0Es3gtbGYcCCfnyS3RC7DIXlDo3NBbAr7WaHY2MBbT+R/+jicn9E3IY3NCM5jENxqmvHy9MDsxEEYgFNm7IDwq4V1VRUWy277YsvRbmEaHb+osOA5u1VNN4z3UftOZcSZgR5C/vR71cENXoPt1YQpCzu7i38ojtvL+tDVEKT7sIovrQw8q1sszNlW2nXh8RSPiIq5TMnrV73MP0egKcr9n3tfxwi1BIkLjvfom/02BkTK9R9v+VMNhYU1YwROhORCiMIgoxUGiUvtH8u38JGr7E0hhMoAjCE5k80WPUivl0="
|
||||||
|
];
|
||||||
|
mail-server = "mail.fudo.org";
|
||||||
|
};
|
||||||
|
|
||||||
russell = {
|
russell = {
|
||||||
gateway-v4 = "10.0.0.1";
|
gateway-v4 = "10.0.0.1";
|
||||||
nameservers = [ "10.0.0.1" ];
|
nameservers = [ "10.0.0.1" ];
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
{ lib, pkgs, hostname, site, domain, profile, build-timestamp, ... }:
|
{ lib, pkgs, hostname, site, domain, profile, build-timestamp, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
let
|
let
|
||||||
# Get info on this host so we know what to load
|
# Get info on this host so we know what to load
|
||||||
config-dir = ./. + "/config";
|
config-dir = ./. + "/config";
|
||||||
@ -8,13 +9,13 @@ in {
|
|||||||
imports = [
|
imports = [
|
||||||
./lib
|
./lib
|
||||||
./config
|
./config
|
||||||
|
] ++ (filter pathExists [
|
||||||
(config-dir + /hardware/${hostname}.nix)
|
(config-dir + /hardware/${hostname}.nix)
|
||||||
(config-dir + /host-config/${hostname}.nix)
|
(config-dir + /host-config/${hostname}.nix)
|
||||||
(config-dir + /profile-config/${profile}.nix)
|
(config-dir + /profile-config/${profile}.nix)
|
||||||
(config-dir + /domain-config/${domain}.nix)
|
(config-dir + /domain-config/${domain}.nix)
|
||||||
(config-dir + /site-config/${site}.nix)
|
(config-dir + /site-config/${site}.nix)
|
||||||
];
|
]);
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
instance = {
|
instance = {
|
||||||
|
@ -2,6 +2,8 @@
|
|||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
|
hostname = config.instance.hostname;
|
||||||
|
|
||||||
domainOpts = { name, ... }: let
|
domainOpts = { name, ... }: let
|
||||||
domain = name;
|
domain = name;
|
||||||
in {
|
in {
|
||||||
@ -23,7 +25,7 @@ let
|
|||||||
copy = name;
|
copy = name;
|
||||||
in {
|
in {
|
||||||
options = with types; let
|
options = with types; let
|
||||||
target-path = "/var/run/${domain}/${copy}";
|
target-path = "/run/ssl-certificates/${domain}/${copy}";
|
||||||
in {
|
in {
|
||||||
user = mkOption {
|
user = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
@ -39,7 +41,7 @@ let
|
|||||||
service = mkOption {
|
service = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
description = "systemd job to copy certs.";
|
description = "systemd job to copy certs.";
|
||||||
default = "fudo-${domain}-${copy}-certs.service";
|
default = "fudo-acme-${domain}-${copy}-certs.service";
|
||||||
};
|
};
|
||||||
|
|
||||||
certificate = mkOption {
|
certificate = mkOption {
|
||||||
@ -65,6 +67,18 @@ let
|
|||||||
description = "Full path to the local copy certificate.";
|
description = "Full path to the local copy certificate.";
|
||||||
default = "${target-path}/key.pem";
|
default = "${target-path}/key.pem";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
dependent-services = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
description = "List of systemd services depending on this copy.";
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
|
||||||
|
part-of = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
description = "List of systemd targets to which this copy belongs.";
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in mkOption {
|
in mkOption {
|
||||||
@ -82,9 +96,9 @@ let
|
|||||||
concatMapAttrs = f: attrs:
|
concatMapAttrs = f: attrs:
|
||||||
foldr (a: b: a // b) {} (mapAttrsToList f attrs);
|
foldr (a: b: a // b) {} (mapAttrsToList f attrs);
|
||||||
|
|
||||||
hostname = config.instance.hostname;
|
|
||||||
cfg = config.fudo.acme;
|
cfg = config.fudo.acme;
|
||||||
localDomains = if (hasAttr hostname cfg.host-domains) then
|
hasLocalDomains = hasAttr hostname cfg.host-domains;
|
||||||
|
localDomains = if hasLocalDomains then
|
||||||
cfg.host-domains.${hostname} else {};
|
cfg.host-domains.${hostname} else {};
|
||||||
|
|
||||||
optionalStringOr = str: default:
|
optionalStringOr = str: default:
|
||||||
@ -105,6 +119,29 @@ in {
|
|||||||
extraDomainNames = domainOpts.extra-domains;
|
extraDomainNames = domainOpts.extra-domains;
|
||||||
}) localDomains;
|
}) localDomains;
|
||||||
|
|
||||||
|
# Assume that if we're acquiring SSL certs, we have a real IP for the
|
||||||
|
# host. nginx must have an acme dir for security.acme to work.
|
||||||
|
services.nginx = mkIf hasLocalDomains {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
|
||||||
|
virtualHosts.${config.instance.host-fqdn} = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
# Just...force override if you want this to point somewhere.
|
||||||
|
locations."/" = {
|
||||||
|
return = "403 Forbidden";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
tmpfiles.rules = let
|
tmpfiles.rules = let
|
||||||
copies = concatMapAttrs (domain: domainOpts:
|
copies = concatMapAttrs (domain: domainOpts:
|
||||||
@ -112,7 +149,7 @@ in {
|
|||||||
perms = copyOpts: if (copyOpts.group != null) then "0550" else "0500";
|
perms = copyOpts: if (copyOpts.group != null) then "0550" else "0500";
|
||||||
copy-paths = mapAttrsToList (copy: copyOpts:
|
copy-paths = mapAttrsToList (copy: copyOpts:
|
||||||
let
|
let
|
||||||
dir-entry = copyOpts: file: "D \"${dirOf file}\" ${perms copyOpts} ${copyOpts.user} ${optionalStringOr copyOpts.group "-"} - -";
|
dir-entry = copyOpts: file: "d \"${dirOf file}\" ${perms copyOpts} ${copyOpts.user} ${optionalStringOr copyOpts.group "-"} - -";
|
||||||
in map (dir-entry copyOpts) [
|
in map (dir-entry copyOpts) [
|
||||||
copyOpts.certificate
|
copyOpts.certificate
|
||||||
copyOpts.full-certificate
|
copyOpts.full-certificate
|
||||||
@ -122,40 +159,47 @@ in {
|
|||||||
in unique (concatMap (i: unique i) copy-paths);
|
in unique (concatMap (i: unique i) copy-paths);
|
||||||
|
|
||||||
services = concatMapAttrs (domain: domainOpts:
|
services = concatMapAttrs (domain: domainOpts:
|
||||||
mapAttrs' (copy: copyOpts: let
|
concatMapAttrs (copy: copyOpts: let
|
||||||
key-perms = copyOpts: if (copyOpts.group != null) then "0440" else "0400";
|
key-perms = copyOpts: if (copyOpts.group != null) then "0440" else "0400";
|
||||||
source = config.security.acme.certs.${domain}.directory;
|
source = config.security.acme.certs.${domain}.directory;
|
||||||
target = copyOpts.path;
|
target = copyOpts.path;
|
||||||
|
owners =
|
||||||
|
if (copyOpts.group != null) then
|
||||||
|
"${copyOpts.user}:${copyOpts.group}"
|
||||||
|
else copyOpts.user;
|
||||||
install-certs = pkgs.writeShellScript "fudo-install-${domain}-${copy}-certs.sh" ''
|
install-certs = pkgs.writeShellScript "fudo-install-${domain}-${copy}-certs.sh" ''
|
||||||
cp cert.pem ${copyOpts.certificate}
|
cp ${source}/cert.pem ${copyOpts.certificate}
|
||||||
chmod 0444 ${copyOpts.certificate}
|
chmod 0444 ${copyOpts.certificate}
|
||||||
|
chown ${owners} ${copyOpts.certificate}
|
||||||
|
|
||||||
cp full.pem ${copyOpts.full-certificate}
|
cp ${source}/full.pem ${copyOpts.full-certificate}
|
||||||
chmod 0444 ${copyOpts.full-certificate}
|
chmod 0444 ${copyOpts.full-certificate}
|
||||||
|
chown ${owners} ${copyOpts.full-certificate}
|
||||||
|
|
||||||
cp chain.pem ${copyOpts.chain}
|
cp ${source}/chain.pem ${copyOpts.chain}
|
||||||
chmod 0444 ${copyOpts.chain}
|
chmod 0444 ${copyOpts.chain}
|
||||||
|
chown ${owners} ${copyOpts.chain}
|
||||||
|
|
||||||
cp key.pem ${copyOpts.private-key}
|
cp ${source}/key.pem ${copyOpts.private-key}
|
||||||
chmod ${key-perms copyOpts} ${copyOpts.private-key}
|
chmod ${key-perms copyOpts} ${copyOpts.private-key}
|
||||||
|
chown ${owners} ${copyOpts.private-key}
|
||||||
'';
|
'';
|
||||||
remove-certs = pkgs.writeShellScript "fudo-remove-${domain}-${copy}-certs.sh" ''
|
|
||||||
rm -f ${copyOpts.private-key}
|
service-name = rm-service-ext copyOpts.service;
|
||||||
rm -f ${copyOpts.chain}
|
in {
|
||||||
rm -f ${copyOpts.full-certificate}
|
${service-name} = {
|
||||||
rm -f ${copyOpts.certificate}
|
|
||||||
'';
|
|
||||||
in nameValuePair
|
|
||||||
(rm-service-ext copyOpts.service) {
|
|
||||||
description = "Copy ${domain} ACME certs for ${copy}.";
|
description = "Copy ${domain} ACME certs for ${copy}.";
|
||||||
after = [ "acme-${domain}.service" ];
|
after = [ "acme-${domain}.service" ];
|
||||||
|
before = copyOpts.dependent-services;
|
||||||
|
wantedBy = [ "multi-user.target" ] ++ copyOpts.dependent-services;
|
||||||
|
partOf = copyOpts.part-of;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "simple";
|
||||||
ExecStart = install-certs;
|
ExecStart = install-certs;
|
||||||
ExecStop = remove-certs;
|
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
StandardOutput = "journal";
|
StandardOutput = "journal";
|
||||||
};
|
};
|
||||||
|
};
|
||||||
}) domainOpts.local-copies) localDomains;
|
}) domainOpts.local-copies) localDomains;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
154
lib/fudo/backplane/common.nix
Normal file
154
lib/fudo/backplane/common.nix
Normal file
@ -0,0 +1,154 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.fudo.backplane.dns;
|
||||||
|
|
||||||
|
powerdns-conf-dir = "${cfg.powerdns.home}/conf.d";
|
||||||
|
|
||||||
|
clientHostOpts = { name, ... }: {
|
||||||
|
options = with types; {
|
||||||
|
password-file = mkOption {
|
||||||
|
type = path;
|
||||||
|
description =
|
||||||
|
"Location (on the build host) of the file containing the host password.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
serviceOpts = { name, ... }: {
|
||||||
|
options = with types; {
|
||||||
|
password-file = mkOption {
|
||||||
|
type = path;
|
||||||
|
description =
|
||||||
|
"Location (on the build host) of the file containing the service password.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
databaseOpts = { ... }: {
|
||||||
|
options = with types; {
|
||||||
|
host = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Hostname or IP of the PostgreSQL server.";
|
||||||
|
};
|
||||||
|
|
||||||
|
database = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Database to use for DNS backplane.";
|
||||||
|
default = "backplane_dns";
|
||||||
|
};
|
||||||
|
|
||||||
|
username = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Database user for DNS backplane.";
|
||||||
|
default = "backplane_dns";
|
||||||
|
};
|
||||||
|
|
||||||
|
password-file = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "File containing password for database user.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
in {
|
||||||
|
options.fudo.backplane = with types; {
|
||||||
|
|
||||||
|
client-hosts = mkOption {
|
||||||
|
type = attrsOf (submodule clientHostOpts);
|
||||||
|
description = "List of backplane client options.";
|
||||||
|
default = {};
|
||||||
|
};
|
||||||
|
|
||||||
|
services = mkOption {
|
||||||
|
type = attrsOf (submodule serviceOpts);
|
||||||
|
description = "List of backplane service options.";
|
||||||
|
default = {};
|
||||||
|
};
|
||||||
|
|
||||||
|
backplane-host = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "Hostname of the backplane XMPP server.";
|
||||||
|
};
|
||||||
|
|
||||||
|
dns = {
|
||||||
|
enable = mkEnableOption "Enable backplane dynamic DNS server.";
|
||||||
|
|
||||||
|
port = mkOption {
|
||||||
|
type = port;
|
||||||
|
description = "Port on which to serve authoritative DNS requests.";
|
||||||
|
default = 53;
|
||||||
|
};
|
||||||
|
|
||||||
|
listen-v4-addresses = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
description = "IPv4 addresses on which to listen for dns requests.";
|
||||||
|
default = [ "0.0.0.0" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
listen-v6-addresses = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
description = "IPv6 addresses on which to listen for dns requests.";
|
||||||
|
example = [ "[abcd::1]" ];
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
|
||||||
|
required-services = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
description =
|
||||||
|
"A list of services required before the DNS server can start.";
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
|
||||||
|
user = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "User as which to run DNS backplane listener service.";
|
||||||
|
default = "backplane-dns";
|
||||||
|
};
|
||||||
|
|
||||||
|
group = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Group as which to run DNS backplane listener service.";
|
||||||
|
default = "backplane-dns";
|
||||||
|
};
|
||||||
|
|
||||||
|
database = mkOption {
|
||||||
|
type = submodule databaseOpts;
|
||||||
|
description = "Database settings for the DNS server.";
|
||||||
|
};
|
||||||
|
|
||||||
|
powerdns = {
|
||||||
|
home = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Directory at which to store powerdns configuration and state.";
|
||||||
|
default = "/run/backplane-dns/powerdns";
|
||||||
|
};
|
||||||
|
|
||||||
|
user = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Username as which to run PowerDNS.";
|
||||||
|
default = "backplane-powerdns";
|
||||||
|
};
|
||||||
|
|
||||||
|
database = mkOption {
|
||||||
|
type = submodule databaseOpts;
|
||||||
|
description = "Database settings for the DNS server.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
backplane-role = {
|
||||||
|
role = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "Backplane XMPP role name for the DNS server.";
|
||||||
|
default = "service-dns";
|
||||||
|
};
|
||||||
|
|
||||||
|
password-file = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "File containing XMPP password for backplane role.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
@ -3,6 +3,8 @@
|
|||||||
with lib;
|
with lib;
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
./common.nix
|
||||||
./dns.nix
|
./dns.nix
|
||||||
|
./jabber.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
@ -2,134 +2,13 @@
|
|||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
cfg = config.fudo.backplane.dns;
|
backplane-cfg = config.fudo.backplane;
|
||||||
|
|
||||||
|
cfg = backplane-cfg.dns;
|
||||||
|
|
||||||
powerdns-conf-dir = "${cfg.powerdns.home}/conf.d";
|
powerdns-conf-dir = "${cfg.powerdns.home}/conf.d";
|
||||||
|
|
||||||
backplaneOpts = { ... }: {
|
|
||||||
options = {
|
|
||||||
host = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Hostname of the backplane jabber server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
role = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Backplane XMPP role name for the DNS server.";
|
|
||||||
default = "service-dns";
|
|
||||||
};
|
|
||||||
|
|
||||||
password-file = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "File containing XMPP password for backplane role.";
|
|
||||||
};
|
|
||||||
|
|
||||||
database = mkOption {
|
|
||||||
type = with types; submodule databaseOpts;
|
|
||||||
description = "Database settings for backplane server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
cl-wrapper-package = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
description = "Common Lisp wrapper package to use.";
|
|
||||||
default = pkgs.lispPackages.clwrapper;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
databaseOpts = { ... }: {
|
|
||||||
options = {
|
|
||||||
host = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Hostname or IP of the PostgreSQL server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
database = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Database to use for DNS backplane.";
|
|
||||||
default = "backplane_dns";
|
|
||||||
};
|
|
||||||
|
|
||||||
username = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Database user for DNS backplane.";
|
|
||||||
default = "backplane_dns";
|
|
||||||
};
|
|
||||||
|
|
||||||
password-file = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "File containing password for database user.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
in {
|
in {
|
||||||
options.fudo.backplane.dns = with types; {
|
|
||||||
enable = mkEnableOption "Enable backplane dynamic DNS server.";
|
|
||||||
|
|
||||||
port = mkOption {
|
|
||||||
type = port;
|
|
||||||
description = "Port on which to serve authoritative DNS requests.";
|
|
||||||
default = 53;
|
|
||||||
};
|
|
||||||
|
|
||||||
listen-v4-addresses = mkOption {
|
|
||||||
type = listOf str;
|
|
||||||
description = "IPv4 addresses on which to listen for dns requests.";
|
|
||||||
default = [ "0.0.0.0" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
listen-v6-addresses = mkOption {
|
|
||||||
type = listOf str;
|
|
||||||
description = "IPv6 addresses on which to listen for dns requests.";
|
|
||||||
example = [ "[abcd::1]" ];
|
|
||||||
default = [ ];
|
|
||||||
};
|
|
||||||
|
|
||||||
required-services = mkOption {
|
|
||||||
type = listOf str;
|
|
||||||
description =
|
|
||||||
"A list of services required before the DNS server can start.";
|
|
||||||
default = [ ];
|
|
||||||
};
|
|
||||||
|
|
||||||
user = mkOption {
|
|
||||||
type = str;
|
|
||||||
description = "User as which to run DNS backplane listener service.";
|
|
||||||
default = "backplane-dns";
|
|
||||||
};
|
|
||||||
|
|
||||||
group = mkOption {
|
|
||||||
type = str;
|
|
||||||
description = "Group as which to run DNS backplane listener service.";
|
|
||||||
default = "backplane-dns";
|
|
||||||
};
|
|
||||||
|
|
||||||
database = mkOption {
|
|
||||||
type = submodule databaseOpts;
|
|
||||||
description = "Database settings for the DNS server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
backplane = mkOption {
|
|
||||||
type = submodule backplaneOpts;
|
|
||||||
description = "Backplane Jabber settings for the DNS server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
powerdns = {
|
|
||||||
home = mkOption {
|
|
||||||
type = str;
|
|
||||||
description = "Directory at which to store powerdns configuration and state.";
|
|
||||||
default = "/run/backplane-dns/powerdns";
|
|
||||||
};
|
|
||||||
|
|
||||||
user = mkOption {
|
|
||||||
type = str;
|
|
||||||
description = "Username as which to run PowerDNS.";
|
|
||||||
default = "backplane-powerdns";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
users = {
|
users = {
|
||||||
users = {
|
users = {
|
||||||
@ -147,12 +26,13 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
groups = {
|
groups = {
|
||||||
"${cfg.group}" = { members = [ cfg.user ]; };
|
${cfg.group} = { members = [ cfg.user ]; };
|
||||||
${cfg.powerdns.user} = { members = [ cfg.powerdns.user ]; };
|
${cfg.powerdns.user} = { members = [ cfg.powerdns.user ]; };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
fudo.system.services = {
|
fudo = {
|
||||||
|
system.services = {
|
||||||
backplane-powerdns-config-generator = {
|
backplane-powerdns-config-generator = {
|
||||||
description =
|
description =
|
||||||
"Generate postgres configuration for backplane DNS server.";
|
"Generate postgres configuration for backplane DNS server.";
|
||||||
@ -163,18 +43,12 @@ in {
|
|||||||
|
|
||||||
readWritePaths = [ powerdns-conf-dir ];
|
readWritePaths = [ powerdns-conf-dir ];
|
||||||
|
|
||||||
preStart = ''
|
|
||||||
mkdir -p ${powerdns-conf-dir}
|
|
||||||
chown ${cfg.powerdns.user}:${cfg.powerdns.user} ${powerdns-conf-dir}
|
|
||||||
'';
|
|
||||||
|
|
||||||
# This builds the config in a bash script, to avoid storing the password
|
# This builds the config in a bash script, to avoid storing the password
|
||||||
# in the nix store at any point
|
# in the nix store at any point
|
||||||
script = ''
|
script = let
|
||||||
if [ ! -d ${powerdns-conf-dir} ]; then
|
user = cfg.powerdns.user;
|
||||||
mkdir ${powerdns-conf-dir}
|
db = cfg.powerdns.database;
|
||||||
fi
|
in ''
|
||||||
|
|
||||||
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d -t pdns-XXXXXXXXXX)
|
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d -t pdns-XXXXXXXXXX)
|
||||||
TMPCONF=$TMPDIR/pdns.local.gpgsql.conf
|
TMPCONF=$TMPDIR/pdns.local.gpgsql.conf
|
||||||
|
|
||||||
@ -184,13 +58,13 @@ in {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
touch $TMPCONF
|
touch $TMPCONF
|
||||||
chown ${cfg.powerdns.user}:${cfg.powerdns.user} $TMPCONF
|
|
||||||
chmod go-rwx $TMPCONF
|
chmod go-rwx $TMPCONF
|
||||||
PASSWORD=$(cat ${cfg.database.password-file})
|
chown ${user} $TMPCONF
|
||||||
|
PASSWORD=$(cat ${db.password-file})
|
||||||
echo "launch+=gpgsql" >> $TMPCONF
|
echo "launch+=gpgsql" >> $TMPCONF
|
||||||
echo "gpgsql-host=${cfg.database.host}" >> $TMPCONF
|
echo "gpgsql-host=${db.host}" >> $TMPCONF
|
||||||
echo "gpgsql-dbname=${cfg.database.database}" >> $TMPCONF
|
echo "gpgsql-dbname=${db.database}" >> $TMPCONF
|
||||||
echo "gpgsql-user=${cfg.database.username}" >> $TMPCONF
|
echo "gpgsql-user=${db.username}" >> $TMPCONF
|
||||||
echo "gpgsql-password=$PASSWORD" >> $TMPCONF
|
echo "gpgsql-password=$PASSWORD" >> $TMPCONF
|
||||||
echo "gpgsql-dnssec=yes" >> $TMPCONF
|
echo "gpgsql-dnssec=yes" >> $TMPCONF
|
||||||
|
|
||||||
@ -212,23 +86,28 @@ in {
|
|||||||
partOf = [ "backplane-dns.target" ];
|
partOf = [ "backplane-dns.target" ];
|
||||||
requires = cfg.required-services ++ [ "postgresql.service" ];
|
requires = cfg.required-services ++ [ "postgresql.service" ];
|
||||||
environment = {
|
environment = {
|
||||||
FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = cfg.backplane.host;
|
FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = backplane-cfg.backplane-host;
|
||||||
FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane.role;
|
FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane-role.role;
|
||||||
FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = cfg.backplane.password-file;
|
FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = cfg.backplane-role.password-file;
|
||||||
FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.backplane.database.host;
|
FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.database.host;
|
||||||
FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.backplane.database.database;
|
FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.database.database;
|
||||||
FUDO_DNS_BACKPLANE_DATABASE_USERNAME =
|
FUDO_DNS_BACKPLANE_DATABASE_USERNAME =
|
||||||
cfg.backplane.database.username;
|
cfg.database.username;
|
||||||
FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE =
|
FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE =
|
||||||
cfg.backplane.database.password-file;
|
cfg.database.password-file;
|
||||||
|
|
||||||
CL_SOURCE_REGISTRY =
|
CL_SOURCE_REGISTRY =
|
||||||
pkgs.lib.fudo.lisp.lisp-source-registry pkgs.backplane-dns-server;
|
pkgs.lib.fudo.lisp.lisp-source-registry pkgs.backplane-dns-server;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
|
tmpfiles.rules = [
|
||||||
|
"d ${powerdns-conf-dir} 0700 ${cfg.powerdns.user} - - -"
|
||||||
|
];
|
||||||
|
|
||||||
targets = {
|
targets = {
|
||||||
backplane-dns = {
|
backplane-dns = {
|
||||||
description = "Fudo DNS backplane services.";
|
description = "Fudo DNS backplane services.";
|
||||||
|
89
lib/fudo/backplane/jabber.nix
Normal file
89
lib/fudo/backplane/jabber.nix
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.fudo.backplane;
|
||||||
|
|
||||||
|
backplane-server = cfg.backplane-host;
|
||||||
|
|
||||||
|
generate-auth-file = name: files: let
|
||||||
|
make-entry = name: passwd-file:
|
||||||
|
''("${name}" . "${readFile passwd-file}")'';
|
||||||
|
entries = mapAttrsToList make-entry files;
|
||||||
|
content = concatStringsSep "\n" entries;
|
||||||
|
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
|
||||||
|
|
||||||
|
host-auth-file = generate-auth-file "host"
|
||||||
|
(mapAttrs (hostname: hostOpts: hostOpts.password-file)
|
||||||
|
cfg.client-hosts);
|
||||||
|
|
||||||
|
service-auth-file = generate-auth-file "service"
|
||||||
|
(mapAttrs (service: serviceOpts: serviceOpts.password-file)
|
||||||
|
cfg.services);
|
||||||
|
|
||||||
|
in {
|
||||||
|
config = mkIf config.fudo.jabber.enable {
|
||||||
|
|
||||||
|
fudo = {
|
||||||
|
secrets.host-secrets.${hostname} = {
|
||||||
|
backplane-host-auth = {
|
||||||
|
source-file = host-auth-file;
|
||||||
|
target-file = "/var/backplane/host-passwords.scm";
|
||||||
|
user = config.fudo.jabber.user;
|
||||||
|
};
|
||||||
|
backplane-service-auth = {
|
||||||
|
source-file = service-auth-file;
|
||||||
|
target-file = "/var/backplane/service-passwords.scm";
|
||||||
|
user = config.fudo.jabber.user;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
jabber = {
|
||||||
|
environment = {
|
||||||
|
FUDO_HOST_PASSWD_FILE =
|
||||||
|
secrets.backplane-host-auth.target-file;
|
||||||
|
FUDO_SERVICE_PASSWD_FILE =
|
||||||
|
secrets.backplane-service-auth.target-file;
|
||||||
|
};
|
||||||
|
|
||||||
|
sites.${backplane-server} = {
|
||||||
|
site-config = {
|
||||||
|
auth_method = "external";
|
||||||
|
extauth_program =
|
||||||
|
"${pkgs.guile}/bin/guile -s ${pkgs.backplane-auth}/backplane-auth.scm";
|
||||||
|
extauth_pool_size = 3;
|
||||||
|
auth_use_cache = true;
|
||||||
|
|
||||||
|
modules = {
|
||||||
|
mod_adhoc = {};
|
||||||
|
mod_caps = {};
|
||||||
|
mod_carboncopy = {};
|
||||||
|
mod_client_state = {};
|
||||||
|
mod_configure = {};
|
||||||
|
mod_disco = {};
|
||||||
|
mod_fail2ban = {};
|
||||||
|
mod_last = {};
|
||||||
|
mod_offline = {
|
||||||
|
access_max_user_messages = 5000;
|
||||||
|
};
|
||||||
|
mod_ping = {};
|
||||||
|
mod_pubsub = {
|
||||||
|
access_createnode = "pubsub_createnode";
|
||||||
|
ignore_pep_from_offline = true;
|
||||||
|
last_item_cache = false;
|
||||||
|
plugins = [
|
||||||
|
"flat"
|
||||||
|
"pep"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
mod_roster = {};
|
||||||
|
mod_stream_mgmt = {};
|
||||||
|
mod_time = {};
|
||||||
|
mod_version = {};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
@ -6,6 +6,16 @@ let
|
|||||||
|
|
||||||
hostname = config.instance.hostname;
|
hostname = config.instance.hostname;
|
||||||
|
|
||||||
|
localhost-ips = let
|
||||||
|
addr-only = addrinfo: addrinfo.address;
|
||||||
|
interface = config.networking.interfaces.lo;
|
||||||
|
in
|
||||||
|
(map addr-only interface.ipv4.addresses) ++
|
||||||
|
(map addr-only interface.ipv6.addresses);
|
||||||
|
|
||||||
|
host-ips =
|
||||||
|
(pkgs.lib.fudo.network.host-ips hostname) ++ localhost-ips;
|
||||||
|
|
||||||
state-directory = toplevel.config.fudo.auth.kdc.state-directory;
|
state-directory = toplevel.config.fudo.auth.kdc.state-directory;
|
||||||
|
|
||||||
database-file = "${state-directory}/principals.db";
|
database-file = "${state-directory}/principals.db";
|
||||||
@ -249,7 +259,7 @@ in {
|
|||||||
bind-addresses = mkOption {
|
bind-addresses = mkOption {
|
||||||
type = listOf str;
|
type = listOf str;
|
||||||
description = "A list of IP addresses on which to bind.";
|
description = "A list of IP addresses on which to bind.";
|
||||||
default = [ ];
|
default = host-ips;
|
||||||
};
|
};
|
||||||
|
|
||||||
user = mkOption {
|
user = mkOption {
|
||||||
@ -392,22 +402,6 @@ in {
|
|||||||
environment = { KRB5_CONFIG = "/etc/krb5.conf"; };
|
environment = { KRB5_CONFIG = "/etc/krb5.conf"; };
|
||||||
};
|
};
|
||||||
|
|
||||||
heimdal-kadmin = {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
requires = [ "heimdal-kdc.service" ];
|
|
||||||
description =
|
|
||||||
"Heimdal Kerberos Remote Administration Server.";
|
|
||||||
# Doesn't have any way to specify IPs to listen on...sigh
|
|
||||||
execStart = "${pkgs.heimdalFull}/libexec/heimdal/kadmin -c ${kdc-conf} -k ${cfg.master-key-file} -r ${cfg.realm} --ports=749";
|
|
||||||
user = cfg.user;
|
|
||||||
group = cfg.group;
|
|
||||||
workingDirectory = state-directory;
|
|
||||||
privateNetwork = false;
|
|
||||||
addressFamilies = [ "AF_INET" "AF_INET6" ];
|
|
||||||
requiredCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
environment = { KRB5_CONFIG = "/etc/krb5.conf"; };
|
|
||||||
};
|
|
||||||
|
|
||||||
heimdal-kdc-init = let
|
heimdal-kdc-init = let
|
||||||
init-cmd = initialize-db {
|
init-cmd = initialize-db {
|
||||||
realm = cfg.realm;
|
realm = cfg.realm;
|
||||||
@ -477,7 +471,7 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
heimdal-ipropd-slave = {
|
heimdal-ipropd-slave = {
|
||||||
#wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
description = "Receive changes propagated from the KDC master server.";
|
description = "Receive changes propagated from the KDC master server.";
|
||||||
path = with pkgs; [ heimdalFull ];
|
path = with pkgs; [ heimdalFull ];
|
||||||
execStart = concatStringsSep " " [
|
execStart = concatStringsSep " " [
|
||||||
|
@ -7,17 +7,23 @@ let
|
|||||||
|
|
||||||
user-type = import ../types/user.nix { inherit lib; };
|
user-type = import ../types/user.nix { inherit lib; };
|
||||||
|
|
||||||
stringJoin = joiner: attrList:
|
stringJoin = concatStringsSep;
|
||||||
if (length attrList) == 0 then
|
|
||||||
""
|
|
||||||
else
|
|
||||||
foldr (lAttr: rAttr: "${lAttr}${joiner}${rAttr}") (last attrList)
|
|
||||||
(init attrList);
|
|
||||||
|
|
||||||
getUserGidNumber = user: group-map: group-map.${user.primary-group}.gid;
|
getUserGidNumber = user: group-map: group-map.${user.primary-group}.gid;
|
||||||
|
|
||||||
attrOr = attrs: attr: value: if attrs ? ${attr} then attrs.${attr} else value;
|
attrOr = attrs: attr: value: if attrs ? ${attr} then attrs.${attr} else value;
|
||||||
|
|
||||||
|
ca-path = "${cfg.state-directory}/ca.pem";
|
||||||
|
|
||||||
|
build-ca-script = target: ca-cert: site-chain: let
|
||||||
|
user = config.services.openldap.user;
|
||||||
|
group = config.services.openldap.group;
|
||||||
|
in pkgs.writeShellScript "build-openldap-ca-script.sh" ''
|
||||||
|
cat ${site-chain} ${ca-cert} > ${target}
|
||||||
|
chmod 440 ${target}
|
||||||
|
chown ${user}:${group} ${target}
|
||||||
|
'';
|
||||||
|
|
||||||
mkHomeDir = username: user-opts:
|
mkHomeDir = username: user-opts:
|
||||||
if (user-opts.primary-group == "admin") then
|
if (user-opts.primary-group == "admin") then
|
||||||
"/home/${username}"
|
"/home/${username}"
|
||||||
@ -103,6 +109,13 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ssl-chain = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = ''
|
||||||
|
The path to the SSL chain to to the certificate for the server.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
ssl-private-key = mkOption {
|
ssl-private-key = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
description = ''
|
description = ''
|
||||||
@ -111,8 +124,7 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
ssl-ca-certificate = mkOption {
|
ssl-ca-certificate = mkOption {
|
||||||
type = with types; nullOr str;
|
type = nullOr str;
|
||||||
|
|
||||||
description = ''
|
description = ''
|
||||||
The path to the SSL CA cert used to sign the certificate.
|
The path to the SSL CA cert used to sign the certificate.
|
||||||
'';
|
'';
|
||||||
@ -189,9 +201,21 @@ in {
|
|||||||
description = "System users to be added to the Fudo LDAP database.";
|
description = "System users to be added to the Fudo LDAP database.";
|
||||||
};
|
};
|
||||||
|
|
||||||
database-directory = mkOption {
|
state-directory = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
description = "Path at which to store the database.";
|
description = "Path at which to store openldap database & state.";
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd-target = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Systemd target for running ldap server.";
|
||||||
|
default = "fudo-ldap-server.target";
|
||||||
|
};
|
||||||
|
|
||||||
|
required-services = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
description = "Systemd services on which the server depends.";
|
||||||
|
default = [ ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -214,9 +238,28 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.openldap = {
|
networking.firewall = {
|
||||||
environment = { KRB5_KTNAME = cfg.kerberos-keytab; };
|
allowedTCPPorts = [ 389 636 ];
|
||||||
# FIXME: THIS IS ALL UNPROVEN
|
allowedUDPPorts = [ 389 ];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd = {
|
||||||
|
tmpfiles.rules = let
|
||||||
|
ca-dir = dirOf ca-path;
|
||||||
|
user = config.services.openldap.user;
|
||||||
|
group = config.services.openldap.group;
|
||||||
|
in [
|
||||||
|
"d ${ca-dir} 0700 ${user} ${group} - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.openldap = {
|
||||||
|
partOf = [ cfg.systemd-target ];
|
||||||
|
requires = cfg.required-services;
|
||||||
|
environment.KRB5_KTNAME = cfg.kerberos-keytab;
|
||||||
|
preStart = mkBefore
|
||||||
|
"${build-ca-script ca-path
|
||||||
|
cfg.ssl-chain
|
||||||
|
cfg.ssl-ca-certificate}";
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
@ -230,20 +273,32 @@ in {
|
|||||||
ProtectClock = true;
|
ProtectClock = true;
|
||||||
ProtectKernelLogs = true;
|
ProtectKernelLogs = true;
|
||||||
KeyringMode = "private";
|
KeyringMode = "private";
|
||||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
# RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
MemoryDenyWriteExecute = true;
|
MemoryDenyWriteExecute = true;
|
||||||
SystemCallFilter =
|
SystemCallFilter = concatStringsSep " " [
|
||||||
"~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete";
|
"~@clock"
|
||||||
|
"@debug"
|
||||||
|
"@module"
|
||||||
|
"@mount"
|
||||||
|
"@raw-io"
|
||||||
|
"@reboot"
|
||||||
|
"@swap"
|
||||||
|
# "@privileged"
|
||||||
|
"@resources"
|
||||||
|
"@cpu-emulation"
|
||||||
|
"@obsolete"
|
||||||
|
];
|
||||||
UMask = "7007";
|
UMask = "7007";
|
||||||
InaccessiblePaths = [ "/home" "/root" ];
|
InaccessiblePaths = [ "/home" "/root" ];
|
||||||
LimitNOFILE = 49152;
|
LimitNOFILE = 49152;
|
||||||
PermissionsStartOnly = true;
|
PermissionsStartOnly = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.openldap = {
|
services.openldap = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -254,7 +309,7 @@ in {
|
|||||||
|
|
||||||
makeAccessLine = target: perm-map: let
|
makeAccessLine = target: perm-map: let
|
||||||
perm-entries = mapAttrsToList makePermEntry perm-map;
|
perm-entries = mapAttrsToList makePermEntry perm-map;
|
||||||
in "to ${target} ${concatStringsSep " " perm-entries} done";
|
in "to ${target} ${concatStringsSep " " perm-entries}";
|
||||||
|
|
||||||
makeAccess = access-map: let
|
makeAccess = access-map: let
|
||||||
access-lines = mapAttrsToList makeAccessLine;
|
access-lines = mapAttrsToList makeAccessLine;
|
||||||
@ -268,7 +323,7 @@ in {
|
|||||||
olcPidFile = "/run/slapd/slapd.pid";
|
olcPidFile = "/run/slapd/slapd.pid";
|
||||||
olcTLSCertificateFile = cfg.ssl-certificate;
|
olcTLSCertificateFile = cfg.ssl-certificate;
|
||||||
olcTLSCertificateKeyFile = cfg.ssl-private-key;
|
olcTLSCertificateKeyFile = cfg.ssl-private-key;
|
||||||
olcTLSCACertificateFile = cfg.ssl-ca-certificate;
|
olcTLSCACertificateFile = ca-path;
|
||||||
olcSaslSecProps = "noplain,noanonymous";
|
olcSaslSecProps = "noplain,noanonymous";
|
||||||
olcAuthzRegexp = let
|
olcAuthzRegexp = let
|
||||||
authz-regex-entry = i: { regex, target }:
|
authz-regex-entry = i: { regex, target }:
|
||||||
@ -297,70 +352,74 @@ in {
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
children = {
|
children = {
|
||||||
"olcDatabase{-1}frontend" = {
|
"cn=schema" = {
|
||||||
|
includes = [
|
||||||
|
"${pkgs.openldap}/etc/schema/core.ldif"
|
||||||
|
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||||
|
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||||
|
"${pkgs.openldap}/etc/schema/nis.ldif"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
"olcDatabase={-1}frontend" = {
|
||||||
attrs = {
|
attrs = {
|
||||||
objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
|
objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
|
||||||
olcDatabase = "{-1}frontend";
|
olcDatabase = "{-1}frontend";
|
||||||
olcAccess = makeAccess {
|
olcAccess = makeAccess {
|
||||||
"*" = {
|
"*" = {
|
||||||
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
"dn.exact=cn=admin,${cfg.base}" = "manage";
|
|
||||||
"*" = "none";
|
"*" = "none";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"olcDatabase{0}config" = {
|
"olcDatabase={0}config" = {
|
||||||
attrs = {
|
attrs = {
|
||||||
objectClass = [ "olcDatabaseConfig" ];
|
objectClass = [ "olcDatabaseConfig" ];
|
||||||
olcDatabase = "{0}config";
|
olcDatabase = "{0}config";
|
||||||
olcAccess = [ "by * none" ];
|
olcAccess = makeAccess {
|
||||||
|
"*" = {
|
||||||
|
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
|
"*" = "none";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"olcDatabase{1}mdb" = {
|
};
|
||||||
|
};
|
||||||
|
"olcDatabase={1}mdb" = {
|
||||||
attrs = {
|
attrs = {
|
||||||
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
||||||
olcDatabase = "{1}mdb";
|
olcDatabase = "{1}mdb";
|
||||||
olcSuffix = cfg.base;
|
olcSuffix = cfg.base;
|
||||||
# olcRootDN = "cn=admin,${cfg.base}";
|
# olcRootDN = "cn=admin,${cfg.base}";
|
||||||
# olcRootPW = FIXME; # NOTE: this should be hashed...
|
# olcRootPW = FIXME; # NOTE: this should be hashed...
|
||||||
olcDbDirectory = cfg.database-directory;
|
olcDbDirectory = "${cfg.state-directory}/database";
|
||||||
olcDbIndex = [ "objectClass eq" "uid eq" ];
|
olcDbIndex = [ "objectClass eq" "uid eq" ];
|
||||||
olcAccess = makeAccess {
|
olcAccess = makeAccess {
|
||||||
"attrs=userPassword,shadowLastChange" = {
|
"attrs=userPassword,shadowLastChange" = {
|
||||||
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
"group/groupOfNames/member.exact=cn=admin,ou=groups,${cfg.base}" = "write";
|
|
||||||
"dn.exact=cn=auth_reader,${cfg.base}" = "read";
|
"dn.exact=cn=auth_reader,${cfg.base}" = "read";
|
||||||
"dn.exact=cn=replicator,${cfg.base}" = "read";
|
"dn.exact=cn=replicator,${cfg.base}" = "read";
|
||||||
"self" = "write";
|
"self" = "write";
|
||||||
"*" = "auth";
|
"*" = "auth";
|
||||||
};
|
};
|
||||||
"dn.base=cn=admin,ou=groups,${cfg.base}" = {
|
"dn=cn=admin,ou=groups,${cfg.base}" = {
|
||||||
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
"dn.exact=cn=admin,ou=groups,${cfg.base}" = "write";
|
|
||||||
"users" = "read";
|
"users" = "read";
|
||||||
"*" = "none";
|
"*" = "none";
|
||||||
};
|
};
|
||||||
"dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = {
|
"dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = {
|
||||||
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
"dn.exact=cn=admin,ou=groups,${cfg.base}" = "write";
|
|
||||||
"dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write";
|
"dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write";
|
||||||
"group/groupOfNames/member.exact=cn=admin,ou=groups,${cfg.base}" = "write";
|
|
||||||
"users" = "read";
|
"users" = "read";
|
||||||
"*" = "none";
|
"*" = "none";
|
||||||
};
|
};
|
||||||
"dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = {
|
"dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = {
|
||||||
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
"dn.exact=cn=admin,ou=groups,${cfg.base}" = "write";
|
|
||||||
"group/groupOfNames/member.exact=cn=admin,ou=groups,${cfg.base}" = "write";
|
|
||||||
"dn.exact=cn=user_db_reader,${cfg.base}" = "read";
|
"dn.exact=cn=user_db_reader,${cfg.base}" = "read";
|
||||||
"users" = "read";
|
"users" = "read";
|
||||||
"*" = "none";
|
"*" = "none";
|
||||||
};
|
};
|
||||||
"*" = {
|
"*" = {
|
||||||
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
|
||||||
"dn.exact=cn=admin,ou=groups,${cfg.base}" = "write";
|
|
||||||
"group/groupOfNames/member.exact=cn=admin,ou=groups,${cfg.base}" = "read";
|
|
||||||
"users" = "read";
|
"users" = "read";
|
||||||
"*" = "none";
|
"*" = "none";
|
||||||
};
|
};
|
||||||
|
@ -11,6 +11,9 @@ let
|
|||||||
|
|
||||||
join-lines = lib.concatStringsSep "\n";
|
join-lines = lib.concatStringsSep "\n";
|
||||||
|
|
||||||
|
strip-ext = filename:
|
||||||
|
head (builtins.match "^(.+)[.][^.]+$" filename);
|
||||||
|
|
||||||
userDatabaseOpts = { database, ... }: {
|
userDatabaseOpts = { database, ... }: {
|
||||||
options = {
|
options = {
|
||||||
access = mkOption {
|
access = mkOption {
|
||||||
@ -127,33 +130,33 @@ let
|
|||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
options.fudo.postgresql = {
|
options.fudo.postgresql = with types; {
|
||||||
enable = mkEnableOption "Fudo PostgreSQL Server";
|
enable = mkEnableOption "Fudo PostgreSQL Server";
|
||||||
|
|
||||||
ssl-private-key = mkOption {
|
ssl-private-key = mkOption {
|
||||||
type = types.str;
|
type = str;
|
||||||
description = "Location of the server SSL private key.";
|
description = "Location of the server SSL private key.";
|
||||||
};
|
};
|
||||||
|
|
||||||
ssl-certificate = mkOption {
|
ssl-certificate = mkOption {
|
||||||
type = types.str;
|
type = str;
|
||||||
description = "Location of the server SSL certificate.";
|
description = "Location of the server SSL certificate.";
|
||||||
};
|
};
|
||||||
|
|
||||||
keytab = mkOption {
|
keytab = mkOption {
|
||||||
type = types.str;
|
type = str;
|
||||||
description = "Location of the server Kerberos keytab.";
|
description = "Location of the server Kerberos keytab.";
|
||||||
};
|
};
|
||||||
|
|
||||||
local-networks = mkOption {
|
local-networks = mkOption {
|
||||||
type = with types; listOf str;
|
type = listOf str;
|
||||||
description = "A list of networks from which to accept connections.";
|
description = "A list of networks from which to accept connections.";
|
||||||
example = [ "10.0.0.1/16" ];
|
example = [ "10.0.0.1/16" ];
|
||||||
default = [ ];
|
default = [ ];
|
||||||
};
|
};
|
||||||
|
|
||||||
users = mkOption {
|
users = mkOption {
|
||||||
type = with types; attrsOf (submodule userOpts);
|
type = attrsOf (submodule userOpts);
|
||||||
description = "A map of users to user attributes.";
|
description = "A map of users to user attributes.";
|
||||||
example = {
|
example = {
|
||||||
sampleUser = {
|
sampleUser = {
|
||||||
@ -170,35 +173,53 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
databases = mkOption {
|
databases = mkOption {
|
||||||
type = with types; attrsOf (submodule databaseOpts);
|
type = attrsOf (submodule databaseOpts);
|
||||||
description = "A map of databases to database options.";
|
description = "A map of databases to database options.";
|
||||||
default = { };
|
default = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
socket-directory = mkOption {
|
socket-directory = mkOption {
|
||||||
type = types.str;
|
type = str;
|
||||||
description = "Directory in which to place unix sockets.";
|
description = "Directory in which to place unix sockets.";
|
||||||
default = "/run/postgresql";
|
default = "/run/postgresql";
|
||||||
};
|
};
|
||||||
|
|
||||||
socket-group = mkOption {
|
socket-group = mkOption {
|
||||||
type = types.str;
|
type = str;
|
||||||
description = "Group for accessing sockets.";
|
description = "Group for accessing sockets.";
|
||||||
default = "postgres_local";
|
default = "postgres_local";
|
||||||
};
|
};
|
||||||
|
|
||||||
local-users = mkOption {
|
local-users = mkOption {
|
||||||
type = with types; listOf str;
|
type = listOf str;
|
||||||
description = "Users able to access the server via local socket.";
|
description = "Users able to access the server via local socket.";
|
||||||
default = [ ];
|
default = [ ];
|
||||||
};
|
};
|
||||||
|
|
||||||
required-services = mkOption {
|
required-services = mkOption {
|
||||||
type = with types; listOf str;
|
type = listOf str;
|
||||||
description = "List of services that should run before postgresql.";
|
description = "List of services that should run before postgresql.";
|
||||||
default = [ ];
|
default = [ ];
|
||||||
example = [ "password-generator.service" ];
|
example = [ "password-generator.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
state-directory = mkOption {
|
||||||
|
type = nullOr str;
|
||||||
|
description = "Path at which to store database state data.";
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
|
||||||
|
cleanup-tasks = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
description = "List of actions to take during shutdown of the service.";
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd-target = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Name of the systemd target for postgresql";
|
||||||
|
default = "postgresql.target";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
@ -206,28 +227,28 @@ in {
|
|||||||
environment = {
|
environment = {
|
||||||
systemPackages = with pkgs; [ postgresql_11_gssapi ];
|
systemPackages = with pkgs; [ postgresql_11_gssapi ];
|
||||||
|
|
||||||
etc = {
|
# etc = {
|
||||||
"postgresql/private/privkey.pem" = {
|
# "postgresql/private/privkey.pem" = {
|
||||||
mode = "0400";
|
# mode = "0400";
|
||||||
user = "postgres";
|
# user = "postgres";
|
||||||
group = "postgres";
|
# group = "postgres";
|
||||||
source = cfg.ssl-private-key;
|
# source = cfg.ssl-private-key;
|
||||||
};
|
# };
|
||||||
|
|
||||||
"postgresql/cert.pem" = {
|
# "postgresql/cert.pem" = {
|
||||||
mode = "0444";
|
# mode = "0444";
|
||||||
user = "postgres";
|
# user = "postgres";
|
||||||
group = "postgres";
|
# group = "postgres";
|
||||||
source = cfg.ssl-certificate;
|
# source = cfg.ssl-certificate;
|
||||||
};
|
# };
|
||||||
|
|
||||||
"postgresql/private/postgres.keytab" = {
|
# "postgresql/private/postgres.keytab" = {
|
||||||
mode = "0400";
|
# mode = "0400";
|
||||||
user = "postgres";
|
# user = "postgres";
|
||||||
group = "postgres";
|
# group = "postgres";
|
||||||
source = cfg.keytab;
|
# source = cfg.keytab;
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups = {
|
users.groups = {
|
||||||
@ -249,11 +270,11 @@ in {
|
|||||||
}) opts.users)) cfg.databases)));
|
}) opts.users)) cfg.databases)));
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
krb_server_keyfile = "/etc/postgresql/private/postgres.keytab";
|
krb_server_keyfile = cfg.keytab;
|
||||||
|
|
||||||
ssl = true;
|
ssl = true;
|
||||||
ssl_cert_file = "/etc/postgresql/cert.pem";
|
ssl_cert_file = cfg.ssl-certificate;
|
||||||
ssl_key_file = "/etc/postgresql/private/privkey.pem";
|
ssl_key_file = cfg.ssl-private-key;
|
||||||
|
|
||||||
unix_socket_directories = cfg.socket-directory;
|
unix_socket_directories = cfg.socket-directory;
|
||||||
unix_socket_group = cfg.socket-group;
|
unix_socket_group = cfg.socket-group;
|
||||||
@ -272,12 +293,21 @@ in {
|
|||||||
# local networks
|
# local networks
|
||||||
${makeNetworksEntry cfg.local-networks}
|
${makeNetworksEntry cfg.local-networks}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
dataDir = mkIf (cfg.state-directory != null) cfg.state-directory;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
|
|
||||||
services = {
|
tmpfiles.rules = optional (cfg.state-directory != null) (let
|
||||||
|
user = config.systemd.services.postgresql.serviceConfig.User;
|
||||||
|
in "d ${cfg.state-directory} 0700 ${user} - - -");
|
||||||
|
|
||||||
|
targets.${strip-ext cfg.systemd-target} = {
|
||||||
|
description = "Postgresql and associated systemd services.";
|
||||||
|
};
|
||||||
|
|
||||||
|
services = {
|
||||||
postgresql-password-setter = let
|
postgresql-password-setter = let
|
||||||
passwords-script = passwords-setter-script cfg.users;
|
passwords-script = passwords-setter-script cfg.users;
|
||||||
password-wrapper-script =
|
password-wrapper-script =
|
||||||
@ -308,10 +338,16 @@ in {
|
|||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
User = config.services.postgresql.superUser;
|
User = config.services.postgresql.superUser;
|
||||||
};
|
};
|
||||||
|
partOf = [ cfg.systemd-target ];
|
||||||
script = "${password-wrapper-script}";
|
script = "${password-wrapper-script}";
|
||||||
};
|
};
|
||||||
|
|
||||||
postgresql.postStart = let
|
postgresql = {
|
||||||
|
requires = cfg.required-services;
|
||||||
|
after = cfg.required-services;
|
||||||
|
partOf = [ cfg.systemd-target ];
|
||||||
|
|
||||||
|
postStart = let
|
||||||
allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
|
allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
|
||||||
|
|
||||||
extra-settings-sql = pkgs.writeText "settings.sql" ''
|
extra-settings-sql = pkgs.writeText "settings.sql" ''
|
||||||
@ -325,6 +361,9 @@ in {
|
|||||||
} -d postgres -f ${extra-settings-sql}
|
} -d postgres -f ${extra-settings-sql}
|
||||||
${pkgs.coreutils}/bin/chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL*
|
${pkgs.coreutils}/bin/chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL*
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
postStop = concatStringsSep "\n" cfg.cleanup-tasks;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -12,6 +12,11 @@ in {
|
|||||||
description = "Hostname of this specific host (without domain).";
|
description = "Hostname of this specific host (without domain).";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
host-fqdn = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Fully-qualified name of this host.";
|
||||||
|
};
|
||||||
|
|
||||||
build-timestamp = mkOption {
|
build-timestamp = mkOption {
|
||||||
type = int;
|
type = int;
|
||||||
description = "Timestamp associated with the build. Used for e.g. DNS serials.";
|
description = "Timestamp associated with the build. Used for e.g. DNS serials.";
|
||||||
@ -98,9 +103,12 @@ in {
|
|||||||
|
|
||||||
local-profile = host.profile;
|
local-profile = host.profile;
|
||||||
|
|
||||||
|
host-fqdn = "${config.instance.hostname}.${local-domain}";
|
||||||
|
|
||||||
in {
|
in {
|
||||||
instance = {
|
instance = {
|
||||||
inherit
|
inherit
|
||||||
|
host-fqdn
|
||||||
local-domain
|
local-domain
|
||||||
local-site
|
local-site
|
||||||
local-users
|
local-users
|
||||||
|
Loading…
Reference in New Issue
Block a user