nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added cashew, did some backplane yak shaving

Browse Source
This commit is contained in:
niten 2021-11-16 16:56:43 -08:00
parent c747746eee
commit b5cdfc7293
21 changed files with 933 additions and 539 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
config/client.nix Normal file
View File

@ -0,0 +1,37 @@
{ config, lib, pkgs, ... }:
with lib;
let
make-passwd-file = hostname:
pkgs.lib.fudo.passwd.stablerandom-passwd-file
"${hostname}-fudo-client-passwd"
config.instance.build-seed;
secrets =
config.fudo.secrets.host-secrets.${config.instance.hostname};
host-password-files = mapAttrs (hostname: hostOpts:
make-password-file hostname) config.fudo.hosts;
in {
config = {
fudo = {
secrets.host-secrets = mapAttrs (hostname: hostOpts: {
backplane-client-passwd = {
source-file = host-password-files.${hostname};
target-file = "/var/fudo/client/passwd";
user = config.fudo.client.dns.user;
};
}) config.fudo.hosts;
client.dns = {
password-file =
secrets.backplane-client-passwd.target-file;
};
backplane.client-hosts = mapAttrs (hostname: hostOpts: {
password-file = host-password-files.${hostname};
}) config.fudo.hosts;
};
};
}

4
config/domains.nix
View File

@ -14,6 +14,7 @@
local-admins = [ "niten" "reaper" ]; local-admins = [ "niten" "reaper" ];
admin-email = "admin@fudo.org"; admin-email = "admin@fudo.org";
gssapi-realm = "FUDO.ORG"; gssapi-realm = "FUDO.ORG";
kerberos-master = "nutboy3";
}; };
"sea.fudo.org" = { "sea.fudo.org" = {
@ -63,7 +64,6 @@
admin-email = "viator@informis.land"; admin-email = "viator@informis.land";
gssapi-realm = "INFORMIS.LAND"; gssapi-realm = "INFORMIS.LAND";
kerberos-master = "procul"; kerberos-master = "procul";
kerberos-slaves = [ "legatus" ];
primary-nameserver = "procul"; primary-nameserver = "procul";
}; };
@ -77,7 +77,7 @@
local-users = [ "niten" "reaper" ]; local-users = [ "niten" "reaper" ];
local-groups = [ "admin" ]; local-groups = [ "admin" ];
local-admins = [ "niten" "reaper" ]; local-admins = [ "niten" "reaper" ];
admin-email = "nitenn@fudo.org"; admin-email = "niten@fudo.org";
gssapi-realm = "FUDO.ORG"; gssapi-realm = "FUDO.ORG";
# kerberos-master = "legatus"; # kerberos-master = "legatus";
primary-nameserver = "legatus"; primary-nameserver = "legatus";

5
config/hardware/cashew.nix Normal file
View File

@ -0,0 +1,5 @@
{ config, lib, pkgs, ... }:
{
}

35
config/host-config/cashew.nix Normal file
View File

@ -0,0 +1,35 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.instance.hostname;
host-ipv4 = pkgs.lib.fudo.network.host-ipv4 config hostname;
site-name = config.fudo.hosts.${hostname}.site;
site = config.fudo.sites.${site-name};
network-prefix-length =
pkgs.lib.fudo.ip.getNetworkMask site.network;
local-packages = with pkgs; [
bind
];
in {
config = {
networking = {
defaultGateway = {
address = site.gateway-v4;
interface = "extif0";
};
interfaces.extif0 = {
ipv4.addresses = [{
address = host-ipv4;
prefixLength = network-prefix-length;
}];
};
};
environment.systemPackages = local-packages;
};
}

6
config/host-config/france.nix
View File

@ -51,12 +51,6 @@ in {
options = [ "noatime" "nodiratime" "noexec" "subvol=grafana" ]; options = [ "noatime" "nodiratime" "noexec" "subvol=grafana" ];
}; };
"/srv/gitlab" = {
fsType = "btrfs";
label = "pool0";
options = [ "noatime" "nodiratime" "noexec" "subvol=grafana" ];
};
${mail-directory} = { ${mail-directory} = {
fsType = "btrfs"; fsType = "btrfs";
label = "pool0"; label = "pool0";

10
config/host-config/france/jabber.nix
View File

@ -7,16 +7,6 @@ let
cfg = config.fudo.france.jabber; cfg = config.fudo.france.jabber;
generate-auth-file = name: files: let
make-entry = name: passwd-file:
''("${name}" . "${readFile passwd-file}")'';
entries = mapAttrsToList make-entry files;
content = concatStringsSep "\n" entries;
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
host-auth-file = generate-auth-file "host" cfg.backplane.host-passwd-files;
service-auth-file = generate-auth-file "service" cfg.backplane.service-passwd-files;
ldap-password-file = ldap-password-file =
pkgs.lib.fudo.passwd.random-passwd-file "ejabberd-ldap-auth-user" 30; pkgs.lib.fudo.passwd.random-passwd-file "ejabberd-ldap-auth-user" 30;

192
config/host-config/nutboy3.nix
View File

@ -3,6 +3,7 @@
with lib; with lib;
let let
hostname = "nutboy3"; hostname = "nutboy3";
host-fqdn = config.instance.host-fqdn;
host-ipv4 = "199.87.154.175"; host-ipv4 = "199.87.154.175";
domain-name = config.fudo.hosts.${hostname}.domain; domain-name = config.fudo.hosts.${hostname}.domain;
domain = config.fudo.domains.${domain-name}; domain = config.fudo.domains.${domain-name};
@ -13,7 +14,16 @@ let
secrets = config.fudo.secrets.host-secrets.${hostname}; secrets = config.fudo.secrets.host-secrets.${hostname};
postgresql-user =
config.systemd.services.postgresql.serviceConfig.User;
files = config.fudo.secrets.files;
acme-copies = config.fudo.acme.host-domains.${hostname};
in { in {
config = {
networking = { networking = {
enableIPv6 = true; enableIPv6 = true;
@ -35,42 +45,43 @@ in {
environment.systemPackages = local-packages; environment.systemPackages = local-packages;
# networking.firewall.allowedTCPPorts = [ 80 443 ];
# informis.cl-gemini = {
# enable = true;
# hostname = "gemini.informis.land";
# server-ip = host-ipv4;
# document-root = "/srv/gemini/root";
# textfiles-archive = "${pkgs.textfiles}";
# slynk-port = 4005;
# feeds = {
# viator = {
# title = "viator's phlog";
# path = "/home/viator/gemini-public/feed/";
# url = "gemini://informis.land/user/viator/feed/";
# };
# };
# };
fudo = { fudo = {
hosts.${hostname}.external-interfaces = [ "extif0" ]; hosts.${hostname}.external-interfaces = [ "extif0" ];
secrets.host-secrets.nutboy3 = let secrets.host-secrets.nutboy3 = let
files = config.fudo.secrets.files; files = config.fudo.secrets.files;
in { in {
# heimdal-master-key = { heimdal-master-key = {
# source-file = files.realm-master-keys."FUDO.ORG"; source-file = files.realm-master-keys."FUDO.ORG";
# target-file = "/run/heimdal/master-key"; target-file = "/run/heimdal/master-key";
# user = config.fudo.auth.kdc.user; user = config.fudo.auth.kdc.user;
# }; };
# ipropd-keytab = { ldap-keytab = {
# source-file = files.service-keytabs.legatus.ipropd; source-file = files.service-keytabs.${hostname}.openldap;
# target-file = "/run/heimdal/ipropd.keytab"; target-file = "/run/openldap/ldap.keytab";
# user = config.fudo.auth.kdc.user; user = config.services.openldap.user;
# }; };
postgresql-keytab = {
source-file = files.service-keytabs.nutboy3.postgres;
target-file = "/run/postgresql/postgres.keytab";
user = postgresql-user;
};
};
acme.host-domains.${hostname}.${host-fqdn}.local-copies = {
openldap = {
user = config.services.openldap.user;
dependent-services = [ "openldap.service" ];
part-of = [ config.fudo.auth.ldap-server.systemd-target ];
};
postgresql = {
user = postgresql-user;
dependent-services = [ "postgresql.service" ];
part-of = [ config.fudo.postgresql.systemd-target ];
};
}; };
client.dns = { client.dns = {
@ -80,33 +91,41 @@ in {
external-interface = "extif0"; external-interface = "extif0";
}; };
# auth.kdc = { auth = {
# enable = true; ldap-server = let
# realm = "FUDO.ORG"; ldap-copy = acme-copies.${host-fqdn}.local-copies.openldap;
# bind-addresses = [ host-ipv4 "127.0.0.1" ]; in {
# master-key-file = enable = true;
# secrets.heimdal-master-key.target-file; base = "dc=fudo,dc=org";
# state-directory = "/state/kerberos"; organization = "Fudo";
# slave-config = { kerberos-host = host-fqdn;
# master-host = "france"; kerberos-keytab = secrets.ldap-keytab.target-file;
# ipropd-keytab = secrets.ipropd-keytab.target-file; listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///"];
# }; required-services = [ ldap-copy.service ];
# };
# secure-dns-proxy = { users = config.fudo.users;
# enable = true; groups = config.fudo.groups;
# upstream-dns = system-users = config.fudo.system-users;
# [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
# bootstrap-dns = "1.1.1.1"; state-directory = "/state/openldap";
# listen-ips = [ "127.0.0.1" ];
# listen-port = 53; ssl-chain = ldap-copy.chain;
# allowed-networks = [ "1.1.1.1/32" "1.0.0.1/32" "localhost" "link-local" ]; ssl-certificate = ldap-copy.certificate;
# }; ssl-private-key = ldap-copy.private-key;
ssl-ca-certificate = "${pkgs.letsencrypt-ca}";
};
kdc = {
master-key-file =
secrets.heimdal-master-key.target-file;
state-directory = "/state/kerberos";
};
};
# dns.state-directory = "/state/nsd"; # dns.state-directory = "/state/nsd";
# mail-server = { # mail-server = {
# enable = true; # enableContainer = true;
# debug = true; # debug = true;
# domain = domain-name; # domain = domain-name;
@ -147,31 +166,18 @@ in {
# }; # };
# }; # };
# postgresql = { postgresql = let
# enable = true; cert-copy =
# ssl-certificate = (acme-certificate host-fqdn); config.fudo.acme.host-domains.${hostname}.${host-fqdn}.local-copies.postgresql;
# ssl-private-key = (acme-private-key host-fqdn); in {
# keytab = secrets.postgres-keytab.target-file; enable = true;
# local-networks = local-networks; ssl-certificate = cert-copy.full-certificate;
ssl-private-key = cert-copy.private-key;
# users = { keytab = secrets.postgresql-keytab.target-file;
# gituser = { local-networks = config.instance.local-networks;
# password-file = state-directory = "/state/postgresql";
# secrets.gitea-database-password.target-file; required-services = [ cert-copy.service ];
# databases = { };
# git = {
# access = "CONNECT";
# entity-access = {
# "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
# "ALL SEQUENCES IN SCHEMA public" = "SELECT, UPDATE";
# };
# };
# };
# };
# };
# databases = { git = { users = [ "niten" ]; }; };
# };
# git = { # git = {
# enable = true; # enable = true;
@ -193,4 +199,36 @@ in {
# }; # };
# }; # };
}; };
containers.cashew = let
initialize-host = import ../../initialize.nix;
build-timestamp = config.instance.build-timestamp;
site = "nuttyclub-vm";
domain = config.instance.local-domain;
profile = "container";
in {
autoStart = true;
bindMounts = {
};
config = { pkgs, ... }: {
imports = [
(initialize-host {
inherit
lib
pkgs
build-timestamp
site
domain
profile;
hostname = "cashew";
})
];
instance.build-seed = build-seed;
};
};
};
} }

12
config/hosts/cashew.nix Normal file
View File

@ -0,0 +1,12 @@
{
description = "fudo.org primary dns server.";
rp = "reaper";
admin-email = "reaper@fudo.org";
domain = "fudo.org";
site = "nuttyclub-vm";
profile = "container";
enable-gui = false;
arch = "x86_64-linux";
nixos-system = true;
machine-id = "e5f456e3183a4dc186181a70bc3af2d1";
}

2
config/profile-config/server.nix
View File

@ -31,6 +31,8 @@ let
TIMEOUT=15m TIMEOUT=15m
fi fi
TMP=$(mktemp -d /tmp/fudo-test-config-XXXXXXX)
SYNCFILE=$TMP/sync-$(date +"%Y%m%d-%H%M%N") SYNCFILE=$TMP/sync-$(date +"%Y%m%d-%H%M%N")
touch $SYNCFILE touch $SYNCFILE
${pkgs.utillinux}/bin/wall "Launching config. System will restart in $TIMEOUT if $SYNCFILE still exists." ${pkgs.utillinux}/bin/wall "Launching config. System will restart in $TIMEOUT if $SYNCFILE still exists."

12
config/sites.nix
View File

@ -50,6 +50,18 @@
mail-server = "mail.fudo.org"; mail-server = "mail.fudo.org";
}; };
nuttyclub-vm = {
gateway-v4 = "FIXME";
network = "FIXME/29";
nameservers = [ "1.1.1.1" ];
timezone = "America/Winnipeg";
deploy-pubkeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGVez4of30f+j0cWKj5kYCKeFjyNsYvG9UbOMxF5hImD2lP5MSbFBv31gFgHjx3yCG4zQRZlpuyU5uWo0qIwe9N84/LcZcB9WrWKZXDmuof7zPFy0J+Hj+LVLDQI/mVXHNwkMhBMHpPrdwA05EYDAYCYklWT4cSByu10pHtST+olF8i+A+UQgUzgNZzdJVeiYZv6MBDTYsJWptGeDUkl2B0Es3gtbGYcCCfnyS3RC7DIXlDo3NBbAr7WaHY2MBbT+R/+jicn9E3IY3NCM5jENxqmvHy9MDsxEEYgFNm7IDwq4V1VRUWy277YsvRbmEaHb+osOA5u1VNN4z3UftOZcSZgR5C/vR71cENXoPt1YQpCzu7i38ojtvL+tDVEKT7sIovrQw8q1sszNlW2nXh8RSPiIq5TMnrV73MP0egKcr9n3tfxwi1BIkLjvfom/02BkTK9R9v+VMNhYU1YwROhORCiMIgoxUGiUvtH8u38JGr7E0hhMoAjCE5k80WPUivl0="
];
mail-server = "mail.fudo.org";
};
russell = { russell = {
gateway-v4 = "10.0.0.1"; gateway-v4 = "10.0.0.1";
nameservers = [ "10.0.0.1" ]; nameservers = [ "10.0.0.1" ];

5
initialize.nix
View File

@ -1,5 +1,6 @@
{ lib, pkgs, hostname, site, domain, profile, build-timestamp, ... }: { lib, pkgs, hostname, site, domain, profile, build-timestamp, ... }:
with lib;
let let
# Get info on this host so we know what to load # Get info on this host so we know what to load
config-dir = ./. + "/config"; config-dir = ./. + "/config";
@ -8,13 +9,13 @@ in {
imports = [ imports = [
./lib ./lib
./config ./config
] ++ (filter pathExists [
(config-dir + /hardware/${hostname}.nix) (config-dir + /hardware/${hostname}.nix)
(config-dir + /host-config/${hostname}.nix) (config-dir + /host-config/${hostname}.nix)
(config-dir + /profile-config/${profile}.nix) (config-dir + /profile-config/${profile}.nix)
(config-dir + /domain-config/${domain}.nix) (config-dir + /domain-config/${domain}.nix)
(config-dir + /site-config/${site}.nix) (config-dir + /site-config/${site}.nix)
]; ]);
config = { config = {
instance = { instance = {

84
lib/fudo/acme-certs.nix
View File

@ -2,6 +2,8 @@
with lib; with lib;
let let
hostname = config.instance.hostname;
domainOpts = { name, ... }: let domainOpts = { name, ... }: let
domain = name; domain = name;
in { in {
@ -23,7 +25,7 @@ let
copy = name; copy = name;
in { in {
options = with types; let options = with types; let
target-path = "/var/run/${domain}/${copy}"; target-path = "/run/ssl-certificates/${domain}/${copy}";
in { in {
user = mkOption { user = mkOption {
type = str; type = str;
@ -39,7 +41,7 @@ let
service = mkOption { service = mkOption {
type = str; type = str;
description = "systemd job to copy certs."; description = "systemd job to copy certs.";
default = "fudo-${domain}-${copy}-certs.service"; default = "fudo-acme-${domain}-${copy}-certs.service";
}; };
certificate = mkOption { certificate = mkOption {
@ -65,6 +67,18 @@ let
description = "Full path to the local copy certificate."; description = "Full path to the local copy certificate.";
default = "${target-path}/key.pem"; default = "${target-path}/key.pem";
}; };
dependent-services = mkOption {
type = listOf str;
description = "List of systemd services depending on this copy.";
default = [ ];
};
part-of = mkOption {
type = listOf str;
description = "List of systemd targets to which this copy belongs.";
default = [ ];
};
}; };
}; };
in mkOption { in mkOption {
@ -82,9 +96,9 @@ let
concatMapAttrs = f: attrs: concatMapAttrs = f: attrs:
foldr (a: b: a // b) {} (mapAttrsToList f attrs); foldr (a: b: a // b) {} (mapAttrsToList f attrs);
hostname = config.instance.hostname;
cfg = config.fudo.acme; cfg = config.fudo.acme;
localDomains = if (hasAttr hostname cfg.host-domains) then hasLocalDomains = hasAttr hostname cfg.host-domains;
localDomains = if hasLocalDomains then
cfg.host-domains.${hostname} else {}; cfg.host-domains.${hostname} else {};
optionalStringOr = str: default: optionalStringOr = str: default:
@ -105,6 +119,29 @@ in {
extraDomainNames = domainOpts.extra-domains; extraDomainNames = domainOpts.extra-domains;
}) localDomains; }) localDomains;
# Assume that if we're acquiring SSL certs, we have a real IP for the
# host. nginx must have an acme dir for security.acme to work.
services.nginx = mkIf hasLocalDomains {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts.${config.instance.host-fqdn} = {
enableACME = true;
forceSSL = true;
# Just...force override if you want this to point somewhere.
locations."/" = {
return = "403 Forbidden";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd = { systemd = {
tmpfiles.rules = let tmpfiles.rules = let
copies = concatMapAttrs (domain: domainOpts: copies = concatMapAttrs (domain: domainOpts:
@ -112,7 +149,7 @@ in {
perms = copyOpts: if (copyOpts.group != null) then "0550" else "0500"; perms = copyOpts: if (copyOpts.group != null) then "0550" else "0500";
copy-paths = mapAttrsToList (copy: copyOpts: copy-paths = mapAttrsToList (copy: copyOpts:
let let
dir-entry = copyOpts: file: "D \"${dirOf file}\" ${perms copyOpts} ${copyOpts.user} ${optionalStringOr copyOpts.group "-"} - -"; dir-entry = copyOpts: file: "d \"${dirOf file}\" ${perms copyOpts} ${copyOpts.user} ${optionalStringOr copyOpts.group "-"} - -";
in map (dir-entry copyOpts) [ in map (dir-entry copyOpts) [
copyOpts.certificate copyOpts.certificate
copyOpts.full-certificate copyOpts.full-certificate
@ -122,40 +159,47 @@ in {
in unique (concatMap (i: unique i) copy-paths); in unique (concatMap (i: unique i) copy-paths);
services = concatMapAttrs (domain: domainOpts: services = concatMapAttrs (domain: domainOpts:
mapAttrs' (copy: copyOpts: let concatMapAttrs (copy: copyOpts: let
key-perms = copyOpts: if (copyOpts.group != null) then "0440" else "0400"; key-perms = copyOpts: if (copyOpts.group != null) then "0440" else "0400";
source = config.security.acme.certs.${domain}.directory; source = config.security.acme.certs.${domain}.directory;
target = copyOpts.path; target = copyOpts.path;
owners =
if (copyOpts.group != null) then
"${copyOpts.user}:${copyOpts.group}"
else copyOpts.user;
install-certs = pkgs.writeShellScript "fudo-install-${domain}-${copy}-certs.sh" '' install-certs = pkgs.writeShellScript "fudo-install-${domain}-${copy}-certs.sh" ''
cp cert.pem ${copyOpts.certificate} cp ${source}/cert.pem ${copyOpts.certificate}
chmod 0444 ${copyOpts.certificate} chmod 0444 ${copyOpts.certificate}
chown ${owners} ${copyOpts.certificate}
cp full.pem ${copyOpts.full-certificate} cp ${source}/full.pem ${copyOpts.full-certificate}
chmod 0444 ${copyOpts.full-certificate} chmod 0444 ${copyOpts.full-certificate}
chown ${owners} ${copyOpts.full-certificate}
cp chain.pem ${copyOpts.chain} cp ${source}/chain.pem ${copyOpts.chain}
chmod 0444 ${copyOpts.chain} chmod 0444 ${copyOpts.chain}
chown ${owners} ${copyOpts.chain}
cp key.pem ${copyOpts.private-key} cp ${source}/key.pem ${copyOpts.private-key}
chmod ${key-perms copyOpts} ${copyOpts.private-key} chmod ${key-perms copyOpts} ${copyOpts.private-key}
chown ${owners} ${copyOpts.private-key}
''; '';
remove-certs = pkgs.writeShellScript "fudo-remove-${domain}-${copy}-certs.sh" ''
rm -f ${copyOpts.private-key} service-name = rm-service-ext copyOpts.service;
rm -f ${copyOpts.chain} in {
rm -f ${copyOpts.full-certificate} ${service-name} = {
rm -f ${copyOpts.certificate}
'';
in nameValuePair
(rm-service-ext copyOpts.service) {
description = "Copy ${domain} ACME certs for ${copy}."; description = "Copy ${domain} ACME certs for ${copy}.";
after = [ "acme-${domain}.service" ]; after = [ "acme-${domain}.service" ];
before = copyOpts.dependent-services;
wantedBy = [ "multi-user.target" ] ++ copyOpts.dependent-services;
partOf = copyOpts.part-of;
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "simple";
ExecStart = install-certs; ExecStart = install-certs;
ExecStop = remove-certs;
RemainAfterExit = true; RemainAfterExit = true;
StandardOutput = "journal"; StandardOutput = "journal";
}; };
};
}) domainOpts.local-copies) localDomains; }) domainOpts.local-copies) localDomains;
}; };
}; };

154
lib/fudo/backplane/common.nix Normal file
View File

@ -0,0 +1,154 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fudo.backplane.dns;
powerdns-conf-dir = "${cfg.powerdns.home}/conf.d";
clientHostOpts = { name, ... }: {
options = with types; {
password-file = mkOption {
type = path;
description =
"Location (on the build host) of the file containing the host password.";
};
};
};
serviceOpts = { name, ... }: {
options = with types; {
password-file = mkOption {
type = path;
description =
"Location (on the build host) of the file containing the service password.";
};
};
};
databaseOpts = { ... }: {
options = with types; {
host = mkOption {
type = str;
description = "Hostname or IP of the PostgreSQL server.";
};
database = mkOption {
type = str;
description = "Database to use for DNS backplane.";
default = "backplane_dns";
};
username = mkOption {
type = str;
description = "Database user for DNS backplane.";
default = "backplane_dns";
};
password-file = mkOption {
type = str;
description = "File containing password for database user.";
};
};
};
in {
options.fudo.backplane = with types; {
client-hosts = mkOption {
type = attrsOf (submodule clientHostOpts);
description = "List of backplane client options.";
default = {};
};
services = mkOption {
type = attrsOf (submodule serviceOpts);
description = "List of backplane service options.";
default = {};
};
backplane-host = mkOption {
type = types.str;
description = "Hostname of the backplane XMPP server.";
};
dns = {
enable = mkEnableOption "Enable backplane dynamic DNS server.";
port = mkOption {
type = port;
description = "Port on which to serve authoritative DNS requests.";
default = 53;
};
listen-v4-addresses = mkOption {
type = listOf str;
description = "IPv4 addresses on which to listen for dns requests.";
default = [ "0.0.0.0" ];
};
listen-v6-addresses = mkOption {
type = listOf str;
description = "IPv6 addresses on which to listen for dns requests.";
example = [ "[abcd::1]" ];
default = [ ];
};
required-services = mkOption {
type = listOf str;
description =
"A list of services required before the DNS server can start.";
default = [ ];
};
user = mkOption {
type = str;
description = "User as which to run DNS backplane listener service.";
default = "backplane-dns";
};
group = mkOption {
type = str;
description = "Group as which to run DNS backplane listener service.";
default = "backplane-dns";
};
database = mkOption {
type = submodule databaseOpts;
description = "Database settings for the DNS server.";
};
powerdns = {
home = mkOption {
type = str;
description = "Directory at which to store powerdns configuration and state.";
default = "/run/backplane-dns/powerdns";
};
user = mkOption {
type = str;
description = "Username as which to run PowerDNS.";
default = "backplane-powerdns";
};
database = mkOption {
type = submodule databaseOpts;
description = "Database settings for the DNS server.";
};
};
backplane-role = {
role = mkOption {
type = types.str;
description = "Backplane XMPP role name for the DNS server.";
default = "service-dns";
};
password-file = mkOption {
type = types.str;
description = "File containing XMPP password for backplane role.";
};
};
};
};
}

2
lib/fudo/backplane/default.nix
View File

@ -3,6 +3,8 @@
with lib; with lib;
{ {
imports = [ imports = [
./common.nix
./dns.nix ./dns.nix
./jabber.nix
]; ];
} }

175
lib/fudo/backplane/dns.nix
View File

@ -2,134 +2,13 @@
with lib; with lib;
let let
cfg = config.fudo.backplane.dns; backplane-cfg = config.fudo.backplane;
cfg = backplane-cfg.dns;
powerdns-conf-dir = "${cfg.powerdns.home}/conf.d"; powerdns-conf-dir = "${cfg.powerdns.home}/conf.d";
backplaneOpts = { ... }: {
options = {
host = mkOption {
type = types.str;
description = "Hostname of the backplane jabber server.";
};
role = mkOption {
type = types.str;
description = "Backplane XMPP role name for the DNS server.";
default = "service-dns";
};
password-file = mkOption {
type = types.str;
description = "File containing XMPP password for backplane role.";
};
database = mkOption {
type = with types; submodule databaseOpts;
description = "Database settings for backplane server.";
};
cl-wrapper-package = mkOption {
type = types.package;
description = "Common Lisp wrapper package to use.";
default = pkgs.lispPackages.clwrapper;
};
};
};
databaseOpts = { ... }: {
options = {
host = mkOption {
type = types.str;
description = "Hostname or IP of the PostgreSQL server.";
};
database = mkOption {
type = types.str;
description = "Database to use for DNS backplane.";
default = "backplane_dns";
};
username = mkOption {
type = types.str;
description = "Database user for DNS backplane.";
default = "backplane_dns";
};
password-file = mkOption {
type = types.str;
description = "File containing password for database user.";
};
};
};
in { in {
options.fudo.backplane.dns = with types; {
enable = mkEnableOption "Enable backplane dynamic DNS server.";
port = mkOption {
type = port;
description = "Port on which to serve authoritative DNS requests.";
default = 53;
};
listen-v4-addresses = mkOption {
type = listOf str;
description = "IPv4 addresses on which to listen for dns requests.";
default = [ "0.0.0.0" ];
};
listen-v6-addresses = mkOption {
type = listOf str;
description = "IPv6 addresses on which to listen for dns requests.";
example = [ "[abcd::1]" ];
default = [ ];
};
required-services = mkOption {
type = listOf str;
description =
"A list of services required before the DNS server can start.";
default = [ ];
};
user = mkOption {
type = str;
description = "User as which to run DNS backplane listener service.";
default = "backplane-dns";
};
group = mkOption {
type = str;
description = "Group as which to run DNS backplane listener service.";
default = "backplane-dns";
};
database = mkOption {
type = submodule databaseOpts;
description = "Database settings for the DNS server.";
};
backplane = mkOption {
type = submodule backplaneOpts;
description = "Backplane Jabber settings for the DNS server.";
};
powerdns = {
home = mkOption {
type = str;
description = "Directory at which to store powerdns configuration and state.";
default = "/run/backplane-dns/powerdns";
};
user = mkOption {
type = str;
description = "Username as which to run PowerDNS.";
default = "backplane-powerdns";
};
};
};
config = mkIf cfg.enable { config = mkIf cfg.enable {
users = { users = {
users = { users = {
@ -147,12 +26,13 @@ in {
}; };
groups = { groups = {
"${cfg.group}" = { members = [ cfg.user ]; }; ${cfg.group} = { members = [ cfg.user ]; };
${cfg.powerdns.user} = { members = [ cfg.powerdns.user ]; }; ${cfg.powerdns.user} = { members = [ cfg.powerdns.user ]; };
}; };
}; };
fudo.system.services = { fudo = {
system.services = {
backplane-powerdns-config-generator = { backplane-powerdns-config-generator = {
description = description =
"Generate postgres configuration for backplane DNS server."; "Generate postgres configuration for backplane DNS server.";
@ -163,18 +43,12 @@ in {
readWritePaths = [ powerdns-conf-dir ]; readWritePaths = [ powerdns-conf-dir ];
preStart = ''
mkdir -p ${powerdns-conf-dir}
chown ${cfg.powerdns.user}:${cfg.powerdns.user} ${powerdns-conf-dir}
'';
# This builds the config in a bash script, to avoid storing the password # This builds the config in a bash script, to avoid storing the password
# in the nix store at any point # in the nix store at any point
script = '' script = let
if [ ! -d ${powerdns-conf-dir} ]; then user = cfg.powerdns.user;
mkdir ${powerdns-conf-dir} db = cfg.powerdns.database;
fi in ''
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d -t pdns-XXXXXXXXXX) TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d -t pdns-XXXXXXXXXX)
TMPCONF=$TMPDIR/pdns.local.gpgsql.conf TMPCONF=$TMPDIR/pdns.local.gpgsql.conf
@ -184,13 +58,13 @@ in {
fi fi
touch $TMPCONF touch $TMPCONF
chown ${cfg.powerdns.user}:${cfg.powerdns.user} $TMPCONF
chmod go-rwx $TMPCONF chmod go-rwx $TMPCONF
PASSWORD=$(cat ${cfg.database.password-file}) chown ${user} $TMPCONF
PASSWORD=$(cat ${db.password-file})
echo "launch+=gpgsql" >> $TMPCONF echo "launch+=gpgsql" >> $TMPCONF
echo "gpgsql-host=${cfg.database.host}" >> $TMPCONF echo "gpgsql-host=${db.host}" >> $TMPCONF
echo "gpgsql-dbname=${cfg.database.database}" >> $TMPCONF echo "gpgsql-dbname=${db.database}" >> $TMPCONF
echo "gpgsql-user=${cfg.database.username}" >> $TMPCONF echo "gpgsql-user=${db.username}" >> $TMPCONF
echo "gpgsql-password=$PASSWORD" >> $TMPCONF echo "gpgsql-password=$PASSWORD" >> $TMPCONF
echo "gpgsql-dnssec=yes" >> $TMPCONF echo "gpgsql-dnssec=yes" >> $TMPCONF
@ -212,23 +86,28 @@ in {
partOf = [ "backplane-dns.target" ]; partOf = [ "backplane-dns.target" ];
requires = cfg.required-services ++ [ "postgresql.service" ]; requires = cfg.required-services ++ [ "postgresql.service" ];
environment = { environment = {
FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = cfg.backplane.host; FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = backplane-cfg.backplane-host;
FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane.role; FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane-role.role;
FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = cfg.backplane.password-file; FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = cfg.backplane-role.password-file;
FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.backplane.database.host; FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.database.host;
FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.backplane.database.database; FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.database.database;
FUDO_DNS_BACKPLANE_DATABASE_USERNAME = FUDO_DNS_BACKPLANE_DATABASE_USERNAME =
cfg.backplane.database.username; cfg.database.username;
FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE = FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE =
cfg.backplane.database.password-file; cfg.database.password-file;
CL_SOURCE_REGISTRY = CL_SOURCE_REGISTRY =
pkgs.lib.fudo.lisp.lisp-source-registry pkgs.backplane-dns-server; pkgs.lib.fudo.lisp.lisp-source-registry pkgs.backplane-dns-server;
}; };
}; };
}; };
};
systemd = { systemd = {
tmpfiles.rules = [
"d ${powerdns-conf-dir} 0700 ${cfg.powerdns.user} - - -"
];
targets = { targets = {
backplane-dns = { backplane-dns = {
description = "Fudo DNS backplane services."; description = "Fudo DNS backplane services.";

89
lib/fudo/backplane/jabber.nix Normal file
View File

@ -0,0 +1,89 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fudo.backplane;
backplane-server = cfg.backplane-host;
generate-auth-file = name: files: let
make-entry = name: passwd-file:
''("${name}" . "${readFile passwd-file}")'';
entries = mapAttrsToList make-entry files;
content = concatStringsSep "\n" entries;
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
host-auth-file = generate-auth-file "host"
(mapAttrs (hostname: hostOpts: hostOpts.password-file)
cfg.client-hosts);
service-auth-file = generate-auth-file "service"
(mapAttrs (service: serviceOpts: serviceOpts.password-file)
cfg.services);
in {
config = mkIf config.fudo.jabber.enable {
fudo = {
secrets.host-secrets.${hostname} = {
backplane-host-auth = {
source-file = host-auth-file;
target-file = "/var/backplane/host-passwords.scm";
user = config.fudo.jabber.user;
};
backplane-service-auth = {
source-file = service-auth-file;
target-file = "/var/backplane/service-passwords.scm";
user = config.fudo.jabber.user;
};
};
jabber = {
environment = {
FUDO_HOST_PASSWD_FILE =
secrets.backplane-host-auth.target-file;
FUDO_SERVICE_PASSWD_FILE =
secrets.backplane-service-auth.target-file;
};
sites.${backplane-server} = {
site-config = {
auth_method = "external";
extauth_program =
"${pkgs.guile}/bin/guile -s ${pkgs.backplane-auth}/backplane-auth.scm";
extauth_pool_size = 3;
auth_use_cache = true;
modules = {
mod_adhoc = {};
mod_caps = {};
mod_carboncopy = {};
mod_client_state = {};
mod_configure = {};
mod_disco = {};
mod_fail2ban = {};
mod_last = {};
mod_offline = {
access_max_user_messages = 5000;
};
mod_ping = {};
mod_pubsub = {
access_createnode = "pubsub_createnode";
ignore_pep_from_offline = true;
last_item_cache = false;
plugins = [
"flat"
"pep"
];
};
mod_roster = {};
mod_stream_mgmt = {};
mod_time = {};
mod_version = {};
};
};
};
};
};
};
}

30
lib/fudo/kdc.nix
View File

@ -6,6 +6,16 @@ let
hostname = config.instance.hostname; hostname = config.instance.hostname;
localhost-ips = let
addr-only = addrinfo: addrinfo.address;
interface = config.networking.interfaces.lo;
in
(map addr-only interface.ipv4.addresses) ++
(map addr-only interface.ipv6.addresses);
host-ips =
(pkgs.lib.fudo.network.host-ips hostname) ++ localhost-ips;
state-directory = toplevel.config.fudo.auth.kdc.state-directory; state-directory = toplevel.config.fudo.auth.kdc.state-directory;
database-file = "${state-directory}/principals.db"; database-file = "${state-directory}/principals.db";
@ -249,7 +259,7 @@ in {
bind-addresses = mkOption { bind-addresses = mkOption {
type = listOf str; type = listOf str;
description = "A list of IP addresses on which to bind."; description = "A list of IP addresses on which to bind.";
default = [ ]; default = host-ips;
}; };
user = mkOption { user = mkOption {
@ -392,22 +402,6 @@ in {
environment = { KRB5_CONFIG = "/etc/krb5.conf"; }; environment = { KRB5_CONFIG = "/etc/krb5.conf"; };
}; };
heimdal-kadmin = {
wantedBy = [ "multi-user.target" ];
requires = [ "heimdal-kdc.service" ];
description =
"Heimdal Kerberos Remote Administration Server.";
# Doesn't have any way to specify IPs to listen on...sigh
execStart = "${pkgs.heimdalFull}/libexec/heimdal/kadmin -c ${kdc-conf} -k ${cfg.master-key-file} -r ${cfg.realm} --ports=749";
user = cfg.user;
group = cfg.group;
workingDirectory = state-directory;
privateNetwork = false;
addressFamilies = [ "AF_INET" "AF_INET6" ];
requiredCapabilities = [ "CAP_NET_BIND_SERVICE" ];
environment = { KRB5_CONFIG = "/etc/krb5.conf"; };
};
heimdal-kdc-init = let heimdal-kdc-init = let
init-cmd = initialize-db { init-cmd = initialize-db {
realm = cfg.realm; realm = cfg.realm;
@ -477,7 +471,7 @@ in {
}; };
heimdal-ipropd-slave = { heimdal-ipropd-slave = {
#wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
description = "Receive changes propagated from the KDC master server."; description = "Receive changes propagated from the KDC master server.";
path = with pkgs; [ heimdalFull ]; path = with pkgs; [ heimdalFull ];
execStart = concatStringsSep " " [ execStart = concatStringsSep " " [

125
lib/fudo/ldap.nix
View File

@ -7,17 +7,23 @@ let
user-type = import ../types/user.nix { inherit lib; }; user-type = import ../types/user.nix { inherit lib; };
stringJoin = joiner: attrList: stringJoin = concatStringsSep;
if (length attrList) == 0 then
""
else
foldr (lAttr: rAttr: "${lAttr}${joiner}${rAttr}") (last attrList)
(init attrList);
getUserGidNumber = user: group-map: group-map.${user.primary-group}.gid; getUserGidNumber = user: group-map: group-map.${user.primary-group}.gid;
attrOr = attrs: attr: value: if attrs ? ${attr} then attrs.${attr} else value; attrOr = attrs: attr: value: if attrs ? ${attr} then attrs.${attr} else value;
ca-path = "${cfg.state-directory}/ca.pem";
build-ca-script = target: ca-cert: site-chain: let
user = config.services.openldap.user;
group = config.services.openldap.group;
in pkgs.writeShellScript "build-openldap-ca-script.sh" ''
cat ${site-chain} ${ca-cert} > ${target}
chmod 440 ${target}
chown ${user}:${group} ${target}
'';
mkHomeDir = username: user-opts: mkHomeDir = username: user-opts:
if (user-opts.primary-group == "admin") then if (user-opts.primary-group == "admin") then
"/home/${username}" "/home/${username}"
@ -103,6 +109,13 @@ in {
''; '';
}; };
ssl-chain = mkOption {
type = str;
description = ''
The path to the SSL chain to to the certificate for the server.
'';
};
ssl-private-key = mkOption { ssl-private-key = mkOption {
type = str; type = str;
description = '' description = ''
@ -111,8 +124,7 @@ in {
}; };
ssl-ca-certificate = mkOption { ssl-ca-certificate = mkOption {
type = with types; nullOr str; type = nullOr str;
description = '' description = ''
The path to the SSL CA cert used to sign the certificate. The path to the SSL CA cert used to sign the certificate.
''; '';
@ -189,9 +201,21 @@ in {
description = "System users to be added to the Fudo LDAP database."; description = "System users to be added to the Fudo LDAP database.";
}; };
database-directory = mkOption { state-directory = mkOption {
type = str; type = str;
description = "Path at which to store the database."; description = "Path at which to store openldap database & state.";
};
systemd-target = mkOption {
type = str;
description = "Systemd target for running ldap server.";
default = "fudo-ldap-server.target";
};
required-services = mkOption {
type = listOf str;
description = "Systemd services on which the server depends.";
default = [ ];
}; };
}; };
}; };
@ -214,9 +238,28 @@ in {
}; };
}; };
systemd.services.openldap = { networking.firewall = {
environment = { KRB5_KTNAME = cfg.kerberos-keytab; }; allowedTCPPorts = [ 389 636 ];
# FIXME: THIS IS ALL UNPROVEN allowedUDPPorts = [ 389 ];
};
systemd = {
tmpfiles.rules = let
ca-dir = dirOf ca-path;
user = config.services.openldap.user;
group = config.services.openldap.group;
in [
"d ${ca-dir} 0700 ${user} ${group} - -"
];
services.openldap = {
partOf = [ cfg.systemd-target ];
requires = cfg.required-services;
environment.KRB5_KTNAME = cfg.kerberos-keytab;
preStart = mkBefore
"${build-ca-script ca-path
cfg.ssl-chain
cfg.ssl-ca-certificate}";
serviceConfig = { serviceConfig = {
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
@ -230,20 +273,32 @@ in {
ProtectClock = true; ProtectClock = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
KeyringMode = "private"; KeyringMode = "private";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; # RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
Restart = "on-failure"; Restart = "on-failure";
LockPersonality = true; LockPersonality = true;
RestrictRealtime = true; RestrictRealtime = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
SystemCallFilter = SystemCallFilter = concatStringsSep " " [
"~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete"; "~@clock"
"@debug"
"@module"
"@mount"
"@raw-io"
"@reboot"
"@swap"
# "@privileged"
"@resources"
"@cpu-emulation"
"@obsolete"
];
UMask = "7007"; UMask = "7007";
InaccessiblePaths = [ "/home" "/root" ]; InaccessiblePaths = [ "/home" "/root" ];
LimitNOFILE = 49152; LimitNOFILE = 49152;
PermissionsStartOnly = true; PermissionsStartOnly = true;
}; };
}; };
};
services.openldap = { services.openldap = {
enable = true; enable = true;
@ -254,7 +309,7 @@ in {
makeAccessLine = target: perm-map: let makeAccessLine = target: perm-map: let
perm-entries = mapAttrsToList makePermEntry perm-map; perm-entries = mapAttrsToList makePermEntry perm-map;
in "to ${target} ${concatStringsSep " " perm-entries} done"; in "to ${target} ${concatStringsSep " " perm-entries}";
makeAccess = access-map: let makeAccess = access-map: let
access-lines = mapAttrsToList makeAccessLine; access-lines = mapAttrsToList makeAccessLine;
@ -268,7 +323,7 @@ in {
olcPidFile = "/run/slapd/slapd.pid"; olcPidFile = "/run/slapd/slapd.pid";
olcTLSCertificateFile = cfg.ssl-certificate; olcTLSCertificateFile = cfg.ssl-certificate;
olcTLSCertificateKeyFile = cfg.ssl-private-key; olcTLSCertificateKeyFile = cfg.ssl-private-key;
olcTLSCACertificateFile = cfg.ssl-ca-certificate; olcTLSCACertificateFile = ca-path;
olcSaslSecProps = "noplain,noanonymous"; olcSaslSecProps = "noplain,noanonymous";
olcAuthzRegexp = let olcAuthzRegexp = let
authz-regex-entry = i: { regex, target }: authz-regex-entry = i: { regex, target }:
@ -297,70 +352,74 @@ in {
]; ];
}; };
children = { children = {
"olcDatabase{-1}frontend" = { "cn=schema" = {
includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
};
"olcDatabase={-1}frontend" = {
attrs = { attrs = {
objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ]; objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
olcDatabase = "{-1}frontend"; olcDatabase = "{-1}frontend";
olcAccess = makeAccess { olcAccess = makeAccess {
"*" = { "*" = {
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage"; "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
"dn.exact=cn=admin,${cfg.base}" = "manage";
"*" = "none"; "*" = "none";
}; };
}; };
}; };
}; };
"olcDatabase{0}config" = { "olcDatabase={0}config" = {
attrs = { attrs = {
objectClass = [ "olcDatabaseConfig" ]; objectClass = [ "olcDatabaseConfig" ];
olcDatabase = "{0}config"; olcDatabase = "{0}config";
olcAccess = [ "by * none" ]; olcAccess = makeAccess {
"*" = {
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
"*" = "none";
}; };
}; };
"olcDatabase{1}mdb" = { };
};
"olcDatabase={1}mdb" = {
attrs = { attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb"; olcDatabase = "{1}mdb";
olcSuffix = cfg.base; olcSuffix = cfg.base;
# olcRootDN = "cn=admin,${cfg.base}"; # olcRootDN = "cn=admin,${cfg.base}";
# olcRootPW = FIXME; # NOTE: this should be hashed... # olcRootPW = FIXME; # NOTE: this should be hashed...
olcDbDirectory = cfg.database-directory; olcDbDirectory = "${cfg.state-directory}/database";
olcDbIndex = [ "objectClass eq" "uid eq" ]; olcDbIndex = [ "objectClass eq" "uid eq" ];
olcAccess = makeAccess { olcAccess = makeAccess {
"attrs=userPassword,shadowLastChange" = { "attrs=userPassword,shadowLastChange" = {
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage"; "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
"group/groupOfNames/member.exact=cn=admin,ou=groups,${cfg.base}" = "write";
"dn.exact=cn=auth_reader,${cfg.base}" = "read"; "dn.exact=cn=auth_reader,${cfg.base}" = "read";
"dn.exact=cn=replicator,${cfg.base}" = "read"; "dn.exact=cn=replicator,${cfg.base}" = "read";
"self" = "write"; "self" = "write";
"*" = "auth"; "*" = "auth";
}; };
"dn.base=cn=admin,ou=groups,${cfg.base}" = { "dn=cn=admin,ou=groups,${cfg.base}" = {
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage"; "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
"dn.exact=cn=admin,ou=groups,${cfg.base}" = "write";
"users" = "read"; "users" = "read";
"*" = "none"; "*" = "none";
}; };
"dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = { "dn.subtree=ou=groups,${cfg.base} attrs=memberUid" = {
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage"; "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
"dn.exact=cn=admin,ou=groups,${cfg.base}" = "write";
"dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write"; "dn.regex=cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" = "write";
"group/groupOfNames/member.exact=cn=admin,ou=groups,${cfg.base}" = "write";
"users" = "read"; "users" = "read";
"*" = "none"; "*" = "none";
}; };
"dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = { "dn.subtree=ou=members,${cfg.base} attrs=cn,sn,homeDirectory,loginShell,gecos,description,homeDirectory,uidNumber,gidNumber" = {
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage"; "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
"dn.exact=cn=admin,ou=groups,${cfg.base}" = "write";
"group/groupOfNames/member.exact=cn=admin,ou=groups,${cfg.base}" = "write";
"dn.exact=cn=user_db_reader,${cfg.base}" = "read"; "dn.exact=cn=user_db_reader,${cfg.base}" = "read";
"users" = "read"; "users" = "read";
"*" = "none"; "*" = "none";
}; };
"*" = { "*" = {
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage"; "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" = "manage";
"dn.exact=cn=admin,ou=groups,${cfg.base}" = "write";
"group/groupOfNames/member.exact=cn=admin,ou=groups,${cfg.base}" = "read";
"users" = "read"; "users" = "read";
"*" = "none"; "*" = "none";
}; };

111
lib/fudo/postgres.nix
View File

@ -11,6 +11,9 @@ let
join-lines = lib.concatStringsSep "\n"; join-lines = lib.concatStringsSep "\n";
strip-ext = filename:
head (builtins.match "^(.+)[.][^.]+$" filename);
userDatabaseOpts = { database, ... }: { userDatabaseOpts = { database, ... }: {
options = { options = {
access = mkOption { access = mkOption {
@ -127,33 +130,33 @@ let
in { in {
options.fudo.postgresql = { options.fudo.postgresql = with types; {
enable = mkEnableOption "Fudo PostgreSQL Server"; enable = mkEnableOption "Fudo PostgreSQL Server";
ssl-private-key = mkOption { ssl-private-key = mkOption {
type = types.str; type = str;
description = "Location of the server SSL private key."; description = "Location of the server SSL private key.";
}; };
ssl-certificate = mkOption { ssl-certificate = mkOption {
type = types.str; type = str;
description = "Location of the server SSL certificate."; description = "Location of the server SSL certificate.";
}; };
keytab = mkOption { keytab = mkOption {
type = types.str; type = str;
description = "Location of the server Kerberos keytab."; description = "Location of the server Kerberos keytab.";
}; };
local-networks = mkOption { local-networks = mkOption {
type = with types; listOf str; type = listOf str;
description = "A list of networks from which to accept connections."; description = "A list of networks from which to accept connections.";
example = [ "10.0.0.1/16" ]; example = [ "10.0.0.1/16" ];
default = [ ]; default = [ ];
}; };
users = mkOption { users = mkOption {
type = with types; attrsOf (submodule userOpts); type = attrsOf (submodule userOpts);
description = "A map of users to user attributes."; description = "A map of users to user attributes.";
example = { example = {
sampleUser = { sampleUser = {
@ -170,35 +173,53 @@ in {
}; };
databases = mkOption { databases = mkOption {
type = with types; attrsOf (submodule databaseOpts); type = attrsOf (submodule databaseOpts);
description = "A map of databases to database options."; description = "A map of databases to database options.";
default = { }; default = { };
}; };
socket-directory = mkOption { socket-directory = mkOption {
type = types.str; type = str;
description = "Directory in which to place unix sockets."; description = "Directory in which to place unix sockets.";
default = "/run/postgresql"; default = "/run/postgresql";
}; };
socket-group = mkOption { socket-group = mkOption {
type = types.str; type = str;
description = "Group for accessing sockets."; description = "Group for accessing sockets.";
default = "postgres_local"; default = "postgres_local";
}; };
local-users = mkOption { local-users = mkOption {
type = with types; listOf str; type = listOf str;
description = "Users able to access the server via local socket."; description = "Users able to access the server via local socket.";
default = [ ]; default = [ ];
}; };
required-services = mkOption { required-services = mkOption {
type = with types; listOf str; type = listOf str;
description = "List of services that should run before postgresql."; description = "List of services that should run before postgresql.";
default = [ ]; default = [ ];
example = [ "password-generator.service" ]; example = [ "password-generator.service" ];
}; };
state-directory = mkOption {
type = nullOr str;
description = "Path at which to store database state data.";
default = null;
};
cleanup-tasks = mkOption {
type = listOf str;
description = "List of actions to take during shutdown of the service.";
default = [];
};
systemd-target = mkOption {
type = str;
description = "Name of the systemd target for postgresql";
default = "postgresql.target";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -206,28 +227,28 @@ in {
environment = { environment = {
systemPackages = with pkgs; [ postgresql_11_gssapi ]; systemPackages = with pkgs; [ postgresql_11_gssapi ];
etc = { # etc = {
"postgresql/private/privkey.pem" = { # "postgresql/private/privkey.pem" = {
mode = "0400"; # mode = "0400";
user = "postgres"; # user = "postgres";
group = "postgres"; # group = "postgres";
source = cfg.ssl-private-key; # source = cfg.ssl-private-key;
}; # };
"postgresql/cert.pem" = { # "postgresql/cert.pem" = {
mode = "0444"; # mode = "0444";
user = "postgres"; # user = "postgres";
group = "postgres"; # group = "postgres";
source = cfg.ssl-certificate; # source = cfg.ssl-certificate;
}; # };
"postgresql/private/postgres.keytab" = { # "postgresql/private/postgres.keytab" = {
mode = "0400"; # mode = "0400";
user = "postgres"; # user = "postgres";
group = "postgres"; # group = "postgres";
source = cfg.keytab; # source = cfg.keytab;
}; # };
}; # };
}; };
users.groups = { users.groups = {
@ -249,11 +270,11 @@ in {
}) opts.users)) cfg.databases))); }) opts.users)) cfg.databases)));
settings = { settings = {
krb_server_keyfile = "/etc/postgresql/private/postgres.keytab"; krb_server_keyfile = cfg.keytab;
ssl = true; ssl = true;
ssl_cert_file = "/etc/postgresql/cert.pem"; ssl_cert_file = cfg.ssl-certificate;
ssl_key_file = "/etc/postgresql/private/privkey.pem"; ssl_key_file = cfg.ssl-private-key;
unix_socket_directories = cfg.socket-directory; unix_socket_directories = cfg.socket-directory;
unix_socket_group = cfg.socket-group; unix_socket_group = cfg.socket-group;
@ -272,12 +293,21 @@ in {
# local networks # local networks
${makeNetworksEntry cfg.local-networks} ${makeNetworksEntry cfg.local-networks}
''; '';
dataDir = mkIf (cfg.state-directory != null) cfg.state-directory;
}; };
systemd = { systemd = {
services = { tmpfiles.rules = optional (cfg.state-directory != null) (let
user = config.systemd.services.postgresql.serviceConfig.User;
in "d ${cfg.state-directory} 0700 ${user} - - -");
targets.${strip-ext cfg.systemd-target} = {
description = "Postgresql and associated systemd services.";
};
services = {
postgresql-password-setter = let postgresql-password-setter = let
passwords-script = passwords-setter-script cfg.users; passwords-script = passwords-setter-script cfg.users;
password-wrapper-script = password-wrapper-script =
@ -308,10 +338,16 @@ in {
Type = "oneshot"; Type = "oneshot";
User = config.services.postgresql.superUser; User = config.services.postgresql.superUser;
}; };
partOf = [ cfg.systemd-target ];
script = "${password-wrapper-script}"; script = "${password-wrapper-script}";
}; };
postgresql.postStart = let postgresql = {
requires = cfg.required-services;
after = cfg.required-services;
partOf = [ cfg.systemd-target ];
postStart = let
allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;"; allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
extra-settings-sql = pkgs.writeText "settings.sql" '' extra-settings-sql = pkgs.writeText "settings.sql" ''
@ -325,6 +361,9 @@ in {
} -d postgres -f ${extra-settings-sql} } -d postgres -f ${extra-settings-sql}
${pkgs.coreutils}/bin/chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL* ${pkgs.coreutils}/bin/chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL*
''; '';
postStop = concatStringsSep "\n" cfg.cleanup-tasks;
};
}; };
}; };
}; };

8
lib/instance.nix
View File

@ -12,6 +12,11 @@ in {
description = "Hostname of this specific host (without domain)."; description = "Hostname of this specific host (without domain).";
}; };
host-fqdn = mkOption {
type = str;
description = "Fully-qualified name of this host.";
};
build-timestamp = mkOption { build-timestamp = mkOption {
type = int; type = int;
description = "Timestamp associated with the build. Used for e.g. DNS serials."; description = "Timestamp associated with the build. Used for e.g. DNS serials.";
@ -98,9 +103,12 @@ in {
local-profile = host.profile; local-profile = host.profile;
host-fqdn = "${config.instance.hostname}.${local-domain}";
in { in {
instance = { instance = {
inherit inherit
host-fqdn
local-domain local-domain
local-site local-site
local-users local-users