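{ config, lib, pkgs, ... }:

# Wires the "backplane" DNS service across the hosts of a fudo domain.  The
# same module is imported on every host; the bindings below work out which
# roles (database server, XMPP/jabber server, DNS backplane, nameserver) the
# current host plays, and `mkIf` gates each role-specific piece of config.
let
  inherit (lib) elem head mapAttrs mkIf optional;

  hostname = config.instance.hostname;
  domain-name = config.fudo.hosts."${hostname}".domain;
  domain = config.fudo.domains."${domain-name}";
  zone-name = domain.zone;

  # Role detection for the host this module is evaluated on.
  postgresql-server = domain.postgresql-server;
  isDatabaseServer = hostname == postgresql-server;
  isJabberServer = elem hostname domain.xmpp-servers;
  # `domain.backplane` may be null.  The bindings that dereference it are
  # only forced under `mkIf backplaneEnabled` (Nix evaluates lazily), so no
  # null check is needed on them individually.
  backplaneEnabled = domain.backplane != null;
  isDNSBackplane = hostname == domain.backplane.dns-service;
  isNameserver = hostname == domain.backplane.nameserver;

  database-name = "backplane_dns";
  database-backplane-user = "backplane_dns";
  database-powerdns-user = "backplane_powerdns_dns";

  # Deterministic per-host client password, derived from the host name and
  # the instance build seed; its secrecy is exactly the secrecy of
  # `config.instance.build-seed`.
  # NOTE(review): confirm that stablerandom-passwd-file does not write the
  # plaintext into the world-readable Nix store -- if it does, every host
  # whose closure contains the file can read it.
  make-passwd-file = host:
    let
      name = "backplane-host-${host}-client-passwd";
      seed = "${name}-${config.instance.build-seed}";
    in pkgs.lib.passwd.stablerandom-passwd-file name seed;

  # One client password file per known host, keyed by host name.
  host-password-files =
    mapAttrs (host: _: make-passwd-file host) config.fudo.hosts;

  # Secrets assigned to this host, read back from config so the deployed
  # `target-file` paths can be referenced by the consumers below.
  host-secrets = config.fudo.secrets.host-secrets.${hostname};

  # The backplane is reached via the first XMPP server of the domain that
  # hosts the DNS backplane service.
  backplane-host-domain =
    config.fudo.hosts.${domain.backplane.dns-service}.domain;
  # NOTE(review): `head` throws on an empty xmpp-servers list; nothing here
  # asserts that the list is non-empty.
  backplane-server =
    head config.fudo.domains.${backplane-host-domain}.xmpp-servers;
  backplane-host-fqdn = "${backplane-server}.${backplane-host-domain}";
  backplane-fqdn = "backplane.${backplane-host-domain}";

  # Grants given to both database roles on the backplane database.
  backplane-db-access = {
    access = "CONNECT";
    entity-access = {
      "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
      "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
    };
  };

in {
  config = mkIf backplaneEnabled {
    fudo = let
      # Service passwords shared between the database host and the client
      # host.  They are keyed on the postgresql server (and the build seed)
      # so both sides derive the same value independently.
      mk-shared-passwd = label:
        pkgs.lib.passwd.stablerandom-passwd-file
          "${label}-${postgresql-server}"
          "${label}-${postgresql-server}-${config.instance.build-seed}";
      powerdns-password = mk-shared-passwd "backplane-powerdns-passwd";
      backplane-database-password = mk-shared-passwd "backplane-passwd";
      xmpp-password = mk-shared-passwd "backplane-xmpp-passwd";
    in {
      # Which secret files get deployed on this host depends on its roles;
      # `user` is the account that must be able to read the target file.
      secrets.host-secrets.${hostname} = {
        powerdns-database-passwd = mkIf isNameserver {
          source-file = powerdns-password;
          target-file = "/run/backplane-powerdns/powerdns.passwd";
          user = config.fudo.powerdns.user;
        };
        backplane-database-passwd = mkIf isDNSBackplane {
          source-file = backplane-database-password;
          target-file = "/run/backplane-dns/database.passwd";
          user = config.fudo.backplane.dns.user;
        };
        backplane-xmpp-passwd = mkIf isDNSBackplane {
          source-file = xmpp-password;
          target-file = "/run/backplane-dns/xmpp.passwd";
          user = config.fudo.backplane.dns.user;
        };
        database-powerdns-passwd = mkIf isDatabaseServer {
          source-file = powerdns-password;
          target-file = "/run/postgres/powerdns.passwd";
          user = config.services.postgresql.superUser;
        };
        database-backplane-passwd = mkIf isDatabaseServer {
          source-file = backplane-database-password;
          target-file = "/run/postgres/backplane-database.passwd";
          user = config.services.postgresql.superUser;
        };
        ejabberd-backplane-passwd = mkIf isJabberServer {
          source-file = xmpp-password;
          target-file = "/run/backplane-jabber/service-dns.passwd";
          user = config.services.ejabberd.user;
        };
        # Every host is a backplane client, so this one is unconditional.
        backplane-client-passwd = {
          source-file = host-password-files.${hostname};
          target-file = "/run/backplane-client/client.passwd";
          user = config.fudo.client.dns.user;
        };
      };

      client.dns = {
        password-file = host-secrets.backplane-client-passwd.target-file;
        domain = domain.backplane.domain;
      };

      # Publish a `backplane` alias in the domain's zone pointing at the
      # XMPP server that carries the backplane.
      zones.${zone-name} = {
        aliases = { backplane = "${backplane-host-fqdn}."; };
      };

      postgresql = mkIf isDatabaseServer {
        required-services = [ "fudo-passwords.target" ];
        users = {
          "${database-powerdns-user}" = {
            password-file = host-secrets.database-powerdns-passwd.target-file;
            databases."${database-name}" = backplane-db-access;
          };
          "${database-backplane-user}" = {
            password-file = host-secrets.database-backplane-passwd.target-file;
            databases."${database-name}" = backplane-db-access;
          };
        };
        databases."${database-name}".users = config.instance.local-admins;
      };

      backplane = {
        enable = isJabberServer;
        # NOTE(review): client-hosts and services are defined on every host,
        # not only where `enable` is true; whether that is harmless depends
        # on the fudo.backplane module reading them only when enabled.
        client-hosts = mapAttrs (host: _: {
          password-file = host-password-files.${host};
        }) config.fudo.hosts;
        services = {
          # NOTE(review): this is the only consumer that reads `.source-file`;
          # every other reference reads `.target-file` (the deployed copy).
          # Confirm ejabberd is meant to read the source path directly.
          dns.password-file =
            host-secrets.ejabberd-backplane-passwd.source-file;
        };
        backplane-hostname = backplane-fqdn;
        dns = mkIf isDNSBackplane {
          enable = true;
          database = {
            host = pkgs.lib.network.host-ipv4 config postgresql-server;
            database = database-name;
            username = database-backplane-user;
            password-file = host-secrets.backplane-database-passwd.target-file;
          };
          backplane-role = {
            role = "service-dns";
            password-file = host-secrets.backplane-xmpp-passwd.target-file;
          };
        };
      };

      powerdns = mkIf isNameserver {
        enable = true;
        domains = let served-domain = domain.backplane.domain;
        in { ${served-domain}.admin = domain.admin-email; };
        listen-v4-addresses =
          let ipv4-addr = pkgs.lib.network.host-ipv4 config hostname;
          in [ ipv4-addr ];
        # Only listen on v6 when the host actually has a v6 address.
        listen-v6-addresses =
          let ipv6-addr = pkgs.lib.network.host-ipv6 config hostname;
          in optional (ipv6-addr != null) ipv6-addr;
        database = {
          host = pkgs.lib.network.host-ipv4 config postgresql-server;
          database = database-name;
          user = database-powerdns-user;
          password-file = host-secrets.powerdns-database-passwd.target-file;
        };
      };
    };
  };
}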