# NixOS module: the "france" host's backplane DNS server.
#
# Declares the options under `fudo.france.backplane-server`, creates one
# system user per role (PowerDNS and the backplane-dns service), derives two
# PostgreSQL passwords, publishes them as host secrets under /run, grants both
# roles access to the `backplane_dns` database and enables `fudo.backplane.dns`.
{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  # Not referenced anywhere in this module; kept for parity with sibling hosts.
  timestamp = config.instance.build-timestamp;
  domain = config.instance.local-domain;

  # Dedicated system accounts, one per role, so the two services never share a uid.
  powerdns-user = "backplane-powerdns";
  backplane-dns-user = "backplane-dns";

  # Derive a per-role database password file.  The password is a *stable*
  # function of hostname, domain, role and `config.instance.build-seed`, so it
  # is reproducible across rebuilds without being stored in this file.
  # NOTE(review): the secrecy of every password derived here rests entirely on
  # `build-seed`; the semantics of `stablerandom-passwd-file` are not visible in
  # this file — confirm the seed (and the resulting file) never lands in the
  # world-readable Nix store.
  generate-role-passwd = role:
    pkgs.lib.fudo.passwd.stablerandom-passwd-file "backplane-${role}-password"
    "${hostname}-${domain}-${role}-password-${config.instance.build-seed}";

  powerdns-password = generate-role-passwd "powerdns-db";
  backplane-dns-db-password = generate-role-passwd "backplane-dns-db";

  # Host secrets declared further down in this same module (fixpoint reference);
  # used to obtain the deployed `target-file` paths.
  secrets = config.fudo.secrets.host-secrets.france;

  cfg = config.fudo.france.backplane-server;

in {
  options.fudo.france.backplane-server = with types; {
    # Required (no default): the module will not evaluate without at least one
    # listen address.  Wired to `backplane.dns.listen-v4-addresses` below.
    listen-ips = mkOption {
      type = listOf str;
      description = "List of IPs on which to listen for incoming backplane connections.";
    };

    listen-ipv6s = mkOption {
      type = listOf str;
      description = "List of IPv6s on which to listen for incoming backplane connections.";
      default = [];
    };

    # Only the *path* is declared here; this module does not deploy that file.
    backplane-dns-password-file = mkOption {
      type = str;
      description = "Path to file containing the password for connecting to the XMPP backplane.";
    };
  };

  config = {
    users = {
      users = {
        # NOTE(review): newer NixOS releases require `group` to be set explicitly
        # for `isSystemUser` accounts — confirm against the target release.
        ${powerdns-user} = { isSystemUser = true; };
        ${backplane-dns-user} = { isSystemUser = true; };
      };
      groups = {
        ${powerdns-user} = { members = [ powerdns-user ]; };
        ${backplane-dns-user} = { members = [ backplane-dns-user ]; };
      };
    };

    fudo = {
      # Deploy the derived passwords to tmpfs (/run), owned by the service that
      # reads them.  The files are consumed by both the postgresql user
      # definitions and the backplane.dns database settings below.
      secrets.host-secrets.france = {
        powerdns-password = {
          source-file = powerdns-password;
          target-file = "/run/backplane/dns/powerdns/db.passwd";
          # NOTE(review): `fudo.backplane.dns.powerdns.user` is not set in this
          # file; presumably it defaults inside the backplane.dns module.  Verify
          # it is the uid PowerDNS actually runs as, or the file is unreadable.
          user = config.fudo.backplane.dns.powerdns.user;
        };
        backplane-dns-db-password = {
          source-file = backplane-dns-db-password;
          target-file = "/run/backplane/dns/db.passwd";
          user = config.fudo.backplane.dns.user;
        };
      };

      postgresql = {
        enable = true;
        # Password files must exist before PostgreSQL role setup runs.
        required-services = [ "fudo-passwords.target" ];
        users = {
          ${powerdns-user} = {
            password-file = secrets.powerdns-password.target-file;
            databases = {
              backplane_dns = {
                access = "CONNECT";
                entity-access = {
                  "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
                  "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
                };
              };
            };
          };
          # NOTE(review): this role receives exactly the same full-DML grant as
          # the PowerDNS role, so there is no privilege separation between the
          # two services on this database.  If the backplane writer only needs a
          # subset of tables, narrow this grant.
          ${backplane-dns-user} = {
            password-file = secrets.backplane-dns-db-password.target-file;
            databases = {
              backplane_dns = {
                access = "CONNECT";
                entity-access = {
                  "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
                  "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
                };
              };
            };
          };
        };
        databases = {
          # NOTE(review): "niten" looks like a personal/interactive account being
          # given access to a service database — confirm this is intended and not
          # a leftover from development.
          backplane_dns = { users = ["niten"]; };
        };
      };

      backplane.dns = {
        enable = true;
        listen-v4-addresses = cfg.listen-ips;
        listen-v6-addresses = cfg.listen-ipv6s;
        user = backplane-dns-user;
        group = backplane-dns-user;
        # PowerDNS backend connection: loopback TCP with password auth, the
        # password coming from the /run file deployed above.
        database = {
          username = powerdns-user;
          database = "backplane_dns";
          # Uses an IP to avoid cyclical dependency...
          host = "127.0.0.1";
          password-file = secrets.powerdns-password.target-file;
        };
        # XMPP backplane credentials; the password file path is caller-supplied.
        backplane = {
          host = "backplane.fudo.org";
          role = "service-dns";
          password-file = cfg.backplane-dns-password-file;
          database = {
            username = backplane-dns-user;
            # NOTE(review): this evaluates to "backplane-dns" (the user name),
            # while the only database declared and granted on in this module is
            # "backplane_dns".  Unless the backplane module creates its own
            # database, this is a name mismatch — confirm which name it connects to.
            database = backplane-dns-user;
            host = "127.0.0.1";
            password-file = secrets.backplane-dns-db-password.target-file;
          };
        };
      };
    };
  };
}