{ config, lib, pkgs, ... }:
with lib;
let
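# Identity of the host this module is evaluated for; both values feed the
# per-role password derivation (generate-role-passwd) further down.
hostname = config.instance.hostname;
domain = config.instance.local-domain;

# Dedicated system accounts for the two database roles.  The same string
# is also used as the name of each account's own group.
powerdns-user = "backplane-powerdns";
backplane-dns-user = "backplane-dns";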
# Produce a password file for the given role via the project's
# stablerandom-passwd-file helper.  The secret is named
# "backplane-<role>-password" and is seeded from host, domain, role and
# the instance build seed (presumably so the same host reproduces the
# same password on rebuild — verify against the helper).
# NOTE(review): if the helper really is deterministic in its seed, the
# resulting password is only as secret as config.instance.build-seed;
# confirm that value is not kept somewhere world-readable.
generate-role-passwd = role:
  let
    secret-name = "backplane-${role}-password";
    seed-string =
      "${hostname}-${domain}-${role}-password-${config.instance.build-seed}";
  in pkgs.lib.fudo.passwd.stablerandom-passwd-file secret-name seed-string;
# This module's own option values, and the host-secret declarations it
# contributes to (used below to look up the rendered target paths).
cfg = config.fudo.france.backplane-server;
secrets = config.fudo.secrets.host-secrets.france;

# Generated password files for the two database roles.
powerdns-password = generate-role-passwd "powerdns-db";
backplane-dns-db-password = generate-role-passwd "backplane-dns-db";
in {
options.fudo.france.backplane-server = {
  # No default: a host importing this module has to say where to listen.
  listen-ips = mkOption {
    type = types.listOf types.str;
    description = "List of IPs on which to listen for incoming backplane connections.";
  };

  listen-ipv6s = mkOption {
    type = types.listOf types.str;
    default = [];
    description = "List of IPv6s on which to listen for incoming backplane connections.";
  };

  # The option carries a path to the secret rather than its contents;
  # whether the file itself stays out of the Nix store depends on what
  # the caller passes here.
  backplane-dns-password-file = mkOption {
    type = types.str;
    description = "Path to file containing the password for connecting to the XMPP backplane.";
  };
};
config =
  let
    # Both database roles receive identical rights on the service
    # database: CONNECT, full DML on every table and SELECT/UPDATE on
    # every sequence in schema "public".
    dns-db-grants = {
      backplane_dns = {
        access = "CONNECT";
        entity-access = {
          "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
          "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
        };
      };
    };
    # Loopback-only database endpoint; the original comment on
    # backplane.dns.database explains why an IP is used here.
    db-host = "127.0.0.1";
  in {
    # One unprivileged system account per role, each in a group of its
    # own name.
    users = {
      users = {
        ${powerdns-user} = { isSystemUser = true; };
        ${backplane-dns-user} = { isSystemUser = true; };
      };
      groups = {
        ${powerdns-user} = { members = [ powerdns-user ]; };
        ${backplane-dns-user} = { members = [ backplane-dns-user ]; };
      };
    };

    fudo = {
      # Render the generated password files under /run, with `user` set
      # to the service account that reads each one.
      secrets.host-secrets.france = {
        powerdns-password = {
          source-file = powerdns-password;
          target-file = "/run/backplane/dns/powerdns/db.passwd";
          user = config.fudo.backplane.dns.powerdns.user;
        };
        backplane-dns-db-password = {
          source-file = backplane-dns-db-password;
          target-file = "/run/backplane/dns/db.passwd";
          user = config.fudo.backplane.dns.user;
        };
      };

      postgresql = {
        enable = true;
        # Presumably orders role provisioning after the password files
        # have been rendered — confirm against the postgresql module.
        required-services = [ "fudo-passwords.target" ];

        users = {
          ${powerdns-user} = {
            password-file = secrets.powerdns-password.target-file;
            databases = dns-db-grants;
          };
          ${backplane-dns-user} = {
            password-file = secrets.backplane-dns-db-password.target-file;
            databases = dns-db-grants;
          };
        };

        databases = {
          backplane_dns = {
            # NOTE(review): "niten" looks like a personal account being
            # attached to the service database; confirm this is intended
            # and not a leftover from development.
            users = ["niten"];
          };
        };
      };

      backplane.dns = {
        enable = true;
        listen-v4-addresses = cfg.listen-ips;
        listen-v6-addresses = cfg.listen-ipv6s;
        user = backplane-dns-user;
        group = backplane-dns-user;

        # The DNS service itself connects as the powerdns role.
        database = {
          username = powerdns-user;
          database = "backplane_dns";
          # Uses an IP to avoid cyclical dependency...
          host = db-host;
          password-file = secrets.powerdns-password.target-file;
        };

        backplane = {
          host = "backplane.fudo.org";
          role = "service-dns";
          password-file = cfg.backplane-dns-password-file;
          database = {
            username = backplane-dns-user;
            # NOTE(review): the database is named after the user
            # ("backplane-dns"), while the only database provisioned
            # above and granted to this user is "backplane_dns" — verify
            # which is meant before relying on it.
            database = backplane-dns-user;
            host = db-host;
            password-file = secrets.backplane-dns-db-password.target-file;
          };
        };
      };
    };
  };
}