
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mapAttrs elem head optional;

  # The host this module is evaluated for, and the fudo domain it belongs to.
  this-host = config.instance.hostname;
  this-domain-name = config.fudo.hosts."${this-host}".domain;
  this-domain = config.fudo.domains."${this-domain-name}";
  this-zone = this-domain.zone;

  # Host that runs the shared PostgreSQL instance for the domain.
  db-host = this-domain.postgresql-server;

  # Which backplane-related roles this particular host carries. Every
  # conditional below keys off one of these flags.
  serves = {
    database = this-host == db-host;
    xmpp = elem this-host this-domain.xmpp-servers;
    dns-backplane = this-host == this-domain.backplane.dns-service;
    nameserver = this-host == this-domain.backplane.nameserver;
  };

  # Nothing here applies when the domain has no backplane configured.
  has-backplane = this-domain.backplane != null;

  # Every password file in this module is produced by the same recipe: the
  # file name doubles as the first half of the seed, the instance build seed
  # is the second half. Anyone holding the build seed can reproduce every
  # password derived here, so the build seed itself must be treated as the
  # secret.
  # NOTE(review): whether stablerandom-passwd-file places its output in the
  # Nix store is not visible from this file; the secrets block below copies
  # each file to a /run path owned by the consuming service, and services
  # should read from that copy — confirm against the passwd helper.
  build-seed = config.instance.build-seed;
  stable-passwd = name:
    pkgs.lib.passwd.stablerandom-passwd-file name "${name}-${build-seed}";

  # Domain-wide shared passwords, keyed on the database host so that every
  # host in the domain derives the same value.
  powerdns-db-passwd = stable-passwd "backplane-powerdns-passwd-${db-host}";
  backplane-db-passwd = stable-passwd "backplane-passwd-${db-host}";
  backplane-xmpp-passwd = stable-passwd "backplane-xmpp-passwd-${db-host}";

  # One client password per known host, keyed by host name.
  per-host-client-passwd = mapAttrs
    (host: _: stable-passwd "backplane-host-${host}-client-passwd")
    config.fudo.hosts;

  # Secrets registered for this host (defined further down, read back via
  # config so the module system resolves the target paths).
  my-secrets = config.fudo.secrets.host-secrets.${this-host};

  db-name = "backplane_dns";
  db-user-backplane = "backplane_dns";
  db-user-powerdns = "backplane_powerdns_dns";

  # The backplane XMPP endpoint is the first XMPP server of whichever domain
  # hosts the DNS backplane service.
  backplane-domain = config.fudo.hosts.${this-domain.backplane.dns-service}.domain;
  backplane-xmpp-host = head config.fudo.domains.${backplane-domain}.xmpp-servers;
  backplane-xmpp-fqdn = "${backplane-xmpp-host}.${backplane-domain}";
  backplane-alias-fqdn = "backplane.${backplane-domain}";

  # Grants shared by both database roles: full DML on every table plus
  # sequence access, on the backplane database only.
  backplane-db-grant = {
    access = "CONNECT";
    entity-access = {
      "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
      "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
    };
  };

  # A PostgreSQL user definition authenticating with the given password file.
  db-user = passwd-file: {
    password-file = passwd-file;
    databases.${db-name} = backplane-db-grant;
  };

in {
  config = mkIf has-backplane {
    fudo = {
      # Each secret is copied from its generated source to a runtime path
      # owned by the single service that needs it; only the roles this host
      # actually serves get a copy.
      secrets.host-secrets.${this-host} = let
        secret = cond: source: target: owner:
          mkIf cond {
            source-file = source;
            target-file = target;
            user = owner;
          };
      in {
        powerdns-database-passwd = secret serves.nameserver powerdns-db-passwd
          "/run/backplane-powerdns/powerdns.passwd" config.fudo.powerdns.user;
        backplane-database-passwd = secret serves.dns-backplane backplane-db-passwd
          "/run/backplane-dns/database.passwd" config.fudo.backplane.dns.user;
        backplane-xmpp-passwd = secret serves.dns-backplane backplane-xmpp-passwd
          "/run/backplane-dns/xmpp.passwd" config.fudo.backplane.dns.user;
        database-powerdns-passwd = secret serves.database powerdns-db-passwd
          "/run/postgres/powerdns.passwd" config.services.postgresql.superUser;
        database-backplane-passwd = secret serves.database backplane-db-passwd
          "/run/postgres/backplane-database.passwd" config.services.postgresql.superUser;
        ejabberd-backplane-passwd = secret serves.xmpp backplane-xmpp-passwd
          "/run/backplane-jabber/service-dns.passwd" config.services.ejabberd.user;
        # Unconditional: every host is a backplane client.
        backplane-client-passwd = {
          source-file = per-host-client-passwd.${this-host};
          target-file = "/run/backplane-client/client.passwd";
          user = config.fudo.client.dns.user;
        };
      };

      client.dns = {
        password-file = my-secrets.backplane-client-passwd.target-file;
        domain = this-domain.backplane.domain;
      };

      # Publish "backplane" as an alias for the XMPP host in this host's zone.
      zones.${this-zone}.aliases.backplane = "${backplane-xmpp-fqdn}.";

      postgresql = mkIf serves.database {
        required-services = [ "fudo-passwords.target" ];
        users = {
          ${db-user-powerdns} = db-user my-secrets.database-powerdns-passwd.target-file;
          ${db-user-backplane} = db-user my-secrets.database-backplane-passwd.target-file;
        };
        databases.${db-name}.users = config.instance.local-admins;
      };

      backplane = {
        enable = serves.xmpp;
        client-hosts = mapAttrs (_: passwd: { password-file = passwd; })
          per-host-client-passwd;
        # NOTE(review): this is the only consumer that reads the generated
        # source-file rather than the /run target-file copy; every other
        # service here uses target-file. Confirm whether that is intended.
        services.dns.password-file = my-secrets.ejabberd-backplane-passwd.source-file;
        backplane-hostname = backplane-alias-fqdn;
        dns = mkIf serves.dns-backplane {
          enable = true;
          database = {
            host = pkgs.lib.network.host-ipv4 config db-host;
            database = db-name;
            username = db-user-backplane;
            password-file = my-secrets.backplane-database-passwd.target-file;
          };
          backplane-role = {
            role = "service-dns";
            password-file = my-secrets.backplane-xmpp-passwd.target-file;
          };
        };
      };

      powerdns = mkIf serves.nameserver {
        enable = true;
        domains.${this-domain.backplane.domain}.admin = this-domain.admin-email;
        # Bind only to this host's own addresses; v6 is optional.
        listen-v4-addresses = [ (pkgs.lib.network.host-ipv4 config this-host) ];
        listen-v6-addresses =
          let v6 = pkgs.lib.network.host-ipv6 config this-host;
          in optional (v6 != null) v6;
        database = {
          host = pkgs.lib.network.host-ipv4 config db-host;
          database = db-name;
          user = db-user-powerdns;
          password-file = my-secrets.powerdns-database-passwd.target-file;
        };
      };
    };
  };
}