backplane-dns/module.nix

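{ backplane-dns }:
{ config, lib, pkgs, ... }:

# NixOS module for the Fudo DNS backplane server: a systemd service that talks
# to a backplane XMPP server and to a PostgreSQL database.  Connection
# parameters reach the daemon through FUDO_DNS_BACKPLANE_* environment
# variables; the two secrets are handed over as systemd credentials so that
# they never appear in the unit's environment block or in the Nix store.
with lib; {
  options.fudo.backplane.server.dns = with types; {
    enable = mkEnableOption "Enable Fudo DNS Backplane Server";

    required-services = mkOption {
      type = listOf str;
      description =
        "List of systemd units on which the DNS backplane job depends.";
      default = [ ];
    };

    backplane = {
      host = mkOption {
        type = str;
        # Was spelled "descritpion", which left this option undocumented.
        description = "Backplane XMPP server hostname.";
      };
      role = mkOption {
        type = str;
        description = "Backplane XMPP role name for DNS backplane job.";
        default = "service-dns";
      };
      # `str` rather than `path` on purpose: a `path` value would be copied
      # into the world-readable Nix store.  The file is read by systemd (as
      # root) via LoadCredential when the service starts.
      password-file = mkOption {
        type = str;
        description =
          "Password file for backplane XMPP for DNS backplane role.";
      };
    };

    database = {
      host = mkOption {
        type = str;
        description = "Hostname or IP of the PostGreSQL server.";
      };
      database = mkOption {
        type = str;
        description = "Database to use for DNS backplane service.";
        default = "backplane_dns";
      };
      username = mkOption {
        type = str;
        description = "Database user for DNS backplane.";
        default = "backplane_dns";
      };
      # Same reasoning as backplane.password-file: keep the secret out of the
      # store, let systemd load it as a credential.
      password-file = mkOption {
        type = str;
        description =
          "File containing password for DNS backplane database user.";
      };
      ssl-mode = mkOption {
        type = enum [ "no" "yes" "full" "try" "require" ];
        description = "SSL connection mode.";
        # Require TLS to the database by default; the value is passed to the
        # daemon verbatim, so its exact semantics are the daemon's.
        default = "require";
      };
    };
  };

  config = let cfg = config.fudo.backplane.server.dns;
  # The service used to be defined unconditionally, so `enable` had no
  # effect; gate the whole configuration on it.
  in mkIf cfg.enable {
    systemd.services.backplane-dns = {
      description = "Fudo DNS Backplane Server";
      # NOTE(review): being wantedBy network-online.target looks unintended
      # (services are normally pulled in by multi-user.target or, given
      # partOf below, by backplane-dns.target) -- confirm before changing.
      wantedBy = [ "network-online.target" ];
      after = [ "network-online.target" ] ++ cfg.required-services;
      partOf = [ "backplane-dns.target" ];
      requires = cfg.required-services;
      # NOTE(review): no ExecStart/script is set anywhere in this unit, so
      # systemd will refuse to start it until the daemon entry point is
      # added.  The module's first argument `backplane-dns` is unused;
      # presumably it is the package meant here instead of
      # pkgs.backplane-dns-server -- confirm against the caller.
      path = with pkgs; [ backplane-dns-server ];

      environment = {
        FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = cfg.backplane.host;
        FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane.role;
        # systemd applies specifier expansion to Environment= values but not
        # shell-style $VAR expansion, so "$CREDENTIALS_DIRECTORY/..." would
        # have reached the daemon literally.  %d expands to the credentials
        # directory and %t to the runtime root (/run), so %t/backplane-dns is
        # the RuntimeDirectory declared below.
        FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = "%d/backplane.passwd";
        FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.database.host;
        FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.database.database;
        FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.database.username;
        FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE = "%d/db.passwd";
        FUDO_DNS_BACKPLANE_DATABASE_USE_SSL = cfg.database.ssl-mode;
        HOME = "%t/backplane-dns";
        # CL_SOURCE_REGISTRY =
        #   pkgs.lib.lisp.lisp-source-registry pkgs.backplane-dns-server;
        # LD_LIBRARY_PATH = "${pkgs.openssl.out}/lib";
      };

      serviceConfig = {
        # Run as an ephemeral unprivileged user.  DynamicUser already implies
        # ProtectSystem=strict and ProtectHome=read-only; the explicit
        # Protect* settings below just make the hardening intent visible.
        DynamicUser = true;
        RuntimeDirectory = "backplane-dns";
        # The systemd directive is LoadCredential (singular); the previous
        # "LoadCredentials" was an unknown key, silently ignored, so the
        # password files were never made available to the service.  Each
        # file is read by systemd and exposed only under the per-service
        # credentials directory, readable by the dynamic user alone.
        LoadCredential = [
          "db.passwd:${cfg.database.password-file}"
          "backplane.passwd:${cfg.backplane.password-file}"
        ];
        # Needs access to network both for Postgresql and the Backplane
        PrivateNetwork = false;
        PrivateUsers = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateMounts = true;
        # These referenced an undefined `opts` attribute set, which made the
        # module fail to evaluate.  They are now fixed to the hardened values
        # (all compatible with DynamicUser and with HOME in the runtime dir).
        ProtectControlGroups = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectSystem = "strict";
        ProtectHostname = true;
        ProtectHome = true;
        ProtectClock = true;
        Restart = "always";
        LockPersonality = true;
        RestrictRealtime = true;
        LimitNOFILE = "4096";
        # Deprecated in systemd in favour of the "+" ExecStartPre prefix;
        # harmless here since no ExecStartPre is declared.
        PermissionsStartOnly = true;
      };
    };
  };
}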