backplane-dns/module.nix

{ backplane-dns }:

{ config, lib, pkgs, ... }:

with lib; {
  options.fudo.backplane.server.dns = with types; {
    enable = mkEnableOption "Enable Fudo DNS Backplane Server";

    required-services = mkOption {
      type = listOf str;
      description =
        "List of systemd units on which the DNS backplane job depends.";
      default = [ ];
    };

    backplane = {
      host = mkOption {
        type = str;
        descritpion = "Backplane XMPP server hostname.";
      };

      role = mkOption {
        type = str;
        description = "Backplane XMPP role name for DNS backplane job.";
        default = "service-dns";
      };

      password-file = mkOption {
        type = str;
        description =
          "Password file for backplane XMPP for DNS backplane role.";
      };
    };

    database = {
      host = mkOption {
        type = str;
        description = "Hostname or IP of the PostGreSQL server.";
      };

      database = mkOption {
        type = str;
        description = "Database to use for DNS backplane service.";
        default = "backplane_dns";
      };

      username = mkOption {
        type = str;
        description = "Database user for DNS backplane.";
        default = "backplane_dns";
      };

      password-file = mkOption {
        type = str;
        description =
          "File containing password for DNS backplane database user.";
      };

      ssl-mode = mkOption {
        type = enum [ "no" "yes" "full" "try" "require" ];
        description = "SSL connection mode.";
        default = "require";
      };
    };
  };

  config = let cfg = config.fudo.backplane.server.dns;
  in {
    systemd.services.backplane-dns = {
      description = "Fudo DNS Backplane Server";

      wantedBy = [ "network-online.target" ];
      after = [ "network-online.target" ] ++ cfg.required-services;
      partOf = [ "backplane-dns.target" ];
      requires = cfg.required-services;

      path = with pkgs; [ backplane-dns-server ];
      environment = {
        FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = cfg.backplane.host;
        FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane.role;
        FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE =
          "$CREDENTIALS_DIRECTORY/backplane.passwd";

        FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.database.host;
        FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.database.database;
        FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.database.username;
        FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE =
          "$CREDENTIALS_DIRECTORY/db.passwd";
        FUDO_DNS_BACKPLANE_DATABASE_USE_SSL = cfg.database.ssl-mode;

        HOME = "$RUNTIME_DIRECTORY";

        # CL_SOURCE_REGISTRY =
        #   pkgs.lib.lisp.lisp-source-registry pkgs.backplane-dns-server;

        # LD_LIBRARY_PATH = "${pkgs.openssl.out}/lib";
      };

      serviceConfig = {
        DynamicUser = true;
        RuntimeDirectory = "backplane-dns";
        LoadCredentials = [
          "db.passwd:${cfg.database.password-file}"
          "backplane.passwd:${cfg.backplane.password-file}"
        ];
        # Needs access to network both for Postgresql and the Backplane
        PrivateNetwork = false;
        PrivateUsers = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateMounts = true;
        ProtectControlGroups = opts.protectControlGroups;
        ProtectKernelTunables = opts.protectKernelTunables;
        ProtectKernelModules = opts.protectKernelModules;
        ProtectSystem = opts.protectSystem;
        ProtectHostname = opts.protectHostname;
        ProtectHome = opts.protectHome;
        ProtectClock = opts.protectClock;
        Restart = "always";
        LockPersonality = true;
        RestrictRealtime = true;
        LimitNOFILE = "4096";
        PermissionsStartOnly = true;
      };
    };
  };
}
Add Nix code (not complete) 2023-02-06 15:18:31 -08:00			`{ backplane-dns }:`

			`{ config, lib, pkgs, ... }:`

			`with lib; {`
			`options.fudo.backplane.server.dns = with types; {`
			`enable = mkEnableOption "Enable Fudo DNS Backplane Server";`

			`required-services = mkOption {`
			`type = listOf str;`
			`description =`
			`"List of systemd units on which the DNS backplane job depends.";`
			`default = [ ];`
			`};`

			`backplane = {`
			`host = mkOption {`
			`type = str;`
			`descritpion = "Backplane XMPP server hostname.";`
			`};`

			`role = mkOption {`
			`type = str;`
			`description = "Backplane XMPP role name for DNS backplane job.";`
			`default = "service-dns";`
			`};`

			`password-file = mkOption {`
			`type = str;`
			`description =`
			`"Password file for backplane XMPP for DNS backplane role.";`
			`};`
			`};`

			`database = {`
			`host = mkOption {`
			`type = str;`
			`description = "Hostname or IP of the PostGreSQL server.";`
			`};`

			`database = mkOption {`
			`type = str;`
			`description = "Database to use for DNS backplane service.";`
			`default = "backplane_dns";`
			`};`

			`username = mkOption {`
			`type = str;`
			`description = "Database user for DNS backplane.";`
			`default = "backplane_dns";`
			`};`

			`password-file = mkOption {`
			`type = str;`
			`description =`
			`"File containing password for DNS backplane database user.";`
			`};`

			`ssl-mode = mkOption {`
			`type = enum [ "no" "yes" "full" "try" "require" ];`
			`description = "SSL connection mode.";`
			`default = "require";`
			`};`
			`};`
			`};`

			`config = let cfg = config.fudo.backplane.server.dns;`
			`in {`
			`systemd.services.backplane-dns = {`
			`description = "Fudo DNS Backplane Server";`

			`wantedBy = [ "network-online.target" ];`
			`after = [ "network-online.target" ] ++ cfg.required-services;`
			`partOf = [ "backplane-dns.target" ];`
			`requires = cfg.required-services;`

			`path = with pkgs; [ backplane-dns-server ];`
			`environment = {`
			`FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = cfg.backplane.host;`
			`FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane.role;`
			`FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE =`
			`"$CREDENTIALS_DIRECTORY/backplane.passwd";`

			`FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.database.host;`
			`FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.database.database;`
			`FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.database.username;`
			`FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE =`
			`"$CREDENTIALS_DIRECTORY/db.passwd";`
			`FUDO_DNS_BACKPLANE_DATABASE_USE_SSL = cfg.database.ssl-mode;`

			`HOME = "$RUNTIME_DIRECTORY";`

			`# CL_SOURCE_REGISTRY =`
			`# pkgs.lib.lisp.lisp-source-registry pkgs.backplane-dns-server;`

			`# LD_LIBRARY_PATH = "${pkgs.openssl.out}/lib";`
			`};`

			`serviceConfig = {`
			`DynamicUser = true;`
			`RuntimeDirectory = "backplane-dns";`
			`LoadCredentials = [`
			`"db.passwd:${cfg.database.password-file}"`
			`"backplane.passwd:${cfg.backplane.password-file}"`
			`];`
			`# Needs access to network both for Postgresql and the Backplane`
			`PrivateNetwork = false;`
			`PrivateUsers = true;`
			`PrivateDevices = true;`
			`PrivateTmp = true;`
			`PrivateMounts = true;`
			`ProtectControlGroups = opts.protectControlGroups;`
			`ProtectKernelTunables = opts.protectKernelTunables;`
			`ProtectKernelModules = opts.protectKernelModules;`
			`ProtectSystem = opts.protectSystem;`
			`ProtectHostname = opts.protectHostname;`
			`ProtectHome = opts.protectHome;`
			`ProtectClock = opts.protectClock;`
			`Restart = "always";`
			`LockPersonality = true;`
			`RestrictRealtime = true;`
			`LimitNOFILE = "4096";`
			`PermissionsStartOnly = true;`
			`};`
			`};`
			`};`
			`}`