Add Nix code (not complete)

2023-02-06 15:18:31 -08:00 · 2023-02-06 15:18:31 -08:00 · 8b4b1cead6
parent b77d6a294a
commit 8b4b1cead6
3 changed files with 179 additions and 0 deletions
--- a/backplane-dns.nix
+++ b/backplane-dns.nix
@ -0,0 +1,24 @@
+{ pkgs, backplane-server, ... }:
+
+pkgs.lispPackages.buildLispPackage {
+  baseName = "backplane-dns";
+  description = "Fudo XMPP Backplane DNS Server";
+
+  buildSystems = [ "backplane-dns" ];
+
+  src = ./.;
+
+  deps = with pkgs.lispPackages; [
+    arrows
+    alexandria
+    backplane-server
+    cl-ppcre
+    cl_plus_ssl
+    ip-utils
+    postmodern
+    prove
+    trivia
+  ];
+
+  asdFilesToKeep = [ "backplane-dns.asd" ];
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,28 @@
+{
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-22.11";
+    utils.url = "github:numtide/flake-utils";
+    backplane-server.url = "";
+  };
+
+  outputs = { self, nixpkgs, utils, backplane-server, ... }:
+    utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        backplane-server-pkgs = backplane-server.packages."${system}";
+      in {
+        packages = rec {
+          default = backplane-dns;
+          backplane-dns = import ./backplane-dns.nix {
+            inherit pkgs;
+            inherit (backplane-server.packages."${system}") backplane-server;
+          };
+        };
+      }) // {
+        nixosModules = rec {
+          default = backplane-dns;
+          backplane-dns =
+            import ./module.nix { local-packages = self.packages; };
+        };
+      };
+}
--- a/module.nix
+++ b/module.nix
@ -0,0 +1,127 @@
+{ backplane-dns }:
+
+{ config, lib, pkgs, ... }:
+
+with lib; {
+  options.fudo.backplane.server.dns = with types; {
+    enable = mkEnableOption "Enable Fudo DNS Backplane Server";
+
+    required-services = mkOption {
+      type = listOf str;
+      description =
+        "List of systemd units on which the DNS backplane job depends.";
+      default = [ ];
+    };
+
+    backplane = {
+      host = mkOption {
+        type = str;
+        descritpion = "Backplane XMPP server hostname.";
+      };
+
+      role = mkOption {
+        type = str;
+        description = "Backplane XMPP role name for DNS backplane job.";
+        default = "service-dns";
+      };
+
+      password-file = mkOption {
+        type = str;
+        description =
+          "Password file for backplane XMPP for DNS backplane role.";
+      };
+    };
+
+    database = {
+      host = mkOption {
+        type = str;
+        description = "Hostname or IP of the PostGreSQL server.";
+      };
+
+      database = mkOption {
+        type = str;
+        description = "Database to use for DNS backplane service.";
+        default = "backplane_dns";
+      };
+
+      username = mkOption {
+        type = str;
+        description = "Database user for DNS backplane.";
+        default = "backplane_dns";
+      };
+
+      password-file = mkOption {
+        type = str;
+        description =
+          "File containing password for DNS backplane database user.";
+      };
+
+      ssl-mode = mkOption {
+        type = enum [ "no" "yes" "full" "try" "require" ];
+        description = "SSL connection mode.";
+        default = "require";
+      };
+    };
+  };
+
+  config = let cfg = config.fudo.backplane.server.dns;
+  in {
+    systemd.services.backplane-dns = {
+      description = "Fudo DNS Backplane Server";
+
+      wantedBy = [ "network-online.target" ];
+      after = [ "network-online.target" ] ++ cfg.required-services;
+      partOf = [ "backplane-dns.target" ];
+      requires = cfg.required-services;
+
+      path = with pkgs; [ backplane-dns-server ];
+      environment = {
+        FUDO_DNS_BACKPLANE_XMPP_HOSTNAME = cfg.backplane.host;
+        FUDO_DNS_BACKPLANE_XMPP_USERNAME = cfg.backplane.role;
+        FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE =
+          "$CREDENTIALS_DIRECTORY/backplane.passwd";
+
+        FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.database.host;
+        FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.database.database;
+        FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.database.username;
+        FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE =
+          "$CREDENTIALS_DIRECTORY/db.passwd";
+        FUDO_DNS_BACKPLANE_DATABASE_USE_SSL = cfg.database.ssl-mode;
+
+        HOME = "$RUNTIME_DIRECTORY";
+
+        # CL_SOURCE_REGISTRY =
+        #   pkgs.lib.lisp.lisp-source-registry pkgs.backplane-dns-server;
+
+        # LD_LIBRARY_PATH = "${pkgs.openssl.out}/lib";
+      };
+
+      serviceConfig = {
+        DynamicUser = true;
+        RuntimeDirectory = "backplane-dns";
+        LoadCredentials = [
+          "db.passwd:${cfg.database.password-file}"
+          "backplane.passwd:${cfg.backplane.password-file}"
+        ];
+        # Needs access to network both for Postgresql and the Backplane
+        PrivateNetwork = false;
+        PrivateUsers = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateMounts = true;
+        ProtectControlGroups = opts.protectControlGroups;
+        ProtectKernelTunables = opts.protectKernelTunables;
+        ProtectKernelModules = opts.protectKernelModules;
+        ProtectSystem = opts.protectSystem;
+        ProtectHostname = opts.protectHostname;
+        ProtectHome = opts.protectHome;
+        ProtectClock = opts.protectClock;
+        Restart = "always";
+        LockPersonality = true;
+        RestrictRealtime = true;
+        LimitNOFILE = "4096";
+        PermissionsStartOnly = true;
+      };
+    };
+  };
+}