added powerdns to mc5

2022-07-20 19:28:12 +02:00 · 2022-07-20 19:28:12 +02:00 · eaed19a61a
commit eaed19a61a
parent b91dd7f4bd
2 changed files with 79 additions and 0 deletions
--- a/modules/powerdns.nix
+++ b/modules/powerdns.nix
@ -0,0 +1,78 @@
+{ lib, pkgs, ... }:
+let
+  #pdns_database = "/var/lib/powerdns/pdns.sqlite3";
+  #pdnsa_database = "/var/lib/powerdns-admin/pdnsa.sqlite3";
+  pdns_database = "pdns";
+  pdns_user = "pdns";
+  pdns_password = builtins.readFile /etc/nixos/keys/powerdns-dbpassword;
+  pdnsa_database = "powerdnsadmin";
+  pdnsa_password = builtins.readFile /etc/nixos/keys/powerdnsadmin-dbpassword;
+  pgsql_host = "/run/postgresql";
+  pdns_web_port = "8081";
+  pdns_api_key = builtins.readFile /etc/nixos/keys/powerdns-apikey;
+in
+{
+  services.powerdns = {
+    enable = true;
+    extraConfig = ''
+      launch=gpgsql
+      gpgsql-host=${pgsql_host}
+      gpgsql-dbname=${pdns_database}
+      gpgsql-user=${pdns_user}
+      gpgsql-password=${pdns_password}
+      webserver=yes
+      webserver-port=${pdns_web_port}
+      api=yes
+      api-key=${pdns_api_key}
+    '';
+  };
+
+  services.powerdns-admin = {
+    enable = true;
+    secretKeyFile = "/etc/nixos/keys/powerdns-secret";
+    saltFile = "/etc/nixos/keys/powerdns-salt";
+    config = ''
+      SQLALCHEMY_DATABASE_URI = 'postgresql://${pdnsa_database}@/${pdnsa_database}?host=/run/postgresql'
+    '';
+  };
+
+  imports = [ ./postgresql.nix ];
+
+  services.postgresql = {
+    ensureDatabases = [ pdns_database pdnsa_database];
+    ensureUsers = [
+      {
+        name = pdns_user;
+        ensurePermissions = {
+          "DATABASE ${pdns_database}" = "ALL PRIVILEGES";
+        };
+      }
+      {
+        name = pdnsa_database;
+        ensurePermissions = {
+          "DATABASE ${pdnsa_database}" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+  };
+
+  services.postgresqlBackup.databases = [
+    pdns_database
+    pdnsa_database
+  ];
+
+  systemd.services."powerdns-admin" = {
+    serviceConfig = {
+    #  ExecStartPre = lib.mkForce "${pkgs.bash}/bin/bash -c 'ls -ahlp /run/postgresql/.s.PGSQL.5432'";
+      BindReadOnlyPaths = [ "/run/postgresql/.s.PGSQL.5432" ];
+    };
+    #preStart = lib.mkForce "ls -ahlp /run/postgresql/.s.PGSQL.5432";
+    #systemd.services.powerdns-admin = serviceConfig = {
+    #};
+  };
+
+  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
+}
+
+# vim: set et ts=2 sw=2 ai:
--- a/systems/mc5/configuration.nix
+++ b/systems/mc5/configuration.nix
@ -6,6 +6,7 @@
      ./modules/generic.nix
      #./modules/ceph-common.nix
      ./modules/borg.nix
+      ./modules/powerdns.nix
    ];

  #services.ceph = {