authorMax Audron <audron@cocaine.farm>2023-10-08 12:29:39 +0200
committerMax Audron <audron@cocaine.farm>2023-10-08 12:29:39 +0200
commit9466a3ce94b1bb0112a323cefe4a7aaeadf515d9 (patch)
tree090070c6e4ca68cdd584bf72bf47ae486d15a3f7 /modules
parentenable acme module (diff)
deploy powerdns admin and tlmp
Diffstat (limited to '')
-rw-r--r--modules/acme/default.nix9
-rw-r--r--modules/default.nix1
-rw-r--r--modules/powerdns/default.nix69
-rw-r--r--modules/tlmp/default.nix21
4 files changed, 96 insertions, 4 deletions
diff --git a/modules/acme/default.nix b/modules/acme/default.nix
index 91f6aa0..0556710 100644
--- a/modules/acme/default.nix
+++ b/modules/acme/default.nix
@@ -9,4 +9,13 @@
credentialsFile = "/etc/secrets/pdns_api.env";
};
};
+
+ secrets = {
+ pdnsAPI = {
+ source = ../../secrets/pdns/pdns_api.env;
+ dest = "/etc/secrets/pdns_api.env";
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
}
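Review bot: The `users.users.nginx.extraGroups = [ "acme" ];` line gives nginx read access to every private key the ACME module manages, not only the certificate its virtual host uses; if the intent is just the `vapor.systems` cert, the narrower NixOS form is `security.acme.certs."vapor.systems".group = "nginx";` (or `security.acme.defaults.group = "nginx";` when all certs are for nginx). The `pdnsAPI` secret is now declared in this module while its destination `/etc/secrets/pdns_api.env` is still consumed by the powerdns module's `secretFile`, so that module presumably only works when this one is imported too; a comment such as `# also read by modules/powerdns (services.powerdns secretFile)` next to the `secrets` block would make the coupling visible. Whether the custom `secrets` option sets an owner and mode on the destination is not visible here; since the file holds an API credential, confirm it is not world-readable. The enclosing attribute set begins before this hunk.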
diff --git a/modules/default.nix b/modules/default.nix
index 0bd0349..6912276 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -17,4 +17,5 @@
postgresql = import ./postgresql;
quassel = import ./quassel;
powerdns = import ./powerdns;
+ tlmp = import ./tlmp;
}
diff --git a/modules/powerdns/default.nix b/modules/powerdns/default.nix
index cca6a03..d110875 100644
--- a/modules/powerdns/default.nix
+++ b/modules/powerdns/default.nix
@@ -64,11 +64,72 @@ in
secretFile = "/etc/secrets/pdns_api.env";
};
- secrets = {
- pdnsAPI = {
- source = ../../secrets/pdns/pdns_api.env;
- dest = "/etc/secrets/pdns_api.env";
+ services.powerdns-admin = {
+ enable = true;
+ secretKeyFile = "/var/lib/pdns/secret.key";
+ saltFile = "/var/lib/pdns/salt";
+ extraArgs = [ "-b" "10.10.0.1:8000" ];
+ config = ''
+ SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/pdns?host=/run/postgresql'
+ # SAML_ENABLED = True
+ # SAML_DEBUG = True
+ # SAML_METADATA_URL = 'https://auth.vapor.systems/application/saml/powerdns/metadata/'
+ # SAML_METADATA_CACHE_LIFETIME = 1
+ # SAML_LOGOUT_URL = 'https://auth.vapor.systems/application/saml/powerdns/slo/binding/redirect/'
+ # SAML_SP_ENTITY_ID = 'pdns-admin'
+ # SAML_SP_CONTACT_NAME = 'me'
+ # SAML_SP_CONTACT_MAIL = 'me'
+ # SAML_NAMEID_FORMAT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+ # SAML_ATTRIBUTE_USERNAME = 'http://schemas.goauthentik.io/2021/02/saml/username'
+ # SAML_ATTRIBUTE_NAME = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
+ # SAML_ATTRIBUTE_EMAIL = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
+ # SAML_ATTRIBUTE_GROUP = 'http://schemas.xmlsoap.org/claims/Group'
+ # SAML_GROUP_ADMIN_NAME = 'admin'
+ # SAML_SIGN_REQUEST = False
+ # SAML_ASSERTION_ENCRYPTED = False
+ # SAML_WANT_MESSAGE_SIGNED = False
+ # SAML_CERT = '/var/lib/pdns/saml.crt'
+ '';
+ };
+
+ security.acme.certs = {
+ "vapor.systems" = {
+ extraDomainNames = [ "*.vapor.systems" ];
};
};
+
+ services.nginx = {
+ enable = true;
+ defaultListenAddresses = [ "178.63.224.13" ];
+ virtualHosts."ns.vapor.systems" = {
+ addSSL = true;
+ useACMEHost = "vapor.systems";
+ locations."/" = {
+ proxyPass = "http://10.10.0.1:8000";
+ proxyWebsockets = true;
+ extraConfig =
+ "proxy_pass_header Authorization;"
+ ;
+ };
+ };
+ };
+
+ systemd.services.powerdns-admin.serviceConfig = {
+ BindPaths = [ "/run/postgresql" ];
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "pdns" ];
+ ensureUsers = [
+ {
+ name = "pdns";
+ ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
+ }
+ {
+ name = "powerdnsadmin";
+ ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
+ }
+ ];
+ };
};
}
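Review bot: The `ns.vapor.systems` virtual host uses `addSSL = true`, which keeps serving the admin panel over plain HTTP next to HTTPS; for a login-protected UI the usual choice is `forceSSL = true;`, so HTTP requests are redirected instead of answered. The commented-out SAML block inside `config` carries `SAML_SIGN_REQUEST = False`, `SAML_WANT_MESSAGE_SIGNED = False` and `SAML_ASSERTION_ENCRYPTED = False`; if it is later uncommented those should be turned on together with `SAML_CERT`, otherwise the dead block is better dropped than left as a template with weak defaults. `secretKeyFile` and `saltFile` point at `/var/lib/pdns/secret.key` and `/var/lib/pdns/salt`, but nothing in the hunk creates those files or sets their ownership for the powerdns-admin service, so presumably they are provisioned out of band — a short comment saying where they come from would help the next reader. The enclosing attribute set begins before this hunk.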
diff --git a/modules/tlmp/default.nix b/modules/tlmp/default.nix
new file mode 100644
index 0000000..16f9ff5
--- /dev/null
+++ b/modules/tlmp/default.nix
@@ -0,0 +1,21 @@
+{ self, config, lib, pkgs, ... }:
+
+with self.lib.nginx;
+{
+ security.acme.certs = {
+ "media.cocaine.farm" = {
+ extraDomainNames = [ "*.media.cocaine.farm" ];
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "media.cocaine.farm" = (proxyDomain "media.cocaine.farm" "http://10.101.94.10:80");
+ "sonarr.media.cocaine.farm" = proxyDomainAuth "media.cocaine.farm" "http://10.101.73.6:80";
+ "radarr.media.cocaine.farm" = proxyDomainAuth "media.cocaine.farm" "http://10.101.22.234:80";
+ "jackett.media.cocaine.farm" = proxyDomainAuth "media.cocaine.farm" "http://10.101.20.23:80";
+ # "torrent.media.cocaine.farm" = proxyDomainAuth "media.cocaine.farm" "http://10.101.73.6:80";
+ };
+ };
+}
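Review bot: The apex `media.cocaine.farm` host is built with `proxyDomain` while the three service subdomains use `proxyDomainAuth`; from the names this looks like the apex is exposed without the authentication layer the others get, so if that is deliberate a one-line comment (`# landing page, intentionally unauthenticated`) would stop it being read as an omission, and if not it should use `proxyDomainAuth` as well. Both helpers come from `self.lib.nginx`, which is not in this diff, so what they actually configure cannot be confirmed here. The module header `{ self, config, lib, pkgs, ... }:` binds `config`, `lib` and `pkgs` without using them; `{ self, ... }:` is sufficient. The commented-out `torrent.media.cocaine.farm` line points at the same backend as sonarr and reads as a stale leftover.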