authorMax Audron <audron@cocaine.farm>2023-10-13 17:36:06 +0200
committerMax Audron <audron@cocaine.farm>2023-10-13 17:36:06 +0200
commitcc8817b303d9b19c70bbf3847af1941a27f712f7 (patch)
tree7cd250ed474fb16b1ea3aa42a5d7d8f406d0a7ea /modules
parentpackage authentik for nixos (diff)
sepperate powerdns primary and secondary configs
Diffstat (limited to 'modules')
-rw-r--r--modules/postgresql/default.nix16
-rw-r--r--modules/powerdns/default.nix70
-rw-r--r--modules/powerdns/primary.nix73
3 files changed, 82 insertions, 77 deletions
diff --git a/modules/postgresql/default.nix b/modules/postgresql/default.nix
index a02e6ce..80b362f 100644
--- a/modules/postgresql/default.nix
+++ b/modules/postgresql/default.nix
@@ -3,17 +3,9 @@
{
services.postgresql = {
enable = true;
- ensureDatabases = [ "quassel" "pdns" ];
+ enableTCPIP = true;
ensureUsers = [
{
- name = "quassel";
- ensurePermissions = { "DATABASE quassel" = "ALL PRIVILEGES"; };
- }
- {
- name = "pdns";
- ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
- }
- {
name = "audron";
ensureClauses.superuser = true;
}
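Review bot: The `quassel` database and role are removed from `ensureDatabases`/`ensureUsers` here, but unlike `pdns` (which the new primary.nix re-declares) nothing in this commit creates them again, and the commit title mentions only powerdns. If a quassel module elsewhere still expects that database, it should declare it itself the way primary.nix now owns `pdns`; if the removal is intentional, say so in the commit message so the missing database is not mistaken for a regression later. `enableTCPIP = true` is also introduced in this hunk without a comment naming which client needs TCP, `# TCP needed for <client>; local services use /run/postgresql` would make the intent clear.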
@@ -25,6 +17,12 @@
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
+ # ipv4
+ host all all 127.0.0.1/32 trust
+ host all all 10.10.0.0/24 trust
+ host all all 10.88.0.0/24 trust
+ # ipv6
+ host all all ::1/128 trust
'';
};
}
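Review bot: The added `host all all 10.10.0.0/24 trust` and `host all all 10.88.0.0/24 trust` lines, together with `enableTCPIP = true` from the hunk above and the `audron` superuser this file keeps, let any host on those two subnets open a session as any role, superuser included, with no credential at all, since `trust` skips authentication entirely and `all all` covers every database and role. If the only networked clients are the pdns roles, scope the entries to them and require a password, e.g. `host pdns pdns 10.10.0.0/24 scram-sha-256` and `host pdns powerdnsadmin 10.10.0.0/24 scram-sha-256` (note `ensureUsers` does not set passwords, so those would need provisioning separately). If 10.88.0.0/24 is a container network, as the range suggests, every container attached to it inherits the same unauthenticated superuser access. The loopback `trust` lines are less exposed but still let any local process become superuser, so keep them only if every local account is trusted.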
diff --git a/modules/powerdns/default.nix b/modules/powerdns/default.nix
index d110875..4543940 100644
--- a/modules/powerdns/default.nix
+++ b/modules/powerdns/default.nix
@@ -47,6 +47,8 @@ let
'';
in
{
+ imports = [ ./primary.nix ];
+
options.services.powerdns = {
role = lib.mkOption {
type = lib.types.enum [ "primary" "secondary" ];
@@ -63,73 +65,5 @@ in
else secondary;
secretFile = "/etc/secrets/pdns_api.env";
};
-
- services.powerdns-admin = {
- enable = true;
- secretKeyFile = "/var/lib/pdns/secret.key";
- saltFile = "/var/lib/pdns/salt";
- extraArgs = [ "-b" "10.10.0.1:8000" ];
- config = ''
- SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/pdns?host=/run/postgresql'
- # SAML_ENABLED = True
- # SAML_DEBUG = True
- # SAML_METADATA_URL = 'https://auth.vapor.systems/application/saml/powerdns/metadata/'
- # SAML_METADATA_CACHE_LIFETIME = 1
- # SAML_LOGOUT_URL = 'https://auth.vapor.systems/application/saml/powerdns/slo/binding/redirect/'
- # SAML_SP_ENTITY_ID = 'pdns-admin'
- # SAML_SP_CONTACT_NAME = 'me'
- # SAML_SP_CONTACT_MAIL = 'me'
- # SAML_NAMEID_FORMAT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
- # SAML_ATTRIBUTE_USERNAME = 'http://schemas.goauthentik.io/2021/02/saml/username'
- # SAML_ATTRIBUTE_NAME = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
- # SAML_ATTRIBUTE_EMAIL = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
- # SAML_ATTRIBUTE_GROUP = 'http://schemas.xmlsoap.org/claims/Group'
- # SAML_GROUP_ADMIN_NAME = 'admin'
- # SAML_SIGN_REQUEST = False
- # SAML_ASSERTION_ENCRYPTED = False
- # SAML_WANT_MESSAGE_SIGNED = False
- # SAML_CERT = '/var/lib/pdns/saml.crt'
- '';
- };
-
- security.acme.certs = {
- "vapor.systems" = {
- extraDomainNames = [ "*.vapor.systems" ];
- };
- };
-
- services.nginx = {
- enable = true;
- defaultListenAddresses = [ "178.63.224.13" ];
- virtualHosts."ns.vapor.systems" = {
- addSSL = true;
- useACMEHost = "vapor.systems";
- locations."/" = {
- proxyPass = "http://10.10.0.1:8000";
- proxyWebsockets = true;
- extraConfig =
- "proxy_pass_header Authorization;"
- ;
- };
- };
- };
-
- systemd.services.powerdns-admin.serviceConfig = {
- BindPaths = [ "/run/postgresql" ];
- };
-
- services.postgresql = {
- ensureDatabases = [ "pdns" ];
- ensureUsers = [
- {
- name = "pdns";
- ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
- }
- {
- name = "powerdnsadmin";
- ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
- }
- ];
- };
};
}
diff --git a/modules/powerdns/primary.nix b/modules/powerdns/primary.nix
new file mode 100644
index 0000000..bfd9c0c
--- /dev/null
+++ b/modules/powerdns/primary.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+
+{
+ config = lib.mkIf (config.services.powerdns.role == "primary") {
+ services.powerdns-admin = {
+ enable = true;
+ secretKeyFile = "/var/lib/pdns/secret.key";
+ saltFile = "/var/lib/pdns/salt";
+ extraArgs = [ "-b" "10.10.0.1:8000" ];
+ config = ''
+ SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/pdns?host=/run/postgresql'
+ # SAML_ENABLED = True
+ # SAML_DEBUG = True
+ # SAML_METADATA_URL = 'https://auth.vapor.systems/application/saml/powerdns/metadata/'
+ # SAML_METADATA_CACHE_LIFETIME = 1
+ # SAML_LOGOUT_URL = 'https://auth.vapor.systems/application/saml/powerdns/slo/binding/redirect/'
+ # SAML_SP_ENTITY_ID = 'pdns-admin'
+ # SAML_SP_CONTACT_NAME = 'me'
+ # SAML_SP_CONTACT_MAIL = 'me'
+ # SAML_NAMEID_FORMAT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+ # SAML_ATTRIBUTE_USERNAME = 'http://schemas.goauthentik.io/2021/02/saml/username'
+ # SAML_ATTRIBUTE_NAME = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
+ # SAML_ATTRIBUTE_EMAIL = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
+ # SAML_ATTRIBUTE_GROUP = 'http://schemas.xmlsoap.org/claims/Group'
+ # SAML_GROUP_ADMIN_NAME = 'admin'
+ # SAML_SIGN_REQUEST = False
+ # SAML_ASSERTION_ENCRYPTED = False
+ # SAML_WANT_MESSAGE_SIGNED = False
+ # SAML_CERT = '/var/lib/pdns/saml.crt'
+ '';
+ };
+
+ security.acme.certs = {
+ "vapor.systems" = {
+ extraDomainNames = [ "*.vapor.systems" ];
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ defaultListenAddresses = [ "178.63.224.13" ];
+ virtualHosts."ns.vapor.systems" = {
+ addSSL = true;
+ useACMEHost = "vapor.systems";
+ locations."/" = {
+ proxyPass = "http://10.10.0.1:8000";
+ proxyWebsockets = true;
+ extraConfig =
+ "proxy_pass_header Authorization;"
+ ;
+ };
+ };
+ };
+
+ systemd.services.powerdns-admin.serviceConfig = {
+ BindPaths = [ "/run/postgresql" ];
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "pdns" ];
+ ensureUsers = [
+ {
+ name = "pdns";
+ ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
+ }
+ {
+ name = "powerdnsadmin";
+ ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
+ }
+ ];
+ };
+ };
+}
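Review bot: `addSSL = true` on the `ns.vapor.systems` vhost keeps a plain-HTTP listener on the public address 178.63.224.13 next to the HTTPS one, so the PowerDNS-Admin login page (the SAML block is entirely commented out, presumably leaving local password login) can be reached and submitted in cleartext; `forceSSL = true;` would make HTTP redirect instead. The commented SAML block also carries `SAML_SIGN_REQUEST = False`, `SAML_WANT_MESSAGE_SIGNED = False` and `SAML_ASSERTION_ENCRYPTED = False`, and if those settings mean what their names suggest, uncommenting the block as-is would accept unsigned IdP messages, so a `# NOTE: set SAML_WANT_MESSAGE_SIGNED = True before enabling SAML` comment above it would stop the block being re-enabled verbatim. `proxy_pass_header Authorization;` in nginx controls response headers from the backend, so it is likely a no-op here rather than forwarding the client's credentials; either drop it or comment why it is needed.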