diff --git a/configuration.nix b/configuration.nix
index 23e6df4..923792a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -7,6 +7,10 @@
 networking.hostName = "hexname-ns1";
+ environment.systemPackages = with pkgs; [
+ hexname-backend
+ ];
+
 users.users = {
 luka = {
 isNormalUser = true;
diff --git a/flake.lock b/flake.lock
index d42ace6..9fd5f6b 100755
--- a/flake.lock
+++ b/flake.lock
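Review bot: `environment.systemPackages = with pkgs; [ hexname-backend ];` installs the daemon's binaries into every login user's PATH, while the unit added in pkgs/backend.nix already starts it from `${pkgs.hexname-backend}` directly, so the system-wide install is not needed for the service to run. Unless an operator needs `dns-backend` interactively, the four added lines can be dropped to keep the interactive surface and the closure smaller. Note also that the name `hexname-backend` only resolves through the overlay that pkgs/backend.nix adds, so this line silently depends on that module staying imported; a comment such as `# provided by the overlay in pkgs/backend.nix` would make that visible.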
@@ -1,28 +1,111 @@ { "nodes": { - "nixpkgs": { + "fenix": { + "inputs": { + "nixpkgs": [ + "hexname-backend", + "naersk", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, "locked": { - "lastModified": 1768564909, - "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f", + "lastModified": 1752475459, + "narHash": "sha256-z6QEu4ZFuHiqdOPbYss4/Q8B0BFhacR8ts6jO/F/aOU=", + "owner": "nix-community", + "repo": "fenix", + "rev": "bf0d6f70f4c9a9cf8845f992105652173f4b617f", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "hexname-backend": { + "inputs": { + "flake-utils": "flake-utils", + "naersk": "naersk", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1769444495, + "narHash": "sha256-8dC6d0XedjH+3YIxUb9PMzr1WhHzwxi5tsFLTkM0bss=", + "ref": "refs/heads/main", + "rev": "5be98605494183210469cf5ad3be211dd0e3f18e", + "revCount": 20, + "type": "git", + "url": "ssh://forgejo@git.lukadeka.com:6968/LukaDeka/HexName-Backend.git" + }, + "original": { + "type": "git", + "url": "ssh://forgejo@git.lukadeka.com:6968/LukaDeka/HexName-Backend.git" + } + }, + "naersk": { + "inputs": { + "fenix": "fenix", + "nixpkgs": [ + "hexname-backend", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1768908532, + "narHash": "sha256-HIdLXEFaUVE8FiaCPJbCfBMsnF+mVtDub8Jwj2BD+mk=", + "owner": "nix-community", + "repo": "naersk", + "rev": "8d97452673640eb7fabe428e8b6a425bc355008b", + 
"type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1769330179, + "narHash": "sha256-yxgb4AmkVHY5OOBrC79Vv6EVd4QZEotqv+6jcvA212M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "48698d12cc10555a4f3e3222d9c669b884a49dfe", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1768621446, - "narHash": "sha256-6YwHV1cjv6arXdF/PQc365h1j+Qje3Pydk501Rm4Q+4=", + "lastModified": 1769318308, + "narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=", "owner": "nixos", "repo": "nixpkgs", - "rev": "72ac591e737060deab2b86d6952babd1f896d7c5", + "rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c", "type": "github" }, "original": { 
@@ -32,11 +115,60 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1769170682, + "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "c5296fdd05cfa2c187990dd909864da9658df755", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs", + "hexname-backend": "hexname-backend", + "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable" } + }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1752428706, + "narHash": "sha256-EJcdxw3aXfP8Ex1Nm3s0awyH9egQvB2Gu+QEnJn2Sfg=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "591e3b7624be97e4443ea7b5542c191311aa141d", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index d34eaaf..ae4c581 100755 --- a/flake.nix +++ b/flake.nix 
@@ -4,13 +4,15 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
+
+ hexname-backend.url = "git+ssh://forgejo@git.lukadeka.com:6968/LukaDeka/HexName-Backend.git";
 };
- outputs = { nixpkgs, nixpkgs-stable, ... } @ inputs: {
+ outputs = { nixpkgs, nixpkgs-stable, hexname-backend, ... } @ inputs: {
 nixosConfigurations = {
 hexname-ns1 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- specialArgs = { inherit inputs; };
+ specialArgs = { inherit inputs; inherit hexname-backend; };
 modules = [
 ######## Boilerplate ########
 ./configuration.nix
@@ -19,7 +21,9 @@
 ./pkgs/extra.nix
 ######## HexName configuration ########
- #./pkgs/hexname/powerdns-podman.nix
+ ./pkgs/powerdns.nix
+ ./pkgs/backend.nix
+ # ./pkgs/postgres.nix
 ######## Networking ########
 ./pkgs/server-ssh.nix
diff --git a/pkgs/backend.nix b/pkgs/backend.nix
index 4285edd..ed12b63 100644
--- a/pkgs/backend.nix
+++ b/pkgs/backend.nix
@@ -1,3 +1,34 @@
-{}:
+{ pkgs, hexname-backend, ... }:
+{
+ nixpkgs.overlays = [
+ (self: super: {
+ hexname-backend = hexname-backend.packages.${super.stdenv.hostPlatform.system}.default;
+ })
+ ];
+
+ users.groups.hexname = {};
+ users.users = {
+ hexname-backend = {
+ group = "hexname";
+ isSystemUser = true;
+ createHome = true;
+ home = "/var/lib/hexname/backend";
+ };
+ };
+
+ systemd.services.hexname-backend = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ ENV_PATH = "/etc/env/hexname/backend.env";
+ };
+ serviceConfig = {
+ User = "hexname-backend";
+ Group = "hexname";
+ Type = "simple";
+ ExecStart = "${pkgs.hexname-backend}/bin/dns-backend";
+ };
+ };
+}
diff --git a/pkgs/extra.nix b/pkgs/extra.nix
index ed3bfba..afcc630 100644
--- a/pkgs/extra.nix
+++ b/pkgs/extra.nix
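Review bot: `specialArgs = { inherit inputs; inherit hexname-backend; }` passes the same flake input under two names, because `inputs.hexname-backend` is already reachable through the existing `inherit inputs`; keeping only one spelling (either take `inputs.hexname-backend` in pkgs/backend.nix, or keep the short name and drop `inherit inputs` where it is unused) avoids the two drifting apart. The new `hexname-backend.url` is a `git+ssh://` input with no `ref` or `rev`, so the lock file is the only thing pinning it and evaluating the flake now requires an SSH key for that Forgejo host; a line such as `# private input: evaluation needs SSH access to git.lukadeka.com, pinned only via flake.lock` above it would save the next person a failed `nix flake update`.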
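Review bot: `systemd.services.hexname-backend` runs as a dedicated user but with no sandboxing and no `Restart`, so the only thing limiting what a misbehaving `dns-backend` can reach is default file-system permissions; `ENV_PATH = "/etc/env/hexname/backend.env"` also points the daemon at a file this module neither creates nor permission-checks, so it deserves a comment such as `# must be root-owned and readable by the hexname-backend user only; holds the DB credential` (the credential use is inferred from pkgs/postgres.nix, not visible here). The `serviceConfig` below adds the usual confinement and lets `StateDirectory` own `/var/lib/hexname/backend`, after which `createHome`/`home` on the user definition can go.
```nix
serviceConfig = {
  User = "hexname-backend";
  Group = "hexname";
  Type = "simple";
  ExecStart = "${pkgs.hexname-backend}/bin/dns-backend";
  Restart = "on-failure";
  # Confine the daemon: no privilege escalation, read-only system,
  # private /tmp; StateDirectory is the only writable location under /var/lib.
  NoNewPrivileges = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  StateDirectory = "hexname/backend";
};
```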
@@ -13,6 +13,8 @@
 security.sudo.wheelNeedsPassword = false;
+ time.timeZone = "Europe/Berlin";
+
 # Select internationalisation properties.
 i18n.defaultLocale = "en_US.UTF-8";
 i18n.extraLocaleSettings = let
diff --git a/pkgs/postgres.nix b/pkgs/postgres.nix
new file mode 100644
index 0000000..3512758
--- /dev/null
+++ b/pkgs/postgres.nix
@@ -0,0 +1,32 @@
+{ lib, pkgs, ... }:
+
+{
+ services.postgresql = {
+ enable = true;
+
+ # settings = {
+ # listen_addresses = lib.mkForce "127.0.0.1,10.89.0.10";
+ # };
+
+ # Allow root to log in as postgres in the DB (for the PowerDNS container)
+ identMap = ''
+ postgres root postgres
+ '';
+
+ authentication = lib.mkForce ''
+ # TYPE DATABASE USER ADDRESS AUTH-METHOD [auth-options]
+ host hexname-backend hexname-backend 127.0.0.1/24 scram-sha-256
+ # host all powerdns-user 127.0.0.1/24 scram-sha-256
+ # local all root trust
+ '';
+
+ ensureUsers = [ { name = "hexname-backend"; } ];
+ # No need to define the DB since `diesel` creates everything
+
+ # This password is only the initial one - don't get too excited
+ initialScript = pkgs.writeText "set-initial-password-script" ''
+ alter user hexname-backend with password 'shuaze-gagyof';
+ '';
+ };
+}
+
diff --git a/pkgs/powerdns-podman.nix b/pkgs/powerdns-podman.nix
deleted file mode 100644
index 4667f91..0000000
--- a/pkgs/powerdns-podman.nix
+++ /dev/null
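Review bot: `initialScript = pkgs.writeText … ''alter user hexname-backend with password '…';''` bakes the literal password into git history and into the world-readable Nix store on the host, and the "only the initial one" comment does not change that since nothing in this module rotates it. Passing a path outside the store instead, e.g. `initialScript = "/etc/env/hexname/postgres-init.sql";` (constructed example path, root-only), keeps the credential off the store and out of the repository. `authentication = lib.mkForce` discards the NixOS defaults entirely; if those defaults carry the `local … peer` line the module's own setup step relies on, `ensureUsers` and `initialScript` may fail to connect over the socket — worth confirming, and `identMap` is defined without any `map=` reference that would use it. `127.0.0.1/24` matches 127.0.0.0–127.0.0.255 rather than just loopback's usual `/32`; harmless on loopback but probably not what was meant. Note the file is still commented out in flake.nix (`# ./pkgs/postgres.nix`), so none of this is live yet.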
@@ -1,71 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
- domain = "hexname.com";
-in
-{
- virtualisation.oci-containers.containers = {
- hexname-powerdns-postgres = {
- hostname = "pgsql";
- image = "postgres:18-alpine";
- # ports = [
- # "127.0.0.1:5432:5432"
- # ];
- volumes = [
- "/etc/localtime:/etc/localtime:ro"
- "pgsql:/var/lib/postgresql/data:Z"
- ];
- networks = [ "hexname-powerdns-net" ];
- environmentFiles = [ "/etc/env/hexname/postgres.env" ]; # POSTGRES_PASSWORD=...
- };
-
- hexname-powerdns = {
- image = "pschiffe/pdns-pgsql:latest";
- hostname = "ns1.${domain}";
- ports = [
- "127.0.0.2:53:53/tcp" # TODO: remove localhost
- "127.0.0.2:53:53/udp"
- "127.0.0.2:8081:8081/tcp"
- ];
- networks = [ "hexname-powerdns-net" ];
-
- volumes = [
- "/etc/localtime:/etc/localtime:ro"
- ];
-
- environmentFiles = [ "/etc/env/hexname/powerdns.env" ];
- environment = {
- PDNS_primary = "yes";
- PDNS_api = "yes";
- #PDNS_webserver = "yes";
- PDNS_webserver_address = "0.0.0.0";
- PDNS_webserver_port = "8081";
- PDNS_local_address = "0.0.0.0:53";
- PDNS_webserver_allow_from = "10.0.0.0/8";
- PDNS_version_string = "anonymous";
- PDNS_default_ttl = "1500";
- # PDNS_allow_axfr_ips = "172.5.0.21";
-
- # PDNS_gpgsql_password=...
- # PDNS_api_key=...
- };
- dependsOn = [ "hexname-powerdns-postgres" ];
- };
- };
-
- systemd.services.podman-network-hexname = {
- description = "Podman network for HexName/PowerDNS";
- after = [ "podman.service" ];
- wantedBy = [ "multi-user.target" "podman-hexname-powerdns.target" "podman-hexname-powerdns-postgres.target" ];
- serviceConfig.Type = "oneshot";
- path = [ pkgs.podman] ;
- script = ''
- podman network inspect hexname-powerdns-net >/dev/null 2>&1 || \
- podman network create hexname-powerdns-net
- '';
- };
-
- networking.firewall.allowedTCPPorts = [ 53 ];
- networking.firewall.allowedUDPPorts = [ 53 ];
-}
-
diff --git a/pkgs/powerdns.nix b/pkgs/powerdns.nix
index b558fc3..41b6ab7 100644
--- a/pkgs/powerdns.nix
+++ b/pkgs/powerdns.nix
@@ -1,25 +1,109 @@
-{ ... }:
+{ config, pkgs, lib, ... }:
 let
 domain = "hexname.com";
+ dbIp = "10.89.0.25";
+ pdnsIp = "10.89.0.53";
 in
 {
- services.powerdns = {
- enable = true
+ virtualisation.oci-containers.containers = {
+ hexname-postgres = {
+ hostname = "pgsql";
+ image = "postgres:18-alpine";
+ ports = [
+ "127.0.0.1:5432:5432"
+ ];
+ volumes = [
+ "pgsql:/var/lib/postgresql/data:Z"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ environment = {
+ POSTGRES_USER = "hexname-backend";
+ POSTGRES_PASSWORD = "EZQVObWjoEM7bldX2wu5oyJkgBIMfoU8OZZf";
+ };
+ networks = [ "hexname-net" ];
+ extraOptions = [
+ "--dns=10.89.0.1"
+ "--ip=${dbIp}"
+ ];
+ };
- # To hash the api-key, use:
- # $ pdnsutil hash-password
- extraConfig = ''
- api=true
- api-key=
- primary=yes
- webserver-address=127.0.0.1
- webserver-port=8081
- local-address=0.0.0.0:53
- webserver-allow-from=127.0.0.1/32
- version-string=anonymous
- default-ttl=1500
+ hexname-powerdns = {
+ image = "pschiffe/pdns-pgsql:latest";
+ hostname = "ns1.${domain}";
+ ports = [
+ "127.0.0.1:8081:8081/tcp"
+ ];
+ networks = [ "hexname-net" ];
+
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+
+ environmentFiles = [ "/etc/env/hexname/powerdns.env" ];
+ environment = {
+ # PDNS_primary = "yes";
+ PDNS_api = "yes";
+ PDNS_disable_axfr = "yes";
+ #PDNS_webserver = "yes";
+ PDNS_webserver_address = "0.0.0.0";
+ PDNS_webserver_port = "8081";
+ PDNS_local_address = "${pdnsIp}:53";
+ PDNS_webserver_allow_from = "10.89.0.0/24";
+ PDNS_version_string = "anonymous";
+ PDNS_default_ttl = "3600";
+
+ # PDNS_gpgsql_password=...
+ # PDNS_api_key=...
+
+ # PDNS_gpgsql_host = "127.0.0.1";
+ # PDNS_gpgsql_port = "5432";
+ # PDNS_gpgsql_dbname = "powerdns";
+ # PDNS_gpgsql_user = "postgres";
+ # PDNS_gpgsql_password = "powerdns";
+ };
+
+ extraOptions = [
+ # "--network=host"
+ "--ip=${pdnsIp}"
+ "--add-host=pgsql:${dbIp}"
+ ];
+ dependsOn = [ "hexname-postgres" ];
+ };
+ };
+
+ systemd.services.podman-network-hexname = {
+ description = "Podman network for HexName/PowerDNS";
+ after = [ "podman.service" ];
+ wantedBy = [ "multi-user.target" "podman-hexname-postgres.target" "podman-hexname-powerdns.target" ];
+ serviceConfig.Type = "oneshot";
+ path = [ pkgs.podman ] ;
+ script = ''
+ podman network inspect hexname-net >/dev/null 2>&1 || \
+ podman network create hexname-net --subnet 10.89.0.0/24
 '';
 };
+
+ # Bind port 53 and send all requests to the container
+ networking.nftables.enable = true;
+ networking.nftables.tables.dns = {
+ family = "inet";
+ content = ''
+ chain prerouting {
+ type nat hook prerouting priority -100;
+
+ udp dport 53 dnat ip to ${pdnsIp}:53
+ tcp dport 53 dnat ip to ${pdnsIp}:53
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ ip saddr 10.89.0.0/24 masquerade
+ }
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
 }
diff --git a/pkgs/virtualisation.nix b/pkgs/virtualisation.nix
index 07dadbd..8b82721 100644
--- a/pkgs/virtualisation.nix
+++ b/pkgs/virtualisation.nix
@@ -1,9 +1,15 @@
 { ... }:
 {
- # Auto-prune old containers
 virtualisation.podman = {
 enable = true;
+
+ # Disable netavark
+ # defaultNetwork.settings = {
+ # dns_enabled = false;
+ # };
+
+ # Auto-prune old containers
 autoPrune = {
 enable = true;
 flags = [ "--all" ];
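Review bot: `POSTGRES_PASSWORD` is written as a literal inside the `environment` block of `hexname-postgres`, so the database credential is committed to git, lands in the world-readable Nix store through the generated container start script, and is visible to anyone who can run `podman inspect` on the host. The deleted pkgs/powerdns-podman.nix already used the safer pattern and the sibling `hexname-powerdns` container in this same hunk still does: replace the inline `environment = { … };` with `environmentFiles = [ "/etc/env/hexname/postgres.env" ];` and keep `POSTGRES_USER`/`POSTGRES_PASSWORD` in that root-owned file; the value committed here should be treated as disclosed and rotated once it is moved. Less certain: `wantedBy` names `podman-hexname-postgres.target` and `podman-hexname-powerdns.target`, but oci-containers generates `podman-<name>.service` units, so the oneshot that creates `hexname-net` with the `10.89.0.0/24` subnet is probably not ordered before the containers that assign static `--ip` addresses on it; `before = [ "podman-hexname-postgres.service" "podman-hexname-powerdns.service" ];` together with a matching `requiredBy` would express that dependency.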