draft: postgres in container

pkgs/backend.nix

@@ -1,3 +1,34 @@
-{}:
+{ pkgs, hexname-backend, ... }:
 
+{
+  nixpkgs.overlays = [
+    (self: super: {
+      hexname-backend = hexname-backend.packages.${super.stdenv.hostPlatform.system}.default;
+    })
+  ];
+
+  users.groups.hexname = {};
+  users.users = {
+    hexname-backend = {
+      group = "hexname";
+      isSystemUser = true;
+      createHome = true;
+      home = "/var/lib/hexname/backend";
+    };
+  };
+
+  systemd.services.hexname-backend = {
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    environment = {
+      ENV_PATH = "/etc/env/hexname/backend.env";
+    };
+    serviceConfig = {
+      User = "hexname-backend";
+      Group = "hexname";
+      Type = "simple";
+      ExecStart = "${pkgs.hexname-backend}/bin/dns-backend";
+    };
+  };
+}
 

pkgs/extra.nix

@@ -13,6 +13,8 @@
 
   security.sudo.wheelNeedsPassword = false;
 
+  time.timeZone = "Europe/Berlin";
+
   # Select internationalisation properties.
   i18n.defaultLocale = "en_US.UTF-8";
   i18n.extraLocaleSettings = let

pkgs/postgres.nix

@@ -0,0 +1,32 @@
+{ lib, pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+
+    # settings = {
+    #   listen_addresses = lib.mkForce "127.0.0.1,10.89.0.10";
+    # };
+
+    # Allow root to log in as postgres in the DB (for the PowerDNS container)
+    identMap = ''
+      postgres root postgres
+    '';
+
+    authentication = lib.mkForce ''
+      # TYPE DATABASE        USER            ADDRESS       AUTH-METHOD   [auth-options]
+      host   hexname-backend hexname-backend 127.0.0.1/24  scram-sha-256
+      # host   all             powerdns-user   127.0.0.1/24  scram-sha-256
+      # local  all             root                          trust
+    '';
+
+    ensureUsers = [ { name = "hexname-backend"; } ];
+    # No need to define the DB since `diesel` creates everything
+
+    # This password is only the initial one - don't get too excited
+    initialScript = pkgs.writeText "set-initial-password-script" ''
+      alter user hexname-backend with password 'shuaze-gagyof';
+    '';
+  };
+}
+

pkgs/powerdns-podman.nix

@@ -1,71 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  domain = "hexname.com";
-in
-{
-  virtualisation.oci-containers.containers = {
-    hexname-powerdns-postgres = {
-      hostname = "pgsql";
-      image = "postgres:18-alpine";
-      # ports = [
-      #   "127.0.0.1:5432:5432"
-      # ];
-      volumes = [
-        "/etc/localtime:/etc/localtime:ro"
-        "pgsql:/var/lib/postgresql/data:Z"
-      ];
-      networks = [ "hexname-powerdns-net" ];
-      environmentFiles = [ "/etc/env/hexname/postgres.env" ]; # POSTGRES_PASSWORD=...
-    };
-
-    hexname-powerdns = {
-      image = "pschiffe/pdns-pgsql:latest";
-      hostname = "ns1.${domain}";
-      ports = [
-        "127.0.0.2:53:53/tcp" # TODO: remove localhost
-        "127.0.0.2:53:53/udp"
-        "127.0.0.2:8081:8081/tcp"
-      ];
-      networks = [ "hexname-powerdns-net" ];
-
-      volumes = [
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-
-      environmentFiles = [ "/etc/env/hexname/powerdns.env" ];
-      environment = {
-        PDNS_primary = "yes";
-        PDNS_api = "yes";
-        #PDNS_webserver = "yes";
-        PDNS_webserver_address = "0.0.0.0";
-        PDNS_webserver_port = "8081";
-        PDNS_local_address = "0.0.0.0:53";
-        PDNS_webserver_allow_from = "10.0.0.0/8";
-        PDNS_version_string = "anonymous";
-        PDNS_default_ttl = "1500";
-        # PDNS_allow_axfr_ips = "172.5.0.21";
-
-        # PDNS_gpgsql_password=...
-        # PDNS_api_key=...
-      };
-      dependsOn = [ "hexname-powerdns-postgres" ];
-    };
-  };
-
-  systemd.services.podman-network-hexname = {
-    description = "Podman network for HexName/PowerDNS";
-    after = [ "podman.service" ];
-    wantedBy = [ "multi-user.target" "podman-hexname-powerdns.target" "podman-hexname-powerdns-postgres.target" ];
-    serviceConfig.Type = "oneshot";
-    path = [ pkgs.podman] ;
-    script = ''
-      podman network inspect hexname-powerdns-net >/dev/null 2>&1 || \
-        podman network create hexname-powerdns-net
-    '';
-  };
-
-  networking.firewall.allowedTCPPorts = [ 53 ];
-  networking.firewall.allowedUDPPorts = [ 53 ];
-}
-

pkgs/powerdns.nix

@@ -1,25 +1,109 @@
-{ ... }:
+{ config, pkgs, lib, ... }:
 
 let
   domain = "hexname.com";
+  dbIp = "10.89.0.25";
+  pdnsIp = "10.89.0.53";
 in
 {
-  services.powerdns = {
-    enable = true
+  virtualisation.oci-containers.containers = {
+    hexname-postgres = {
+      hostname = "pgsql";
+      image = "postgres:18-alpine";
+      ports = [
+        "127.0.0.1:5432:5432"
+      ];
+      volumes = [
+        "pgsql:/var/lib/postgresql/data:Z"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      environment = {
+        POSTGRES_USER = "hexname-backend";
+        POSTGRES_PASSWORD = "EZQVObWjoEM7bldX2wu5oyJkgBIMfoU8OZZf";
+      };
+      networks = [ "hexname-net" ];
+      extraOptions = [
+        "--dns=10.89.0.1"
+        "--ip=${dbIp}"
+      ];
+    };
 
-    # To hash the api-key, use:
-    # $ pdnsutil hash-password
-    extraConfig = ''
-      api=true
-      api-key=
-      primary=yes
-      webserver-address=127.0.0.1
-      webserver-port=8081
-      local-address=0.0.0.0:53
-      webserver-allow-from=127.0.0.1/32
-      version-string=anonymous
-      default-ttl=1500
+    hexname-powerdns = {
+      image = "pschiffe/pdns-pgsql:latest";
+      hostname = "ns1.${domain}";
+      ports = [
+        "127.0.0.1:8081:8081/tcp"
+      ];
+      networks = [ "hexname-net" ];
+
+      volumes = [
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+
+      environmentFiles = [ "/etc/env/hexname/powerdns.env" ];
+      environment = {
+        # PDNS_primary = "yes";
+        PDNS_api = "yes";
+        PDNS_disable_axfr = "yes";
+        #PDNS_webserver = "yes";
+        PDNS_webserver_address = "0.0.0.0";
+        PDNS_webserver_port = "8081";
+        PDNS_local_address = "${pdnsIp}:53";
+        PDNS_webserver_allow_from = "10.89.0.0/24";
+        PDNS_version_string = "anonymous";
+        PDNS_default_ttl = "3600";
+
+        # PDNS_gpgsql_password=...
+        # PDNS_api_key=...
+
+        # PDNS_gpgsql_host = "127.0.0.1";
+        # PDNS_gpgsql_port = "5432";
+        # PDNS_gpgsql_dbname = "powerdns";
+        # PDNS_gpgsql_user = "postgres";
+        # PDNS_gpgsql_password = "powerdns";
+      };
+
+      extraOptions = [
+        # "--network=host"
+        "--ip=${pdnsIp}"
+        "--add-host=pgsql:${dbIp}"
+      ];
+      dependsOn = [ "hexname-postgres" ];
+    };
+  };
+
+  systemd.services.podman-network-hexname = {
+    description = "Podman network for HexName/PowerDNS";
+    after = [ "podman.service" ];
+    wantedBy = [ "multi-user.target" "podman-hexname-postgres.target" "podman-hexname-powerdns.target" ];
+    serviceConfig.Type = "oneshot";
+    path = [ pkgs.podman ] ;
+    script = ''
+      podman network inspect hexname-net >/dev/null 2>&1 || \
+        podman network create hexname-net --subnet 10.89.0.0/24
     '';
   };
+
+  # Bind port 53 and send all requests to the container
+  networking.nftables.enable = true;
+  networking.nftables.tables.dns = {
+    family = "inet";
+    content = ''
+      chain prerouting {
+        type nat hook prerouting priority -100;
+
+        udp dport 53 dnat ip to ${pdnsIp}:53
+        tcp dport 53 dnat ip to ${pdnsIp}:53
+      }
+
+      chain postrouting {
+        type nat hook postrouting priority 100;
+        ip saddr 10.89.0.0/24 masquerade
+      }
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
 }
 

pkgs/virtualisation.nix

@@ -1,9 +1,15 @@
 { ... }:
 
 {
-  # Auto-prune old containers
   virtualisation.podman = {
     enable = true;
+
+    # Disable netavark
+    # defaultNetwork.settings = {
+    #   dns_enabled = false;
+    # };
+
+    # Auto-prune old containers
     autoPrune = {
       enable = true;
       flags = [ "--all" ];