draft: postgres in container

2026-01-26 22:16:26 +01:00 · 2026-01-26 22:16:26 +01:00 · f48059e37e
commit f48059e37e
parent 181e6f681e
9 changed files with 327 additions and 103 deletions
--- a/pkgs/powerdns.nix
+++ b/pkgs/powerdns.nix
@ -1,25 +1,109 @@
-{ ... }:
+{ config, pkgs, lib, ... }:

 let
  domain = "hexname.com";
+  dbIp = "10.89.0.25";
+  pdnsIp = "10.89.0.53";
 in
 {
-  services.powerdns = {
-    enable = true
+  virtualisation.oci-containers.containers = {
+    hexname-postgres = {
+      hostname = "pgsql";
+      image = "postgres:18-alpine";
+      ports = [
+        "127.0.0.1:5432:5432"
+      ];
+      volumes = [
+        "pgsql:/var/lib/postgresql/data:Z"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      environment = {
+        POSTGRES_USER = "hexname-backend";
+        POSTGRES_PASSWORD = "EZQVObWjoEM7bldX2wu5oyJkgBIMfoU8OZZf";
+      };
+      networks = [ "hexname-net" ];
+      extraOptions = [
+        "--dns=10.89.0.1"
+        "--ip=${dbIp}"
+      ];
+    };

-    # To hash the api-key, use:
-    # $ pdnsutil hash-password
-    extraConfig = ''
-      api=true
-      api-key=
-      primary=yes
-      webserver-address=127.0.0.1
-      webserver-port=8081
-      local-address=0.0.0.0:53
-      webserver-allow-from=127.0.0.1/32
-      version-string=anonymous
-      default-ttl=1500
+    hexname-powerdns = {
+      image = "pschiffe/pdns-pgsql:latest";
+      hostname = "ns1.${domain}";
+      ports = [
+        "127.0.0.1:8081:8081/tcp"
+      ];
+      networks = [ "hexname-net" ];
+
+      volumes = [
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+
+      environmentFiles = [ "/etc/env/hexname/powerdns.env" ];
+      environment = {
+        # PDNS_primary = "yes";
+        PDNS_api = "yes";
+        PDNS_disable_axfr = "yes";
+        #PDNS_webserver = "yes";
+        PDNS_webserver_address = "0.0.0.0";
+        PDNS_webserver_port = "8081";
+        PDNS_local_address = "${pdnsIp}:53";
+        PDNS_webserver_allow_from = "10.89.0.0/24";
+        PDNS_version_string = "anonymous";
+        PDNS_default_ttl = "3600";
+
+        # PDNS_gpgsql_password=...
+        # PDNS_api_key=...
+
+        # PDNS_gpgsql_host = "127.0.0.1";
+        # PDNS_gpgsql_port = "5432";
+        # PDNS_gpgsql_dbname = "powerdns";
+        # PDNS_gpgsql_user = "postgres";
+        # PDNS_gpgsql_password = "powerdns";
+      };
+
+      extraOptions = [
+        # "--network=host"
+        "--ip=${pdnsIp}"
+        "--add-host=pgsql:${dbIp}"
+      ];
+      dependsOn = [ "hexname-postgres" ];
+    };
+  };
+
+  systemd.services.podman-network-hexname = {
+    description = "Podman network for HexName/PowerDNS";
+    after = [ "podman.service" ];
+    wantedBy = [ "multi-user.target" "podman-hexname-postgres.target" "podman-hexname-powerdns.target" ];
+    serviceConfig.Type = "oneshot";
+    path = [ pkgs.podman ] ;
+    script = ''
+      podman network inspect hexname-net >/dev/null 2>&1 || \
+        podman network create hexname-net --subnet 10.89.0.0/24
    '';
  };
+
+  # Bind port 53 and send all requests to the container
+  networking.nftables.enable = true;
+  networking.nftables.tables.dns = {
+    family = "inet";
+    content = ''
+      chain prerouting {
+        type nat hook prerouting priority -100;
+
+        udp dport 53 dnat ip to ${pdnsIp}:53
+        tcp dport 53 dnat ip to ${pdnsIp}:53
+      }
+
+      chain postrouting {
+        type nat hook postrouting priority 100;
+        ip saddr 10.89.0.0/24 masquerade
+      }
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
 }