draft: postgres in container

configuration.nix

@@ -7,6 +7,10 @@
 
   networking.hostName = "hexname-ns1";
 
+  environment.systemPackages = with pkgs; [
+    hexname-backend
+  ];
+
   users.users = {
     luka = {
       isNormalUser = true;

flake.lock

@@ -1,28 +1,111 @@
 {
   "nodes": {
-    "nixpkgs": {
+    "fenix": {
+      "inputs": {
+        "nixpkgs": [
+          "hexname-backend",
+          "naersk",
+          "nixpkgs"
+        ],
+        "rust-analyzer-src": "rust-analyzer-src"
+      },
       "locked": {
-        "lastModified": 1768564909,
+        "lastModified": 1752475459,
-        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
+        "narHash": "sha256-z6QEu4ZFuHiqdOPbYss4/Q8B0BFhacR8ts6jO/F/aOU=",
-        "owner": "nixos",
+        "owner": "nix-community",
-        "repo": "nixpkgs",
+        "repo": "fenix",
-        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
+        "rev": "bf0d6f70f4c9a9cf8845f992105652173f4b617f",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
+        "owner": "nix-community",
-        "ref": "nixos-unstable",
+        "repo": "fenix",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "hexname-backend": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1769444495,
+        "narHash": "sha256-8dC6d0XedjH+3YIxUb9PMzr1WhHzwxi5tsFLTkM0bss=",
+        "ref": "refs/heads/main",
+        "rev": "5be98605494183210469cf5ad3be211dd0e3f18e",
+        "revCount": 20,
+        "type": "git",
+        "url": "ssh://forgejo@git.lukadeka.com:6968/LukaDeka/HexName-Backend.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://forgejo@git.lukadeka.com:6968/LukaDeka/HexName-Backend.git"
+      }
+    },
+    "naersk": {
+      "inputs": {
+        "fenix": "fenix",
+        "nixpkgs": [
+          "hexname-backend",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768908532,
+        "narHash": "sha256-HIdLXEFaUVE8FiaCPJbCfBMsnF+mVtDub8Jwj2BD+mk=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "8d97452673640eb7fabe428e8b6a425bc355008b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1769330179,
+        "narHash": "sha256-yxgb4AmkVHY5OOBrC79Vv6EVd4QZEotqv+6jcvA212M=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "48698d12cc10555a4f3e3222d9c669b884a49dfe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1768621446,
+        "lastModified": 1769318308,
-        "narHash": "sha256-6YwHV1cjv6arXdF/PQc365h1j+Qje3Pydk501Rm4Q+4=",
+        "narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "72ac591e737060deab2b86d6952babd1f896d7c5",
+        "rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c",
         "type": "github"
       },
       "original": {
@@ -32,11 +115,60 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1769170682,
+        "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "c5296fdd05cfa2c187990dd909864da9658df755",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs",
+        "hexname-backend": "hexname-backend",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-stable": "nixpkgs-stable"
       }
+    },
+    "rust-analyzer-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1752428706,
+        "narHash": "sha256-EJcdxw3aXfP8Ex1Nm3s0awyH9egQvB2Gu+QEnJn2Sfg=",
+        "owner": "rust-lang",
+        "repo": "rust-analyzer",
+        "rev": "591e3b7624be97e4443ea7b5542c191311aa141d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rust-lang",
+        "ref": "nightly",
+        "repo": "rust-analyzer",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -4,13 +4,15 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
+
+    hexname-backend.url = "git+ssh://forgejo@git.lukadeka.com:6968/LukaDeka/HexName-Backend.git";
   };
 
-  outputs = { nixpkgs, nixpkgs-stable, ... } @ inputs: {
+  outputs = { nixpkgs, nixpkgs-stable, hexname-backend, ... } @ inputs: {
     nixosConfigurations = {
       hexname-ns1 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
+        specialArgs = { inherit inputs; inherit hexname-backend; };
         modules = [
           ######## Boilerplate ########
           ./configuration.nix
@@ -19,7 +21,9 @@
           ./pkgs/extra.nix
 
           ######## HexName configuration ########
-          #./pkgs/hexname/powerdns-podman.nix
+          ./pkgs/powerdns.nix
+          ./pkgs/backend.nix
+          # ./pkgs/postgres.nix
 
           ######## Networking ########
           ./pkgs/server-ssh.nix

pkgs/backend.nix

@@ -1,3 +1,34 @@
-{}:
+{ pkgs, hexname-backend, ... }:
 
+{
+  nixpkgs.overlays = [
+    (self: super: {
+      hexname-backend = hexname-backend.packages.${super.stdenv.hostPlatform.system}.default;
+    })
+  ];
+
+  users.groups.hexname = {};
+  users.users = {
+    hexname-backend = {
+      group = "hexname";
+      isSystemUser = true;
+      createHome = true;
+      home = "/var/lib/hexname/backend";
+    };
+  };
+
+  systemd.services.hexname-backend = {
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    environment = {
+      ENV_PATH = "/etc/env/hexname/backend.env";
+    };
+    serviceConfig = {
+      User = "hexname-backend";
+      Group = "hexname";
+      Type = "simple";
+      ExecStart = "${pkgs.hexname-backend}/bin/dns-backend";
+    };
+  };
+}
 

pkgs/extra.nix

@@ -13,6 +13,8 @@
 
   security.sudo.wheelNeedsPassword = false;
 
+  time.timeZone = "Europe/Berlin";
+
   # Select internationalisation properties.
   i18n.defaultLocale = "en_US.UTF-8";
   i18n.extraLocaleSettings = let

pkgs/postgres.nix

@@ -0,0 +1,32 @@
+{ lib, pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+
+    # settings = {
+    #   listen_addresses = lib.mkForce "127.0.0.1,10.89.0.10";
+    # };
+
+    # Allow root to log in as postgres in the DB (for the PowerDNS container)
+    identMap = ''
+      postgres root postgres
+    '';
+
+    authentication = lib.mkForce ''
+      # TYPE DATABASE        USER            ADDRESS       AUTH-METHOD   [auth-options]
+      host   hexname-backend hexname-backend 127.0.0.1/24  scram-sha-256
+      # host   all             powerdns-user   127.0.0.1/24  scram-sha-256
+      # local  all             root                          trust
+    '';
+
+    ensureUsers = [ { name = "hexname-backend"; } ];
+    # No need to define the DB since `diesel` creates everything
+
+    # This password is only the initial one - don't get too excited
+    initialScript = pkgs.writeText "set-initial-password-script" ''
+      alter user hexname-backend with password 'shuaze-gagyof';
+    '';
+  };
+}
+

pkgs/powerdns-podman.nix

@@ -1,71 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  domain = "hexname.com";
-in
-{
-  virtualisation.oci-containers.containers = {
-    hexname-powerdns-postgres = {
-      hostname = "pgsql";
-      image = "postgres:18-alpine";
-      # ports = [
-      #   "127.0.0.1:5432:5432"
-      # ];
-      volumes = [
-        "/etc/localtime:/etc/localtime:ro"
-        "pgsql:/var/lib/postgresql/data:Z"
-      ];
-      networks = [ "hexname-powerdns-net" ];
-      environmentFiles = [ "/etc/env/hexname/postgres.env" ]; # POSTGRES_PASSWORD=...
-    };
-
-    hexname-powerdns = {
-      image = "pschiffe/pdns-pgsql:latest";
-      hostname = "ns1.${domain}";
-      ports = [
-        "127.0.0.2:53:53/tcp" # TODO: remove localhost
-        "127.0.0.2:53:53/udp"
-        "127.0.0.2:8081:8081/tcp"
-      ];
-      networks = [ "hexname-powerdns-net" ];
-
-      volumes = [
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-
-      environmentFiles = [ "/etc/env/hexname/powerdns.env" ];
-      environment = {
-        PDNS_primary = "yes";
-        PDNS_api = "yes";
-        #PDNS_webserver = "yes";
-        PDNS_webserver_address = "0.0.0.0";
-        PDNS_webserver_port = "8081";
-        PDNS_local_address = "0.0.0.0:53";
-        PDNS_webserver_allow_from = "10.0.0.0/8";
-        PDNS_version_string = "anonymous";
-        PDNS_default_ttl = "1500";
-        # PDNS_allow_axfr_ips = "172.5.0.21";
-
-        # PDNS_gpgsql_password=...
-        # PDNS_api_key=...
-      };
-      dependsOn = [ "hexname-powerdns-postgres" ];
-    };
-  };
-
-  systemd.services.podman-network-hexname = {
-    description = "Podman network for HexName/PowerDNS";
-    after = [ "podman.service" ];
-    wantedBy = [ "multi-user.target" "podman-hexname-powerdns.target" "podman-hexname-powerdns-postgres.target" ];
-    serviceConfig.Type = "oneshot";
-    path = [ pkgs.podman] ;
-    script = ''
-      podman network inspect hexname-powerdns-net >/dev/null 2>&1 || \
-        podman network create hexname-powerdns-net
-    '';
-  };
-
-  networking.firewall.allowedTCPPorts = [ 53 ];
-  networking.firewall.allowedUDPPorts = [ 53 ];
-}
-

pkgs/powerdns.nix

@@ -1,25 +1,109 @@
-{ ... }:
+{ config, pkgs, lib, ... }:
 
 let
   domain = "hexname.com";
+  dbIp = "10.89.0.25";
+  pdnsIp = "10.89.0.53";
 in
 {
-  services.powerdns = {
+  virtualisation.oci-containers.containers = {
-    enable = true
+    hexname-postgres = {
+      hostname = "pgsql";
+      image = "postgres:18-alpine";
+      ports = [
+        "127.0.0.1:5432:5432"
+      ];
+      volumes = [
+        "pgsql:/var/lib/postgresql/data:Z"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      environment = {
+        POSTGRES_USER = "hexname-backend";
+        POSTGRES_PASSWORD = "EZQVObWjoEM7bldX2wu5oyJkgBIMfoU8OZZf";
+      };
+      networks = [ "hexname-net" ];
+      extraOptions = [
+        "--dns=10.89.0.1"
+        "--ip=${dbIp}"
+      ];
+    };
 
-    # To hash the api-key, use:
+    hexname-powerdns = {
-    # $ pdnsutil hash-password
+      image = "pschiffe/pdns-pgsql:latest";
-    extraConfig = ''
+      hostname = "ns1.${domain}";
-      api=true
+      ports = [
-      api-key=
+        "127.0.0.1:8081:8081/tcp"
-      primary=yes
+      ];
-      webserver-address=127.0.0.1
+      networks = [ "hexname-net" ];
-      webserver-port=8081
+
-      local-address=0.0.0.0:53
+      volumes = [
-      webserver-allow-from=127.0.0.1/32
+        "/etc/localtime:/etc/localtime:ro"
-      version-string=anonymous
+      ];
-      default-ttl=1500
+
+      environmentFiles = [ "/etc/env/hexname/powerdns.env" ];
+      environment = {
+        # PDNS_primary = "yes";
+        PDNS_api = "yes";
+        PDNS_disable_axfr = "yes";
+        #PDNS_webserver = "yes";
+        PDNS_webserver_address = "0.0.0.0";
+        PDNS_webserver_port = "8081";
+        PDNS_local_address = "${pdnsIp}:53";
+        PDNS_webserver_allow_from = "10.89.0.0/24";
+        PDNS_version_string = "anonymous";
+        PDNS_default_ttl = "3600";
+
+        # PDNS_gpgsql_password=...
+        # PDNS_api_key=...
+
+        # PDNS_gpgsql_host = "127.0.0.1";
+        # PDNS_gpgsql_port = "5432";
+        # PDNS_gpgsql_dbname = "powerdns";
+        # PDNS_gpgsql_user = "postgres";
+        # PDNS_gpgsql_password = "powerdns";
+      };
+
+      extraOptions = [
+        # "--network=host"
+        "--ip=${pdnsIp}"
+        "--add-host=pgsql:${dbIp}"
+      ];
+      dependsOn = [ "hexname-postgres" ];
+    };
+  };
+
+  systemd.services.podman-network-hexname = {
+    description = "Podman network for HexName/PowerDNS";
+    after = [ "podman.service" ];
+    wantedBy = [ "multi-user.target" "podman-hexname-postgres.target" "podman-hexname-powerdns.target" ];
+    serviceConfig.Type = "oneshot";
+    path = [ pkgs.podman ] ;
+    script = ''
+      podman network inspect hexname-net >/dev/null 2>&1 || \
+        podman network create hexname-net --subnet 10.89.0.0/24
     '';
   };
+
+  # Bind port 53 and send all requests to the container
+  networking.nftables.enable = true;
+  networking.nftables.tables.dns = {
+    family = "inet";
+    content = ''
+      chain prerouting {
+        type nat hook prerouting priority -100;
+
+        udp dport 53 dnat ip to ${pdnsIp}:53
+        tcp dport 53 dnat ip to ${pdnsIp}:53
+      }
+
+      chain postrouting {
+        type nat hook postrouting priority 100;
+        ip saddr 10.89.0.0/24 masquerade
+      }
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
 }
 

pkgs/virtualisation.nix

@@ -1,9 +1,15 @@
 { ... }:
 
 {
-  # Auto-prune old containers
   virtualisation.podman = {
     enable = true;
+
+    # Disable netavark
+    # defaultNetwork.settings = {
+    #   dns_enabled = false;
+    # };
+
+    # Auto-prune old containers
     autoPrune = {
       enable = true;
       flags = [ "--all" ];