pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / web-apps / powerdns-admin.nix
at 25.11-pre 5.5 kB view raw
1{ 2 config, 3 lib, 4 pkgs, 5 ... 6}: 7 8with lib; 9 10let 11 cfg = config.services.powerdns-admin; 12 13 configText = 14 '' 15 ${cfg.config} 16 '' 17 + optionalString (cfg.secretKeyFile != null) '' 18 with open('${cfg.secretKeyFile}') as file: 19 SECRET_KEY = file.read() 20 '' 21 + optionalString (cfg.saltFile != null) '' 22 with open('${cfg.saltFile}') as file: 23 SALT = file.read() 24 ''; 25in 26{ 27 options.services.powerdns-admin = { 28 enable = mkEnableOption "the PowerDNS web interface"; 29 30 extraArgs = mkOption { 31 type = types.listOf types.str; 32 default = [ ]; 33 example = literalExpression '' 34 [ "-b" "127.0.0.1:8000" ] 35 ''; 36 description = '' 37 Extra arguments passed to powerdns-admin. 38 ''; 39 }; 40 41 config = mkOption { 42 type = types.str; 43 default = ""; 44 example = '' 45 import cachelib 46 47 BIND_ADDRESS = '127.0.0.1' 48 PORT = 8000 49 SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql' 50 SESSION_TYPE = 'cachelib' 51 SESSION_CACHELIB = cachelib.simple.SimpleCache() 52 ''; 53 description = '' 54 Configuration python file. 55 See [the example configuration](https://github.com/ngoduykhanh/PowerDNS-Admin/blob/v${pkgs.powerdns-admin.version}/configs/development.py) 56 for options. 57 Also see [Flask Session configuration](https://flask-session.readthedocs.io/en/latest/config.html#SESSION_TYPE) 58 as the version shipped with NixOS is more recent than the one PowerDNS-Admin expects 59 and it requires explicit configuration. 60 ''; 61 }; 62 63 secretKeyFile = mkOption { 64 type = types.nullOr types.path; 65 example = "/etc/powerdns-admin/secret"; 66 description = '' 67 The secret used to create cookies. 68 This needs to be set, otherwise the default is used and everyone can forge valid login cookies. 69 Set this to null to ignore this setting and configure it through another way. 70 ''; 71 }; 72 73 saltFile = mkOption { 74 type = types.nullOr types.path; 75 example = "/etc/powerdns-admin/salt"; 76 description = '' 77 The salt used for serialization. 78 This should be set, otherwise the default is used. 79 Set this to null to ignore this setting and configure it through another way. 80 ''; 81 }; 82 }; 83 84 config = mkIf cfg.enable { 85 systemd.services.powerdns-admin = { 86 description = "PowerDNS web interface"; 87 wantedBy = [ "multi-user.target" ]; 88 after = [ "networking.target" ]; 89 90 environment.FLASK_CONF = builtins.toFile "powerdns-admin-config.py" configText; 91 environment.PYTHONPATH = pkgs.powerdns-admin.pythonPath; 92 serviceConfig = { 93 ExecStart = "${pkgs.powerdns-admin}/bin/powerdns-admin --pid /run/powerdns-admin/pid ${escapeShellArgs cfg.extraArgs}"; 94 # Set environment variables only for starting flask database upgrade 95 ExecStartPre = "${pkgs.coreutils}/bin/env FLASK_APP=${pkgs.powerdns-admin}/share/powerdnsadmin/__init__.py ${pkgs.python3Packages.flask}/bin/flask db upgrade -d ${pkgs.powerdns-admin}/share/migrations"; 96 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; 97 ExecStop = "${pkgs.coreutils}/bin/kill -TERM $MAINPID"; 98 PIDFile = "/run/powerdns-admin/pid"; 99 RuntimeDirectory = "powerdns-admin"; 100 User = "powerdnsadmin"; 101 Group = "powerdnsadmin"; 102 103 BindReadOnlyPaths = 104 [ 105 "/nix/store" 106 "-/etc/resolv.conf" 107 "-/etc/nsswitch.conf" 108 "-/etc/hosts" 109 "-/etc/localtime" 110 ] 111 ++ (optional (cfg.secretKeyFile != null) cfg.secretKeyFile) 112 ++ (optional (cfg.saltFile != null) cfg.saltFile); 113 # ProtectClock= adds DeviceAllow=char-rtc r 114 DeviceAllow = ""; 115 # Implies ProtectSystem=strict, which re-mounts all paths 116 #DynamicUser = true; 117 LockPersonality = true; 118 MemoryDenyWriteExecute = true; 119 NoNewPrivileges = true; 120 PrivateDevices = true; 121 PrivateMounts = true; 122 # Needs to start a server 123 #PrivateNetwork = true; 124 PrivateTmp = true; 125 PrivateUsers = true; 126 ProcSubset = "pid"; 127 ProtectClock = true; 128 ProtectHome = true; 129 ProtectHostname = true; 130 # Would re-mount paths ignored by temporary root 131 #ProtectSystem = "strict"; 132 ProtectControlGroups = true; 133 ProtectKernelLogs = true; 134 ProtectKernelModules = true; 135 ProtectKernelTunables = true; 136 ProtectProc = "invisible"; 137 RestrictAddressFamilies = [ 138 "AF_INET" 139 "AF_INET6" 140 "AF_UNIX" 141 ]; 142 RestrictNamespaces = true; 143 RestrictRealtime = true; 144 RestrictSUIDSGID = true; 145 SystemCallArchitectures = "native"; 146 # gunicorn needs setuid 147 SystemCallFilter = [ 148 "@system-service" 149 "~@privileged @resources @keyring" 150 # These got removed by the line above but are needed 151 "@setuid @chown" 152 ]; 153 TemporaryFileSystem = "/:ro"; 154 # Does not work well with the temporary root 155 #UMask = "0066"; 156 }; 157 }; 158 159 users.groups.powerdnsadmin = { }; 160 users.users.powerdnsadmin = { 161 description = "PowerDNS web interface user"; 162 isSystemUser = true; 163 group = "powerdnsadmin"; 164 }; 165 }; 166 167 # uses attributes of the linked package 168 meta.buildDocsInSandbox = false; 169}