webnsupdate/module.nix

169 lines
5 KiB
Nix
Raw Normal View History

2024-05-03 20:29:10 +02:00
{
lib,
pkgs,
config,
...
}: let
cfg = config.services.webnsupdate;
inherit (lib) mkOption mkEnableOption types;
in {
options.services.webnsupdate = mkOption {
description = "An HTTP server for nsupdate.";
default = {};
type = types.submodule {
options = {
enable = mkEnableOption "webnsupdate";
extraArgs = mkOption {
description = ''
Extra arguments to be passed to the webnsupdate server command.
'';
type = types.listOf types.str;
default = [];
example = ["--ip-source"];
};
2024-05-03 20:29:10 +02:00
bindIp = mkOption {
description = ''
IP address to bind to.
Setting it to anything other than localhost is very insecure as
`webnsupdate` only supports plain HTTP and should always be behind a
reverse proxy.
'';
type = types.str;
default = "localhost";
example = "0.0.0.0";
};
bindPort = mkOption {
description = "Port to bind to.";
type = types.port;
default = 5353;
};
passwordFile = mkOption {
description = ''
The file where the password is stored.
This file can be created by running `webnsupdate mkpasswd $USERNAME $PASSWORD`.
'';
type = types.path;
example = "/secrets/webnsupdate.pass";
};
keyFile = mkOption {
description = ''
The TSIG key that `nsupdate` should use.
This file will be passed to `nsupdate` through the `-k` option, so look
at `man 8 nsupdate` for information on the key's format.
'';
type = types.path;
example = "/secrets/webnsupdate.key";
};
ttl = mkOption {
description = "The TTL that should be set on the zone records created by `nsupdate`.";
type = types.ints.positive;
default = 60;
example = 3600;
};
records = mkOption {
description = ''
The fqdn of records that should be updated.
Empty lines will be ignored, but whitespace will not be.
'';
type = types.nullOr types.lines;
default = null;
example = ''
example.com.
example.org.
ci.example.org.
'';
};
recordsFile = mkOption {
description = ''
The fqdn of records that should be updated.
Empty lines will be ignored, but whitespace will not be.
'';
type = types.nullOr types.path;
default = null;
example = "/secrets/webnsupdate.records";
};
user = mkOption {
description = "The user to run as.";
type = types.str;
default = "named";
};
group = mkOption {
description = "The group to run as.";
type = types.str;
default = "named";
};
};
};
};
config = let
recordsFile =
if cfg.recordsFile != null
then cfg.recordsFile
else pkgs.writeText "webnsrecords" cfg.records;
2024-05-08 21:37:19 +02:00
args = lib.strings.escapeShellArgs [
"--records"
recordsFile
"--key-file"
cfg.keyFile
"--password-file"
cfg.passwordFile
"--address"
cfg.bindIp
"--port"
(builtins.toString cfg.bindPort)
"--ttl"
(builtins.toString cfg.ttl)
] ++ cfg.extraArgs;
2024-05-08 21:37:19 +02:00
cmd = "${lib.getExe pkgs.webnsupdate} ${args}";
2024-05-03 20:29:10 +02:00
in
lib.mkIf cfg.enable {
2024-05-08 21:37:19 +02:00
# warnings =
# lib.optional (!config.services.bind.enable) "`webnsupdate` is expected to be used alongside `bind`. This is an unsopported configuration.";
2024-05-03 20:29:10 +02:00
assertions = [
{
assertion = (cfg.records != null || cfg.recordsFile != null) && !(cfg.records != null && cfg.recordsFile != null);
message = "Exactly one of `services.webnsupdate.records` and `services.webnsupdate.recordsFile` must be set.";
}
];
systemd.services.webnsupdate = {
description = "Web interface for nsupdate.";
wantedBy = ["multi-user.target"];
after = ["network.target" "bind.service"];
preStart = "${cmd} verify";
path = [pkgs.dig];
2024-05-03 20:29:10 +02:00
startLimitIntervalSec = 60;
serviceConfig = {
2024-05-08 21:37:19 +02:00
ExecStart = [cmd];
Type = "exec";
Restart = "on-failure";
2024-05-03 20:29:10 +02:00
RestartSec = "10s";
# User and group
User = cfg.user;
Group = cfg.group;
# Runtime directory and mode
2024-05-08 21:37:19 +02:00
RuntimeDirectory = "webnsupdate";
2024-05-03 20:29:10 +02:00
RuntimeDirectoryMode = "0750";
# Cache directory and mode
CacheDirectory = "webnsupdate";
CacheDirectoryMode = "0750";
# Logs directory and mode
LogsDirectory = "webnsupdate";
LogsDirectoryMode = "0750";
# New file permissions
UMask = "0027";
# Security
NoNewPrivileges = true;
2024-05-08 21:37:19 +02:00
ProtectHome = true;
2024-05-03 20:29:10 +02:00
};
};
};
}