diff options
Diffstat (limited to 'nixos/modules/services/web-apps/powerdns-admin.nix')
-rw-r--r-- | nixos/modules/services/web-apps/powerdns-admin.nix | 153 |
1 files changed, 0 insertions, 153 deletions
diff --git a/nixos/modules/services/web-apps/powerdns-admin.nix b/nixos/modules/services/web-apps/powerdns-admin.nix deleted file mode 100644 index d64c468a9cb5..000000000000 --- a/nixos/modules/services/web-apps/powerdns-admin.nix +++ /dev/null @@ -1,153 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.powerdns-admin; - - configText = '' - ${cfg.config} - '' - + optionalString (cfg.secretKeyFile != null) '' - with open('${cfg.secretKeyFile}') as file: - SECRET_KEY = file.read() - '' - + optionalString (cfg.saltFile != null) '' - with open('${cfg.saltFile}') as file: - SALT = file.read() - ''; -in -{ - options.services.powerdns-admin = { - enable = mkEnableOption "the PowerDNS web interface"; - - extraArgs = mkOption { - type = types.listOf types.str; - default = [ ]; - example = literalExpression '' - [ "-b" "127.0.0.1:8000" ] - ''; - description = '' - Extra arguments passed to powerdns-admin. - ''; - }; - - config = mkOption { - type = types.str; - default = ""; - example = '' - BIND_ADDRESS = '127.0.0.1' - PORT = 8000 - SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql' - ''; - description = '' - Configuration python file. - See [the example configuration](https://github.com/ngoduykhanh/PowerDNS-Admin/blob/v${pkgs.powerdns-admin.version}/configs/development.py) - for options. - ''; - }; - - secretKeyFile = mkOption { - type = types.nullOr types.path; - example = "/etc/powerdns-admin/secret"; - description = '' - The secret used to create cookies. - This needs to be set, otherwise the default is used and everyone can forge valid login cookies. - Set this to null to ignore this setting and configure it through another way. - ''; - }; - - saltFile = mkOption { - type = types.nullOr types.path; - example = "/etc/powerdns-admin/salt"; - description = '' - The salt used for serialization. - This should be set, otherwise the default is used. - Set this to null to ignore this setting and configure it through another way. - ''; - }; - }; - - config = mkIf cfg.enable { - systemd.services.powerdns-admin = { - description = "PowerDNS web interface"; - wantedBy = [ "multi-user.target" ]; - after = [ "networking.target" ]; - - environment.FLASK_CONF = builtins.toFile "powerdns-admin-config.py" configText; - environment.PYTHONPATH = pkgs.powerdns-admin.pythonPath; - serviceConfig = { - ExecStart = "${pkgs.powerdns-admin}/bin/powerdns-admin --pid /run/powerdns-admin/pid ${escapeShellArgs cfg.extraArgs}"; - # Set environment variables only for starting flask database upgrade - ExecStartPre = "${pkgs.coreutils}/bin/env FLASK_APP=${pkgs.powerdns-admin}/share/powerdnsadmin/__init__.py SESSION_TYPE= ${pkgs.python3Packages.flask}/bin/flask db upgrade -d ${pkgs.powerdns-admin}/share/migrations"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - ExecStop = "${pkgs.coreutils}/bin/kill -TERM $MAINPID"; - PIDFile = "/run/powerdns-admin/pid"; - RuntimeDirectory = "powerdns-admin"; - User = "powerdnsadmin"; - Group = "powerdnsadmin"; - - AmbientCapabilities = "CAP_NET_BIND_SERVICE"; - BindReadOnlyPaths = [ - "/nix/store" - "-/etc/resolv.conf" - "-/etc/nsswitch.conf" - "-/etc/hosts" - "-/etc/localtime" - ] - ++ (optional (cfg.secretKeyFile != null) cfg.secretKeyFile) - ++ (optional (cfg.saltFile != null) cfg.saltFile); - CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; - # ProtectClock= adds DeviceAllow=char-rtc r - DeviceAllow = ""; - # Implies ProtectSystem=strict, which re-mounts all paths - #DynamicUser = true; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateMounts = true; - # Needs to start a server - #PrivateNetwork = true; - PrivateTmp = true; - PrivateUsers = true; - ProcSubset = "pid"; - ProtectClock = true; - ProtectHome = true; - ProtectHostname = true; - # Would re-mount paths ignored by temporary root - #ProtectSystem = "strict"; - ProtectControlGroups = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - # gunicorn needs setuid - SystemCallFilter = [ - "@system-service" - "~@privileged @resources @keyring" - # These got removed by the line above but are needed - "@setuid @chown" - ]; - TemporaryFileSystem = "/:ro"; - # Does not work well with the temporary root - #UMask = "0066"; - }; - }; - - users.groups.powerdnsadmin = { }; - users.users.powerdnsadmin = { - description = "PowerDNS web interface user"; - isSystemUser = true; - group = "powerdnsadmin"; - }; - }; - - # uses attributes of the linked package - meta.buildDocsInSandbox = false; -} |