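# NixOS module for the `bind` host: an authoritative DNS server whose zone
# files are pulled from the c3d2-admins/c3d2-dns Gitea repository by an
# unprivileged build user, re-deployed on a webhook (or hourly), and reported
# back to Gitea as a commit status.
{ hostRegistry, config, pkgs, ... }:

let
  systemctl = "${pkgs.systemd}/bin/systemctl";
  # The only two privileged actions the build user may run through sudo.
  # Both the sudoers rule and every caller use these exact strings, so the
  # allowed commands cannot drift apart.
  deployCommand = "${systemctl} start deploy-c3d2-dns";
  reloadCommand = "${systemctl} reload bind";

  # Account that owns the git checkout and runs the deploy/webhook services.
  dnsUser = config.users.users.c3d2-dns;
  # Gitea commit-status endpoint; the commit hash is appended at runtime.
  giteaStatusUrl = "https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses";
in
{
  c3d2 = {
    isInHq = false;
    hq.statistics.enable = true;
  };

  networking.hostName = "bind";
  networking.useNetworkd = true;
  networking.interfaces.eth0.ipv4.addresses = [{
    address = hostRegistry.hosts.${config.networking.hostName}.ip4;
    prefixLength = 26;
  }];
  networking.defaultGateway = "172.20.73.1";
  # 53: DNS. 80/443: nginx in front of the webhook (80 is needed for ACME).
  networking.firewall.allowedTCPPorts = [ 53 80 443 ];
  networking.firewall.allowedUDPPorts = [ 53 ];

  services.bind = {
    enable = true;
    # zones.conf comes straight from the git checkout, so anyone who can push
    # to the c3d2-dns repository controls the served zones and bind's config.
    extraConfig = ''
      include "${dnsUser.home}/c3d2-dns/zones.conf";
    '';
  };

  # Web server
  services.nginx = {
    enable = true;
    virtualHosts = {
      # hooks, logs
      "bind.serv.zentralwerk.org" = {
        default = true;
        enableACME = true;
        forceSSL = true;
        # Forwarded to the local webhook listener; see the trigger-rule note
        # on systemd.services.webhook below.
        locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
      };
    };
  };

  # Build user
  users.groups.c3d2-dns = {};
  users.users.c3d2-dns = {
    isSystemUser = true;
    group = "c3d2-dns";
    home = "/var/lib/c3d2-dns";
  };
  systemd.tmpfiles.rules = [
    "d ${dnsUser.home} 0755 c3d2-dns ${dnsUser.group} - -"
  ];

  # Build script: clone/pull the zone repository, rewrite paths, ask bind to
  # reload, and report the outcome to Gitea. Runs as c3d2-dns; the reload is
  # the only privileged step and goes through sudo.
  systemd.services.deploy-c3d2-dns =
    let
      inherit (pkgs.bind-secrets) giteaToken sshPrivkey;
    in {
      wantedBy = [ "multi-user.target" ];
      before = [ "bind.service" ];
      path = with pkgs; [ git nix curl ];
      script = ''
        mkdir -p .ssh
        # NOTE(review): builtins.toFile puts the private key into the
        # world-readable Nix store; the chmod below only protects this copy.
        # The same applies to giteaToken, which is embedded in this script.
        cp ${builtins.toFile "id_ed25519" sshPrivkey} .ssh/id_ed25519
        # Pin the Gitea host key so the clone/pull cannot be redirected.
        echo "gitea.c3d2.de ${hostRegistry.hosts.gitea.publicKey}" > .ssh/known_hosts
        chmod 0600 .ssh/id_ed25519

        # Report a commit status for $REV to Gitea.
        #   $1 = state (pending|success|failure), $2 = human description
        # The token travels in a header instead of the query string so it
        # is not written to access logs; it is still visible in this
        # process's argv on the host.
        report_status() {
          curl -X POST \
            -H "Authorization: token ${giteaToken}" \
            -H "accept: application/json" \
            -H "Content-Type: application/json" \
            -d "{ \"context\": \"c3d2-dns\", \"description\": \"$2\", \"state\": \"$1\"}" \
            "${giteaStatusUrl}/$REV"
        }

        # Build at least once
        touch deploy-pending
        [ -d c3d2-dns ] || git clone --depth=1 gitea@gitea.c3d2.de:c3d2-admins/c3d2-dns.git
        cd c3d2-dns

        # Loop in case the webhook was called while we were building.
        # deploy-pending is removed before pulling, so a webhook arriving
        # mid-build re-creates it and causes one more iteration.
        while [ -e ../deploy-pending ]; do
          rm ../deploy-pending
          git checkout .
          git pull
          REV=$(git rev-parse HEAD)

          # Status reporting and the reload are best-effort: a failed reload
          # is reported to Gitea rather than aborting the service.
          set +e
          report_status pending "reloading..."

          # The repository's config files reference the upstream checkout
          # location; point them at our own home directory instead.
          for f in *.conf ; do
            sed -e 's#/home/git/#${dnsUser.home}/#g' -i "$f"
          done

          # Same absolute command as the sudoers rule below.
          /run/wrappers/bin/sudo ${reloadCommand}
          if [ $? = 0 ]; then
            report_status success "deployed"
          else
            report_status failure "build failure"
          fi
          set -e
        done
      '';
      serviceConfig = {
        User = "c3d2-dns";
        Group = dnsUser.group;
        PrivateTmp = true;
        ProtectSystem = "full";
        # NOTE(review): with ProtectSystem = "full" /var/lib is writable
        # anyway, so ReadWritePaths only becomes meaningful if this is
        # tightened to "strict" — verify sudo/git still work before doing so.
        ReadWritePaths = dnsUser.home;
        WorkingDirectory = dnsUser.home;
      };
    };

  # Periodic rebuild in case a webhook was missed.
  systemd.timers.deploy-c3d2-dns = {
    partOf = [ "deploy-c3d2-dns.service" ];
    wantedBy = [ "timers.target" ];
    timerConfig.OnCalendar = "hourly";
  };

  # Least privilege: c3d2-dns may only start the deploy unit and reload bind.
  security.sudo.extraRules = [
    {
      users = [ "c3d2-dns" ];
      commands = [
        { command = deployCommand; options = [ "NOPASSWD" ]; }
        { command = reloadCommand; options = [ "NOPASSWD" ]; }
      ];
    }
  ];

  # Webhook receiver, reachable only through nginx on 127.0.0.1:9000.
  systemd.services.webhook =
    let
      hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [
        {
          # NOTE(review): no trigger-rule is configured, so any HTTPS request
          # to /hooks/deploy-c3d2-dns queues a deployment. The effect is
          # limited to an extra git pull + bind reload, but a trigger-rule
          # verifying the Gitea webhook signature would restrict who can
          # cause that.
          id = "deploy-c3d2-dns";
          execute-command = pkgs.writeShellScript "deploy-c3d2-dns" ''
            # Request (re-)deployment
            touch ${dnsUser.home}/deploy-pending
            # Start deploy-c3d2-dns.service if not already running
            exec /run/wrappers/bin/sudo ${deployCommand}
          '';
        }
      ]);
    in {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.webhook}/bin/webhook -hooks ${hooksJson} -verbose -ip 127.0.0.1";
        User = "c3d2-dns";
        Group = dnsUser.group;
        PrivateTmp = true;
        ProtectSystem = "full";
      };
    };
}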