PowerDNS and PowerDNS-Admin on seperate servers: PowerDNS-Admin service doesn't start

[SoepMetBalletjes]

Hi,

I have installed the PowerDNS-Admin on a different server than PowerDNS for various reasons. The setup is working fine after configuration and running ./run.py. I can login, create and edit zones, ... all it working as expected. The problem I have is making it available as a service via NGINX.

The NGINX config on itself is clear, but it is the part where I have to make it run as a service where I am lost. The various configuration guides specify something similar like:

/etc/systemd/system/pdnsadmin.service

[Unit]
Description=PowerDNS-Admin
Requires=pdnsadmin.socket
After=network.target

[Service]
PIDFile=/run/pdnsadmin/pid
User=pdns
Group=pdns
WorkingDirectory=/var/www/html/pdns
ExecStart=/var/www/html/pdns/flask/bin/gunicorn --pid /run/pdnsadmin/pid --bind unix:/run/pdnsadmin/socket 'powerdnsadmin:create_app()'
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

/etc/systemd/system/pdnsadmin.socket

[Unit]
Description=PowerDNS-Admin socket

[Socket]
ListenStream=/run/pdnsadmin/socket

[Install]
WantedBy=sockets.target

And this is the part where it goes wrong in my opinion due to the separate server config:
echo "d /run/pdnsadmin 0755 pdns pdns -" >> /etc/tmpfiles.d/pdnsadmin.conf
mkdir /run/pdnsadmin/
chown -R pdns: /run/pdnsadmin/
chown -R pdns: /var/www/html/pdns/powerdnsadmin/

As PowerDNS is on a separate server I don't have pdns. I have tried creating a user pdns, but this didn't work, which is not fully unexpected to be honest.

The error I get when starting the service PowerDNS-Admin is:
× pdnsadmin.service - PowerDNS-Admin
Loaded: loaded (/etc/systemd/system/pdnsadmin.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Mon 2023-12-25 17:00:39 CET; 51min ago
Duration: 506ms
TriggeredBy: ● pdnsadmin.socket
Process: 558 ExecStart=/var/www/html/pdns/flask/bin/gunicorn --pid /run/pdnsadmin/pid --bind unix:/run/pdnsadmin/socket powerdnsadmin:create_app() (code=exited, status=4)
Main PID: 558 (code=exited, status=4)
CPU: 350ms

Dec 25 17:00:39 dnsadmin gunicorn[558]: [2023-12-25 17:00:39 +0100] [558] [INFO] Starting gunicorn 20.1.0
Dec 25 17:00:39 dnsadmin gunicorn[558]: [2023-12-25 17:00:39 +0100] [558] [INFO] Listening at: unix:/run/pdnsadmin/socket (558)
Dec 25 17:00:39 dnsadmin gunicorn[558]: [2023-12-25 17:00:39 +0100] [558] [INFO] Using worker: sync
Dec 25 17:00:39 dnsadmin gunicorn[651]: [2023-12-25 17:00:39 +0100] [651] [INFO] Booting worker with pid: 651
Dec 25 17:00:39 dnsadmin gunicorn[651]: Failed to find attribute 'create_app' in 'powerdnsadmin'.
Dec 25 17:00:39 dnsadmin gunicorn[651]: [2023-12-25 17:00:39 +0100] [651] [INFO] Worker exiting (pid: 651)
Dec 25 17:00:39 dnsadmin gunicorn[558]: [2023-12-25 17:00:39 +0100] [558] [INFO] Shutting down: Master
Dec 25 17:00:39 dnsadmin gunicorn[558]: [2023-12-25 17:00:39 +0100] [558] [INFO] Reason: App failed to load.
Dec 25 17:00:39 dnsadmin systemd[1]: pdnsadmin.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 25 17:00:39 dnsadmin systemd[1]: pdnsadmin.service: Failed with result 'exit-code'.

How should I properly do this? I guess creating a user indeed. But what access does it require? How should I configure it?

[SoepMetBalletjes]

In the meanwhile I have found that it is related to the fact that my Python flask environment only installs as root and thus denies access for the system user "powerdnsadmin" that I created according to the manual/wiki:
sudo useradd --system -g powerdnsadmin powerdnsadmin
When I assign the root user in the service config it works, but this is obviously not a good idea. Trying to find out why I have to be root to configure the python environment.

[SoepMetBalletjes]

It is solved by switching to the powerdnsadmin user and granting is rights on the target directory where the Flask environment is running. Services are now running.

There is however a step in the wiki that I don't understand. It is the second step in the Systemd-Gunicorn-and-Nginx wiki:
$ sudo systemctl edit powerdns-admin.service
[Service]
Environment="FLASK_CONF=../configs/production.py"

What does this exactly do? And why is this done after the service config is created?

[AzorianMatt]

@SoepMetBalletjes my apologies for the late response. To answer your question, that particular edit tells the framework to look at that given path for the configuration file, when ran as a systemd service.