diff options
| author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2020-02-15 11:15:03 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-02-15 11:15:03 +0000 |
| commit | 466c1df3e280c4c79d5b3c0c097267af9b089796 (patch) | |
| tree | a5061ab9407985bd3ecc2646115242654e9f21d0 /nixos/modules | |
| parent | 018fac1dc779357945fdd77d027443d5295eba22 (diff) | |
| parent | e2ef8b439fbb48308f7387396fa84946259b2bb1 (diff) | |
Merge pull request #79266 from Mic92/knot
nixos/knot: add keyFiles option
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/services/networking/knot.nix | 40 |
1 files changed, 31 insertions, 9 deletions
diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix index 47364ecb8464..12ff89fe8492 100644 --- a/nixos/modules/services/networking/knot.nix +++ b/nixos/modules/services/networking/knot.nix @@ -5,14 +5,16 @@ with lib; let cfg = config.services.knot; - configFile = pkgs.writeText "knot.conf" cfg.extraConfig; - socketFile = "/run/knot/knot.sock"; + configFile = pkgs.writeTextFile { + name = "knot.conf"; + text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" + + cfg.extraConfig; + checkPhase = lib.optionalString (cfg.keyFiles == []) '' + ${cfg.package}/bin/knotc --config=$out conf-check + ''; + }; - knotConfCheck = file: pkgs.runCommand "knot-config-checked" - { buildInputs = [ cfg.package ]; } '' - ln -s ${configFile} $out - knotc --config=${configFile} conf-check - ''; + socketFile = "/run/knot/knot.sock"; knot-cli-wrappers = pkgs.stdenv.mkDerivation { name = "knot-cli-wrappers"; @@ -45,6 +47,19 @@ in { ''; }; + keyFiles = mkOption { + type = types.listOf types.path; + default = []; + description = '' + A list of files containing additional configuration + to be included using the include directive. This option + allows to include configuration like TSIG keys without + exposing them to the nix store readable to any process. + Note that using this option will also disable configuration + checks at build time. + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -65,6 +80,13 @@ in { }; config = mkIf config.services.knot.enable { + users.users.knot = { + isSystemUser = true; + group = "knot"; + description = "Knot daemon user"; + }; + + users.groups.knot.gid = null; systemd.services.knot = { unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/"; description = cfg.package.meta.description; @@ -74,12 +96,12 @@ in { serviceConfig = { Type = "notify"; - ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}"; + ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}"; ExecReload = "${knot-cli-wrappers}/bin/knotc reload"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP"; AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP"; NoNewPrivileges = true; - DynamicUser = "yes"; + User = "knot"; RuntimeDirectory = "knot"; StateDirectory = "knot"; StateDirectoryMode = "0700"; |