author | Jörg Thalheim <joerg@thalheim.io> | 2020-02-12 16:35:33 +0000 |
committer | Jörg Thalheim <joerg@thalheim.io> | 2020-02-12 16:36:42 +0000 |
commit | e2ef8b439fbb48308f7387396fa84946259b2bb1 (patch) | |
tree | 7347d7935fe071b9610a00bcba2b4a8b881735a1 /nixos/modules | |
parent | 88029bce39bd485fc07f1b2aa111c3ee9d12e684 (diff) |
knot: add keyFiles option
This is useful to include TSIG keys using nixops without adding them
world-readable to the nix store.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/knot.nix | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix
index 6d0bb23846fb..12ff89fe8492 100644
--- a/nixos/modules/services/networking/knot.nix
+++ b/nixos/modules/services/networking/knot.nix
@@ -5,14 +5,16 @@ with lib;
 let
 cfg = config.services.knot;
- configFile = pkgs.writeText "knot.conf" cfg.extraConfig;
- socketFile = "/run/knot/knot.sock";
+ configFile = pkgs.writeTextFile {
+ name = "knot.conf";
+ text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
+ cfg.extraConfig;
+ checkPhase = lib.optionalString (cfg.keyFiles == []) ''
+ ${cfg.package}/bin/knotc --config=$out conf-check
+ '';
+ };
- knotConfCheck = file: pkgs.runCommand "knot-config-checked"
- { buildInputs = [ cfg.package ]; } ''
- ln -s ${configFile} $out
- knotc --config=${configFile} conf-check
- '';
+ socketFile = "/run/knot/knot.sock";
 knot-cli-wrappers = pkgs.stdenv.mkDerivation {
 name = "knot-cli-wrappers";
@@ -45,6 +47,19 @@ in {
 '';
 };
+ keyFiles = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ description = ''
+ A list of files containing additional configuration
+ to be included using the include directive. This option
+ allows to include configuration like TSIG keys without
+ exposing them to the nix store readable to any process.
+ Note that using this option will also disable configuration
+ checks at build time.
+ '';
+ };
+
 extraConfig = mkOption {
 type = types.lines;
 default = "";
@@ -81,7 +96,7 @@ in {
 serviceConfig = {
 Type = "notify";
- ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
+ ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
 ExecReload = "${knot-cli-wrappers}/bin/knotc reload";
 CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
 AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP"; |
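Review bot: With `cfg.keyFiles` non-empty the new `checkPhase` is skipped entirely, so a syntax error anywhere in the rendered config, including `extraConfig`, is no longer caught at build time and only shows up when knotd fails to start. The included files live outside the store, so the check cannot run inside the derivation, but it can run at service start: adding `ExecStartPre = "${cfg.package}/bin/knotc --config=${configFile} conf-check";` next to the `ExecStart` line in the third hunk gives a clear failure message and, since it runs as the service's user, also confirms the key files are actually readable by that user rather than leaving knotd to fail on the include. This assumes `knotc conf-check` works without a running daemon, which the removed `knotConfCheck` derivation suggests it does. The `let` block continues past the end of this hunk.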
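Review bot: `types.path` also accepts a Nix path literal such as `./tsig.conf`, and interpolating that into `"include: ${file}"` in the first hunk copies the file into the world-readable Nix store, which is exactly what this option exists to avoid; the description of `keyFiles` should say so. A sentence like `Give these as absolute path strings (e.g. "/var/lib/knot/tsig.conf"); a Nix path literal would be copied into the world-readable Nix store.` covers it, and it is worth adding that the files must be readable by the user knotd runs as. The phrase `exposing them to the nix store readable to any process` would read more clearly as `exposing them in the Nix store, which is readable by any process`. Changing the type to `types.listOf types.str` would enforce the first point mechanically, but that is a stricter choice left to the author.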