diff options
author | Vladimír Čunát <vcunat@gmail.com> | 2018-02-12 20:48:25 +0100 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2018-02-12 20:48:25 +0100 |
commit | 05d6a7edb63ac387d25d96367228873c5b245eaf (patch) | |
tree | faf2a4a1f47883778663b588ca431faf6954bfea /nixos/modules/services/networking | |
parent | 47d479253d4821a1acb787fb3d9e8a1a02b0dff0 (diff) | |
download | nixlib-05d6a7edb63ac387d25d96367228873c5b245eaf.tar nixlib-05d6a7edb63ac387d25d96367228873c5b245eaf.tar.gz nixlib-05d6a7edb63ac387d25d96367228873c5b245eaf.tar.bz2 nixlib-05d6a7edb63ac387d25d96367228873c5b245eaf.tar.lz nixlib-05d6a7edb63ac387d25d96367228873c5b245eaf.tar.xz nixlib-05d6a7edb63ac387d25d96367228873c5b245eaf.tar.zst nixlib-05d6a7edb63ac387d25d96367228873c5b245eaf.zip |
kresd service: add listenTLS option
Also fix some deficiencies in the systemd multi-socket stuff.
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/kresd.nix | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix index d0c19c4ecb71..aac02b811d71 100644 --- a/nixos/modules/services/networking/kresd.nix +++ b/nixos/modules/services/networking/kresd.nix @@ -46,6 +46,15 @@ in What addresses the server should listen on. (UDP+TCP 53) ''; }; + listenTLS = mkOption { + type = with types; listOf str; + default = []; + example = [ "198.51.100.1:853" "[2001:db8::1]:853" "853" ]; + description = '' + Addresses on which kresd should provide DNS over TLS (see RFC 7858). + For detailed syntax see ListenStream in man systemd.socket. + ''; + }; # TODO: perhaps options for more common stuff like cache size or forwarding }; @@ -75,6 +84,18 @@ in socketConfig.FreeBind = true; }; + systemd.sockets.kresd-tls = mkIf (cfg.listenTLS != []) rec { + wantedBy = [ "sockets.target" ]; + before = wantedBy; + partOf = [ "kresd.socket" ]; + listenStreams = cfg.listenTLS; + socketConfig = { + FileDescriptorName = "tls"; + FreeBind = true; + Service = "kresd.service"; + }; + }; + systemd.sockets.kresd-control = rec { wantedBy = [ "sockets.target" ]; before = wantedBy; @@ -97,6 +118,8 @@ in Type = "notify"; WorkingDirectory = cfg.cacheDir; Restart = "on-failure"; + Sockets = [ "kresd.socket" "kresd-control.socket" ] + ++ optional (cfg.listenTLS != []) "kresd-tls.socket"; }; # Trust anchor goes from dns-root-data by default. |