authorVladimír Čunát <vcunat@gmail.com>2018-02-12 20:48:25 +0100
committerVladimír Čunát <vcunat@gmail.com>2018-02-12 20:48:25 +0100
commit05d6a7edb63ac387d25d96367228873c5b245eaf (patch)
treefaf2a4a1f47883778663b588ca431faf6954bfea /nixos/modules/services/networking
parent47d479253d4821a1acb787fb3d9e8a1a02b0dff0 (diff)
kresd service: add listenTLS option
Also fix some deficiencies in the systemd multi-socket stuff.
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r--nixos/modules/services/networking/kresd.nix23
1 files changed, 23 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix
index d0c19c4ecb71..aac02b811d71 100644
--- a/nixos/modules/services/networking/kresd.nix
+++ b/nixos/modules/services/networking/kresd.nix
@@ -46,6 +46,15 @@ in
         What addresses the server should listen on. (UDP+TCP 53)
       '';
     };
+    listenTLS = mkOption {
+      type = with types; listOf str;
+      default = [];
+      example = [ "198.51.100.1:853" "[2001:db8::1]:853" "853" ];
+      description = ''
+        Addresses on which kresd should provide DNS over TLS (see RFC 7858).
+        For detailed syntax see ListenStream in man systemd.socket.
+      '';
+    };
     # TODO: perhaps options for more common stuff like cache size or forwarding
   };
 
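Review bot: The new `listenTLS` description does not say where the TLS certificate and private key come from, so a user who sets it will get listeners on port 853 that presumably cannot complete a handshake until the keypair is configured in kresd's own config (kresd's `net.tls` call, typically via `extraConfig`); nothing in this hunk wires that up. Extend the description with a sentence such as `Note that a certificate and key must also be configured in kresd itself (e.g. with net.tls in extraConfig) for these listeners to serve TLS.` It is also worth stating that, as with `listenStreams`, a bare port such as `"853"` in the example binds on all addresses. The enclosing `options` attribute set starts outside the hunk.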
@@ -75,6 +84,18 @@ in
       socketConfig.FreeBind = true;
     };
 
+    systemd.sockets.kresd-tls = mkIf (cfg.listenTLS != []) rec {
+      wantedBy = [ "sockets.target" ];
+      before = wantedBy;
+      partOf = [ "kresd.socket" ];
+      listenStreams = cfg.listenTLS;
+      socketConfig = {
+        FileDescriptorName = "tls";
+        FreeBind = true;
+        Service = "kresd.service";
+      };
+    };
+
     systemd.sockets.kresd-control = rec {
       wantedBy = [ "sockets.target" ];
       before = wantedBy;
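Review bot: The `kresd-tls` socket carries no comment explaining why `FileDescriptorName = "tls"` matters, yet it is the only thing that tells kresd to treat these passed sockets as DNS-over-TLS rather than plain DNS (kresd appears to dispatch on the fd name; confirm against the kresd socket-activation docs). Add a line above the block such as `# kresd distinguishes passed sockets by their FileDescriptorName: "tls" marks DNS-over-TLS listeners.` so a later edit does not rename or drop it. Note also that `FreeBind = true` lets the unit bind addresses that are not yet configured on any interface, which is convenient but means a typo in `listenTLS` is not caught at socket start; mentioning that in the same comment would help. The enclosing `config` attribute set continues past this hunk.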
@@ -97,6 +118,8 @@ in
         Type = "notify";
         WorkingDirectory = cfg.cacheDir;
         Restart = "on-failure";
+        Sockets = [ "kresd.socket" "kresd-control.socket" ]
+          ++ optional (cfg.listenTLS != []) "kresd-tls.socket";
       };
 
       # Trust anchor goes from dns-root-data by default.
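Review bot: The condition `cfg.listenTLS != []` now appears twice, once guarding the `kresd-tls` socket unit in the previous hunk and once in the `Sockets =` list here; if either is edited alone, kresd.service will either reference a socket that is not generated or start without one that is. Binding it once, e.g. `tlsEnabled = cfg.listenTLS != [];` in the module's existing `let` (assuming that is where `cfg` is defined, outside this hunk) and using `mkIf tlsEnabled` and `optional tlsEnabled` keeps the two in step. The `serviceConfig` block and `systemd.services.kresd` continue outside the hunk.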