author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2018-02-13 10:41:52 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-13 10:41:52 +0000 |
commit | 67b1d6a16ddc7200e4ba10d7a44a03e2a675ca04 (patch) | |
tree | e18f7d1c5de03eb88f49b3b15fa71e82e96b8364 /nixos | |
parent | afb83e0e0380abea2b97a21e25b3003ee5fce33e (diff) | |
parent | 05d6a7edb63ac387d25d96367228873c5b245eaf (diff) | |
Merge pull request #34905 from vcunat/p/kresd-TLS
kresd service: add listenTLS option
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/kresd.nix | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix index d0c19c4ecb71..aac02b811d71 100644 --- a/nixos/modules/services/networking/kresd.nix +++ b/nixos/modules/services/networking/kresd.nix @@ -46,6 +46,15 @@ in What addresses the server should listen on. (UDP+TCP 53) ''; }; + listenTLS = mkOption { + type = with types; listOf str; + default = []; + example = [ "198.51.100.1:853" "[2001:db8::1]:853" "853" ]; + description = '' + Addresses on which kresd should provide DNS over TLS (see RFC 7858). + For detailed syntax see ListenStream in man systemd.socket. + ''; + }; # TODO: perhaps options for more common stuff like cache size or forwarding }; @@ -75,6 +84,18 @@ in socketConfig.FreeBind = true; }; + systemd.sockets.kresd-tls = mkIf (cfg.listenTLS != []) rec { + wantedBy = [ "sockets.target" ]; + before = wantedBy; + partOf = [ "kresd.socket" ]; + listenStreams = cfg.listenTLS; + socketConfig = { + FileDescriptorName = "tls"; + FreeBind = true; + Service = "kresd.service"; + }; + }; + systemd.sockets.kresd-control = rec { wantedBy = [ "sockets.target" ]; before = wantedBy; @@ -97,6 +118,8 @@ in Type = "notify"; WorkingDirectory = cfg.cacheDir; Restart = "on-failure"; + Sockets = [ "kresd.socket" "kresd-control.socket" ] + ++ optional (cfg.listenTLS != []) "kresd-tls.socket"; }; # Trust anchor goes from dns-root-data by default. |
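Review bot: The description of the new `listenTLS` option (first hunk) tells the user how to spell the addresses but not that enabling a DNS-over-TLS listener requires kresd to be given a certificate and private key; the module adds no option for them, so they have to come from kresd's own configuration (for example via the service's extra-config mechanism, which this hunk does not show). I would extend the description with a sentence such as `Note that kresd needs a certificate and key for these listeners, configured with net.tls in its own configuration; check the Knot Resolver documentation for what it serves when none is set.`. The default of `[]` is the right choice, since it keeps the TLS socket (second hunk) and the extra `Sockets=` entry (third hunk) off unless explicitly requested. Whether kresd falls back to an ephemeral self-signed certificate when nothing is configured is not visible from this diff and should be confirmed before stating it.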