5 files changed, 373 insertions, 117 deletions
diff --git a/nixos/modules/services/cluster/kubernetes.nix b/nixos/modules/services/cluster/kubernetes.nix
index 6a775bb159fc..a7f4ec7b008b 100644
--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@@ -286,7 +286,7 @@ in {
 
       clusterDomain = mkOption {
         description = "Use alternative domain.";
-        default = "";
+        default = "kubernetes.io";
         type = types.str;
       };
 
@@ -322,13 +322,35 @@ in {
         type = types.str;
       };
     };
+
+    kube2sky = {
+      enable = mkEnableOption "Whether to enable kube2sky dns service.";
+
+      domain = mkOption  {
+        description = "Kuberntes kube2sky domain under which all DNS names will be hosted.";
+        default = cfg.kubelet.clusterDomain;
+        type = types.str;
+      };
+
+      master = mkOption {
+        description = "Kubernetes apiserver address";
+        default = "${cfg.apiserver.address}:${toString cfg.apiserver.port}";
+        type = types.str;
+      };
+
+      extraOpts = mkOption {
+        description = "Kubernetes kube2sky extra command line options.";
+        default = "";
+        type = types.str;
+      };
+    };
   };
 
   ###### implementation
 
   config = mkMerge [
     (mkIf cfg.apiserver.enable {
-      systemd.services.kubernetes-apiserver = {
+      systemd.services.kube-apiserver = {
         description = "Kubernetes Api Server";
         wantedBy = [ "multi-user.target" ];
         requires = ["kubernetes-setup.service"];
@@ -343,26 +365,25 @@ in {
                 (concatImapStringsSep "\n" (i: v: v + "," + (toString i))
                     (mapAttrsToList (name: token: token + "," + name) cfg.apiserver.tokenAuth));
           in ''${cfg.package}/bin/kube-apiserver \
-            --etcd_servers=${concatMapStringsSep "," (f: "http://${f}") cfg.etcdServers} \
-            --address=${cfg.apiserver.address} \
-            --port=${toString cfg.apiserver.port} \
-            --read_only_port=${toString cfg.apiserver.readOnlyPort} \
-            --public_address_override=${cfg.apiserver.publicAddress} \
-            --allow_privileged=${if cfg.apiserver.allowPrivileged then "true" else "false"} \
+            --etcd-servers=${concatMapStringsSep "," (f: "http://${f}") cfg.etcdServers} \
+            --insecure-bind-address=${cfg.apiserver.address} \
+            --insecure-port=${toString cfg.apiserver.port} \
+            --read-only-port=${toString cfg.apiserver.readOnlyPort} \
+            --bind-address=${cfg.apiserver.publicAddress} \
+            --allow-privileged=${if cfg.apiserver.allowPrivileged then "true" else "false"} \
             ${optionalString (cfg.apiserver.tlsCertFile!="")
-              "--tls_cert_file=${cfg.apiserver.tlsCertFile}"} \
+              "--tls-cert-file=${cfg.apiserver.tlsCertFile}"} \
             ${optionalString (cfg.apiserver.tlsPrivateKeyFile!="")
-              "--tls_private_key_file=${cfg.apiserver.tlsPrivateKeyFile}"} \
+              "--tls-private-key-file=${cfg.apiserver.tlsPrivateKeyFile}"} \
             ${optionalString (cfg.apiserver.tokenAuth!=[])
-              "--token_auth_file=${tokenAuthFile}"} \
-            --authorization_mode=${cfg.apiserver.authorizationMode} \
+              "--token-auth-file=${tokenAuthFile}"} \
+            --authorization-mode=${cfg.apiserver.authorizationMode} \
             ${optionalString (cfg.apiserver.authorizationMode == "ABAC")
-              "--authorization_policy_file=${authorizationPolicyFile}"} \
-            --secure_port=${toString cfg.apiserver.securePort} \
-            --portal_net=${cfg.apiserver.portalNet} \
+              "--authorization-policy-file=${authorizationPolicyFile}"} \
+            --secure-port=${toString cfg.apiserver.securePort} \
+            --service-cluster-ip-range=${cfg.apiserver.portalNet} \
             --logtostderr=true \
-            --runtime_config=api/v1beta3 \
-            ${optionalString cfg.verbose "--v=6 --log_flush_frequency=1s"} \
+            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.apiserver.extraOpts}
           '';
           User = "kubernetes";
@@ -376,7 +397,7 @@ in {
     })
 
     (mkIf cfg.scheduler.enable {
-      systemd.services.kubernetes-scheduler = {
+      systemd.services.kube-scheduler = {
         description = "Kubernetes Scheduler Service";
         wantedBy = [ "multi-user.target" ];
         after = [ "network-interfaces.target" "kubernetes-apiserver.service" ];
@@ -386,7 +407,7 @@ in {
             --port=${toString cfg.scheduler.port} \
             --master=${cfg.scheduler.master} \
             --logtostderr=true \
-            ${optionalString cfg.verbose "--v=6 --log_flush_frequency=1s"} \
+            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.scheduler.extraOpts}
           '';
           User = "kubernetes";
@@ -395,7 +416,7 @@ in {
     })
 
     (mkIf cfg.controllerManager.enable {
-      systemd.services.kubernetes-controller-manager = {
+      systemd.services.kube-controller-manager = {
         description = "Kubernetes Controller Manager Service";
         wantedBy = [ "multi-user.target" ];
         after = [ "network-interfaces.target" "kubernetes-apiserver.service" ];
@@ -406,7 +427,7 @@ in {
             --master=${cfg.controllerManager.master} \
             --machines=${concatStringsSep "," cfg.controllerManager.machines} \
             --logtostderr=true \
-            ${optionalString cfg.verbose "--v=6 --log_flush_frequency=1s"} \
+            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.controllerManager.extraOpts}
           '';
           User = "kubernetes";
@@ -415,7 +436,7 @@ in {
     })
 
     (mkIf cfg.kubelet.enable {
-      systemd.services.kubernetes-kubelet = {
+      systemd.services.kubelet = {
         description = "Kubernetes Kubelet Service";
         wantedBy = [ "multi-user.target" ];
         requires = ["kubernetes-setup.service"];
@@ -423,17 +444,17 @@ in {
         script = ''
           export PATH="/bin:/sbin:/usr/bin:/usr/sbin:$PATH"
           exec ${cfg.package}/bin/kubelet \
-            --api_servers=${concatMapStringsSep "," (f: "http://${f}") cfg.kubelet.apiServers}  \
+            --api-servers=${concatMapStringsSep "," (f: "http://${f}") cfg.kubelet.apiServers}  \
             --address=${cfg.kubelet.address} \
             --port=${toString cfg.kubelet.port} \
-            --hostname_override=${cfg.kubelet.hostname} \
-            --allow_privileged=${if cfg.kubelet.allowPrivileged then "true" else "false"} \
-            --root_dir=${cfg.dataDir} \
+            --hostname-override=${cfg.kubelet.hostname} \
+            --allow-privileged=${if cfg.kubelet.allowPrivileged then "true" else "false"} \
+            --root-dir=${cfg.dataDir} \
             --cadvisor_port=${toString cfg.kubelet.cadvisorPort} \
             ${optionalString (cfg.kubelet.clusterDns != "")
-                ''--cluster_dns=${cfg.kubelet.clusterDns}''} \
+                ''--cluster-dns=${cfg.kubelet.clusterDns}''} \
             ${optionalString (cfg.kubelet.clusterDomain != "")
-                ''--cluster_domain=${cfg.kubelet.clusterDomain}''} \
+                ''--cluster-domain=${cfg.kubelet.clusterDomain}''} \
             --logtostderr=true \
             ${optionalString cfg.verbose "--v=6 --log_flush_frequency=1s"} \
             ${cfg.kubelet.extraOpts}
@@ -443,26 +464,49 @@ in {
     })
 
     (mkIf cfg.proxy.enable {
-      systemd.services.kubernetes-proxy = {
+      systemd.services.kube-proxy = {
         description = "Kubernetes Proxy Service";
         wantedBy = [ "multi-user.target" ];
         after = [ "network-interfaces.target" "etcd.service" ];
         serviceConfig = {
           ExecStart = ''${cfg.package}/bin/kube-proxy \
             --master=${cfg.proxy.master} \
-            --bind_address=${cfg.proxy.address} \
+            --bind-address=${cfg.proxy.address} \
             --logtostderr=true \
-            ${optionalString cfg.verbose "--v=6 --log_flush_frequency=1s"} \
+            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.proxy.extraOpts}
           '';
         };
       };
     })
 
+    (mkIf cfg.kube2sky.enable {
+      systemd.services.kube2sky = {
+        description = "Kubernetes Dns Bridge Service";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" "skydns.service" "etcd.service" "kubernetes-apiserver.service" ];
+        serviceConfig = {
+          ExecStart = ''${cfg.package}/bin/kube2sky \
+            -etcd-server=http://${head cfg.etcdServers} \
+            -domain=${cfg.kube2sky.domain} \
+            -kube_master_url=http://${cfg.kube2sky.master} \
+            -logtostderr=true \
+            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
+            ${cfg.kube2sky.extraOpts}
+          '';
+          User = "kubernetes";
+        };
+      };
+
+      services.skydns.enable = mkDefault true;
+      services.skydns.domain = mkDefault cfg.kubelet.clusterDomain;
+    })
+
     (mkIf (any (el: el == "master") cfg.roles) {
       services.kubernetes.apiserver.enable = mkDefault true;
       services.kubernetes.scheduler.enable = mkDefault true;
       services.kubernetes.controllerManager.enable = mkDefault true;
+      services.kubernetes.kube2sky.enable = mkDefault true;
     })
 
     (mkIf (any (el: el == "node") cfg.roles) {
diff --git a/nixos/modules/services/misc/mwlib.nix b/nixos/modules/services/misc/mwlib.nix
index d02e1e021a70..a8edecff2a1e 100644
--- a/nixos/modules/services/misc/mwlib.nix
+++ b/nixos/modules/services/misc/mwlib.nix
@@ -226,7 +226,7 @@ in
         chmod -Rc u=rwX,go= '${cfg.nslave.cachedir}'
       '';
 
-      path = with pkgs; [ imagemagick ];
+      path = with pkgs; [ imagemagick pdftk ];
       environment = {
         PYTHONPATH = concatMapStringsSep ":"
           (m: "${pypkgs.${m}}/lib/${python.libPrefix}/site-packages")
diff --git a/nixos/modules/services/misc/ripple-rest.nix b/nixos/modules/services/misc/ripple-rest.nix
new file mode 100644
index 000000000000..dc07ee132fa6
--- /dev/null
+++ b/nixos/modules/services/misc/ripple-rest.nix
@@ -0,0 +1,110 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.rippleRest;
+
+  configFile = pkgs.writeText "ripple-rest-config.json" (builtins.toJSON {
+    config_version = "2.0.3";
+    debug = cfg.debug;
+    port = cfg.port;
+    host = cfg.host;
+    ssl_enabled = cfg.ssl.enable;
+    ssl = {
+      key_path = cfg.ssl.keyPath;
+      cert_path = cfg.ssl.certPath;
+      reject_unathorized = cfg.ssl.rejectUnathorized;
+    };
+    db_path = cfg.dbPath;
+    max_transaction_fee = cfg.maxTransactionFee;
+    rippled_servers = cfg.rippleds;
+  });
+
+in {
+  options.services.rippleRest = {
+    enable = mkEnableOption "Whether to enable ripple rest.";
+
+    debug = mkEnableOption "Wheter to enable debug for ripple-rest.";
+
+    host = mkOption {
+      description = "Ripple rest host.";
+      default = "localhost";
+      type = types.str;
+    };
+
+    port = mkOption {
+      description = "Ripple rest port.";
+      default = 5990;
+      type = types.int;
+    };
+
+    ssl = {
+      enable = mkEnableOption "Whether to enable ssl.";
+
+      keyPath = mkOption {
+        description = "Path to the ripple rest key file.";
+        default = null;
+        type = types.nullOr types.path;
+      };
+
+
+      certPath = mkOption {
+        description = "Path to the ripple rest cert file.";
+        default = null;
+        type = types.nullOr types.path;
+      };
+
+      rejectUnathorized = mkOption {
+        description = "Whether to reject unatohroized.";
+        default = true;
+        type = types.bool;
+      };
+    };
+
+    dbPath = mkOption {
+      description = "Ripple rest database path.";
+      default = "${cfg.dataDir}/ripple-rest.db";
+      type = types.path;
+    };
+
+    maxTransactionFee = mkOption {
+      description = "Ripple rest max transaction fee.";
+      default = 1000000;
+      type = types.int;
+    };
+
+    rippleds = mkOption {
+      description = "List of rippled servers.";
+      default = [
+        "wss://s1.ripple.com:443"
+      ];
+      type = types.listOf types.str;
+    };
+
+    dataDir = mkOption {
+      description = "Ripple rest data directory.";
+      default = "/var/lib/ripple-rest";
+      type = types.path;
+    };
+  };
+
+  config = mkIf (cfg.enable) {
+    systemd.services.ripple-rest = {
+      wantedBy = [ "multi-user.target"];
+      after = ["network.target" ];
+      environment.NODE_PATH="${pkgs.ripple-rest}/lib/node_modules/ripple-rest/node_modules";
+      serviceConfig = {
+        ExecStart = "${pkgs.nodejs}/bin/node ${pkgs.ripple-rest}/lib/node_modules/ripple-rest/server/server.js --config ${configFile}";
+        User = "ripple-rest";
+      };
+    };
+
+    users.extraUsers.postgres = {
+      name = "ripple-rest";
+      uid = config.ids.uids.ripple-rest;
+      createHome = true;
+      home = cfg.dataDir;
+    };
+  };
+}
diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix
index 53a9f4626254..31bae628050b 100644
--- a/nixos/modules/services/networking/consul.nix
+++ b/nixos/modules/services/networking/consul.nix
@@ -106,6 +106,12 @@ in
       alerts = {
         enable = mkEnableOption "Whether to enable consul-alerts";
 
+        package = mkOption {
+          description = "Package to use for consul-alerts.";
+          default = pkgs.consul-alerts;
+          type = types.package;
+        };
+
         listenAddr = mkOption {
           description = "Api listening address.";
           default = "localhost:9000";
@@ -135,96 +141,101 @@ in
 
   };
 
-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (
+    mkMerge [{
 
-    users.extraUsers."consul" = {
-      description = "Consul agent daemon user";
-      uid = config.ids.uids.consul;
-      # The shell is needed for health checks
-      shell = "/run/current-system/sw/bin/bash";
-    };
+      users.extraUsers."consul" = {
+        description = "Consul agent daemon user";
+        uid = config.ids.uids.consul;
+        # The shell is needed for health checks
+        shell = "/run/current-system/sw/bin/bash";
+      };
 
-    environment = {
-      etc."consul.json".text = builtins.toJSON configOptions;
-      # We need consul.d to exist for consul to start
-      etc."consul.d/dummy.json".text = "{ }";
-      systemPackages = with pkgs; [ consul ];
-    };
+      environment = {
+        etc."consul.json".text = builtins.toJSON configOptions;
+        # We need consul.d to exist for consul to start
+        etc."consul.d/dummy.json".text = "{ }";
+        systemPackages = with pkgs; [ consul ];
+      };
 
-    systemd.services.consul = {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ] ++ systemdDevices;
-      bindsTo = systemdDevices;
-      restartTriggers = [ config.environment.etc."consul.json".source ]
-        ++ mapAttrsToList (_: d: d.source)
-          (filterAttrs (n: _: hasPrefix "consul.d/" n) config.environment.etc);
-
-      serviceConfig = {
-        ExecStart = "@${pkgs.consul}/bin/consul consul agent -config-dir /etc/consul.d"
-          + concatMapStrings (n: " -config-file ${n}") configFiles;
-        ExecReload = "${pkgs.consul}/bin/consul reload";
-        PermissionsStartOnly = true;
-        User = if cfg.dropPrivileges then "consul" else null;
-        TimeoutStartSec = "0";
-      } // (optionalAttrs (cfg.leaveOnStop) {
-        ExecStop = "${pkgs.consul}/bin/consul leave";
-      });
-
-      path = with pkgs; [ iproute gnugrep gawk consul ];
-      preStart = ''
-        mkdir -m 0700 -p ${dataDir}
-        chown -R consul ${dataDir}
-
-        # Determine interface addresses
-        getAddrOnce () {
-          ip addr show dev "$1" \
-            | grep 'inet${optionalString (cfg.forceIpv4) " "}.*scope global' \
-            | awk -F '[ /\t]*' '{print $3}' | head -n 1
-        }
-        getAddr () {
-          ADDR="$(getAddrOnce $1)"
-          LEFT=60 # Die after 1 minute
-          while [ -z "$ADDR" ]; do
-            sleep 1
-            LEFT=$(expr $LEFT - 1)
-            if [ "$LEFT" -eq "0" ]; then
-              echo "Address lookup timed out"
-              exit 1
-            fi
+      systemd.services.consul = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ] ++ systemdDevices;
+        bindsTo = systemdDevices;
+        restartTriggers = [ config.environment.etc."consul.json".source ]
+          ++ mapAttrsToList (_: d: d.source)
+            (filterAttrs (n: _: hasPrefix "consul.d/" n) config.environment.etc);
+
+        serviceConfig = {
+          ExecStart = "@${pkgs.consul}/bin/consul consul agent -config-dir /etc/consul.d"
+            + concatMapStrings (n: " -config-file ${n}") configFiles;
+          ExecReload = "${pkgs.consul}/bin/consul reload";
+          PermissionsStartOnly = true;
+          User = if cfg.dropPrivileges then "consul" else null;
+          TimeoutStartSec = "0";
+        } // (optionalAttrs (cfg.leaveOnStop) {
+          ExecStop = "${pkgs.consul}/bin/consul leave";
+        });
+
+        path = with pkgs; [ iproute gnugrep gawk consul ];
+        preStart = ''
+          mkdir -m 0700 -p ${dataDir}
+          chown -R consul ${dataDir}
+
+          # Determine interface addresses
+          getAddrOnce () {
+            ip addr show dev "$1" \
+              | grep 'inet${optionalString (cfg.forceIpv4) " "}.*scope global' \
+              | awk -F '[ /\t]*' '{print $3}' | head -n 1
+          }
+          getAddr () {
             ADDR="$(getAddrOnce $1)"
-          done
-          echo "$ADDR"
-        }
-        echo "{" > /etc/consul-addrs.json
-        delim=" "
-      ''
-      + concatStrings (flip mapAttrsToList cfg.interface (name: i:
-        optionalString (i != null) ''
-          echo "$delim \"${name}_addr\": \"$(getAddr "${i}")\"" >> /etc/consul-addrs.json
-          delim=","
-        ''))
-      + ''
-        echo "}" >> /etc/consul-addrs.json
-      '';
-    };
-
-    systemd.services.consul-alerts = mkIf (cfg.alerts.enable) {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "consul.service" ];
-
-      path = [ pkgs.consul ];
-
-      serviceConfig = {
-        ExecStart = ''
-          ${pkgs.consul-alerts}/bin/consul-alerts start \
-            --alert-addr=${cfg.alerts.listenAddr} \
-            --consul-addr=${cfg.alerts.consulAddr} \
-            ${optionalString cfg.alerts.watchChecks "--watch-checks"} \
-            ${optionalString cfg.alerts.watchEvents "--watch-events"}
+            LEFT=60 # Die after 1 minute
+            while [ -z "$ADDR" ]; do
+              sleep 1
+              LEFT=$(expr $LEFT - 1)
+              if [ "$LEFT" -eq "0" ]; then
+                echo "Address lookup timed out"
+                exit 1
+              fi
+              ADDR="$(getAddrOnce $1)"
+            done
+            echo "$ADDR"
+          }
+          echo "{" > /etc/consul-addrs.json
+          delim=" "
+        ''
+        + concatStrings (flip mapAttrsToList cfg.interface (name: i:
+          optionalString (i != null) ''
+            echo "$delim \"${name}_addr\": \"$(getAddr "${i}")\"" >> /etc/consul-addrs.json
+            delim=","
+          ''))
+        + ''
+          echo "}" >> /etc/consul-addrs.json
         '';
-        User = if cfg.dropPrivileges then "consul" else null;
       };
-    };
+    }
+
+    (mkIf (cfg.alerts.enable) {
+      systemd.services.consul-alerts = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "consul.service" ];
+
+        path = [ pkgs.consul ];
+
+        serviceConfig = {
+          ExecStart = ''
+            ${cfg.alerts.package}/bin/consul-alerts start \
+              --alert-addr=${cfg.alerts.listenAddr} \
+              --consul-addr=${cfg.alerts.consulAddr} \
+              ${optionalString cfg.alerts.watchChecks "--watch-checks"} \
+              ${optionalString cfg.alerts.watchEvents "--watch-events"}
+          '';
+          User = if cfg.dropPrivileges then "consul" else null;
+          Restart = "on-failure";
+        };
+      };
+    })
 
-  };
+  ]);
 }
diff --git a/nixos/modules/services/networking/skydns.nix b/nixos/modules/services/networking/skydns.nix
new file mode 100644
index 000000000000..2d0129d63101
--- /dev/null
+++ b/nixos/modules/services/networking/skydns.nix
@@ -0,0 +1,91 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.skydns;
+
+in {
+  options.services.skydns = {
+    enable = mkEnableOption "Whether to enable skydns service.";
+
+    etcd = {
+      machines = mkOption {
+        default = [ "http://localhost:4001" ];
+        type = types.listOf types.str;
+        description = "Skydns list of etcd endpoints to connect to.";
+      };
+
+      tlsKey = mkOption {
+        default = null;
+        type = types.nullOr types.path;
+        description = "Skydns path of TLS client certificate - private key.";
+      };
+
+      tlsPem = mkOption {
+        default = null;
+        type = types.nullOr types.path;
+        description = "Skydns path of TLS client certificate - public key.";
+      };
+
+      caCert = mkOption {
+        default = null;
+        type = types.nullOr types.path;
+        description = "Skydns path of TLS certificate authority public key.";
+      };
+    };
+
+    address = mkOption {
+      default = "0.0.0.0:53";
+      type = types.str;
+      description = "Skydns address to bind to.";
+    };
+
+    domain = mkOption {
+      default = "skydns.local.";
+      type = types.str;
+      description = "Skydns default domain if not specified by etcd config.";
+    };
+
+    nameservers = mkOption {
+      default = map (n: n + ":53") config.networking.nameservers;
+      type = types.listOf types.str;
+      description = "Skydns list of nameservers to forward DNS requests to when not authoritative for a domain.";
+      example = ["8.8.8.8:53" "8.8.4.4:53"];
+    };
+
+    package = mkOption {
+      default = pkgs.goPackages.skydns;
+      type = types.package;
+      description = "Skydns package to use.";
+    };
+
+    extraConfig = mkOption {
+      default = {};
+      type = types.attrsOf types.str;
+      description = "Skydns attribute set of extra config options passed as environemnt variables.";
+    };
+  };
+
+  config = mkIf (cfg.enable) {
+    systemd.services.skydns = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "etcd.service" ];
+      description = "Skydns Service";
+      environment = {
+        ETCD_MACHINES = concatStringsSep "," cfg.etcd.machines;
+        ETCD_TLSKEY = cfg.etcd.tlsKey;
+        ETCD_TLSPEM = cfg.etcd.tlsPem;
+        ETCD_CACERT = cfg.etcd.caCert;
+        SKYDNS_ADDR = cfg.address;
+        SKYDNS_DOMAIN = cfg.domain;
+        SKYDNS_NAMESERVER = concatStringsSep "," cfg.nameservers;
+      };
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/skydns";
+      };
+    };
+
+    environment.systemPackages = [ cfg.package ];
+  };
+}