diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/knot.nix')
| -rw-r--r-- | nixpkgs/nixos/modules/services/networking/knot.nix | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/knot.nix b/nixpkgs/nixos/modules/services/networking/knot.nix new file mode 100644 index 000000000000..1cc1dd3f2f62 --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/knot.nix @@ -0,0 +1,95 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.knot; + + configFile = pkgs.writeText "knot.conf" cfg.extraConfig; + socketFile = "/run/knot/knot.sock"; + + knotConfCheck = file: pkgs.runCommand "knot-config-checked" + { buildInputs = [ cfg.package ]; } '' + ln -s ${configFile} $out + knotc --config=${configFile} conf-check + ''; + + knot-cli-wrappers = pkgs.stdenv.mkDerivation { + name = "knot-cli-wrappers"; + buildInputs = [ pkgs.makeWrapper ]; + buildCommand = '' + mkdir -p $out/bin + makeWrapper ${cfg.package}/bin/knotc "$out/bin/knotc" \ + --add-flags "--config=${configFile}" \ + --add-flags "--socket=${socketFile}" + makeWrapper ${cfg.package}/bin/keymgr "$out/bin/keymgr" \ + --add-flags "--config=${configFile}" + for executable in kdig khost kjournalprint knsec3hash knsupdate kzonecheck + do + ln -s "${cfg.package}/bin/$executable" "$out/bin/$executable" + done + mkdir -p "$out/share" + ln -s '${cfg.package}/share/man' "$out/share/" + ''; + }; +in { + options = { + services.knot = { + enable = mkEnableOption "Knot authoritative-only DNS server"; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of additional command line paramters for knotd + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to knot.conf + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.knot-dns; + description = '' + Which Knot DNS package to use + ''; + }; + }; + }; + + config = mkIf config.services.knot.enable { + systemd.services.knot = { + unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/"; + description = cfg.package.meta.description; + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + after = ["network.target" ]; + + serviceConfig = { + Type = "notify"; + ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}"; + ExecReload = "${knot-cli-wrappers}/bin/knotc reload"; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP"; + NoNewPrivileges = true; + DynamicUser = "yes"; + RuntimeDirectory = "knot"; + StateDirectory = "knot"; + StateDirectoryMode = "0700"; + PrivateDevices = true; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; + SystemCallArchitectures = "native"; + Restart = "on-abort"; + }; + }; + + environment.systemPackages = [ knot-cli-wrappers ]; + }; +} + |