blob: ba05e15389f6644142c8f0f332ee960ffd09109c (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.powerdns;
configDir = pkgs.writeTextDir "pdns.conf" "${cfg.extraConfig}";
in {
options = {
services.powerdns = {
enable = mkEnableOption "Powerdns domain name server";
extraConfig = mkOption {
type = types.lines;
default = "launch=bind";
description = ''
Extra lines to be added verbatim to pdns.conf.
Powerdns will chroot to /var/lib/powerdns.
So any file, powerdns is supposed to be read,
should be in /var/lib/powerdns and needs to specified
relative to the chroot.
'';
};
};
};
config = mkIf config.services.powerdns.enable {
systemd.services.pdns = {
unitConfig.Documentation = "man:pdns_server(1) man:pdns_control(1)";
description = "Powerdns name server";
wantedBy = [ "multi-user.target" ];
after = ["network.target" "mysql.service" "postgresql.service" "openldap.service"];
serviceConfig = {
Restart="on-failure";
RestartSec="1";
StartLimitInterval="0";
PrivateDevices=true;
CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT";
NoNewPrivileges=true;
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/powerdns";
ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=nobody --setgid=nogroup --chroot=/var/lib/powerdns --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";
ProtectSystem="full";
ProtectHome=true;
RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6";
};
};
};
}
|