authornetali <me@netali.de>2022-12-26 02:01:03 +0100
committernetali <me@netali.de>2022-12-26 02:12:31 +0100
commit64a957a7d1c3e7d1d0efbaa71d52eecb9e2e6f1c (patch)
treee72c5e2ca0879d923856b4469ec67ad9adaa1be4
parent00a40e2cf4688e90045994ca23e78ca10c7bbfea (diff)
nixos/powerdns: add secretFile option
-rw-r--r--nixos/modules/services/networking/powerdns.nix22
1 files changed, 21 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/powerdns.nix b/nixos/modules/services/networking/powerdns.nix
index 6aa5928d637..850a128cf1a 100644
--- a/nixos/modules/services/networking/powerdns.nix
+++ b/nixos/modules/services/networking/powerdns.nix
@@ -5,6 +5,7 @@ with lib;
 let
   cfg = config.services.powerdns;
   configDir = pkgs.writeTextDir "pdns.conf" "${cfg.extraConfig}";
+  finalConfigDir = if cfg.secretFile == null then configDir else "/run/pdns";
 in {
   options = {
     services.powerdns = {
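Review bot: `finalConfigDir` pins the rendered config to the literal `/run/pdns`, but nothing in the visible hunks creates that directory before the pre-start script on line 62 redirects into it, so unless `RuntimeDirectory` is already set elsewhere in this module the unit will fail on a missing directory. Because the rendered file carries the interpolated secrets, the directory should be private as well as the file — the `umask 077` on line 61 only protects the file it writes. I would add `RuntimeDirectory = "pdns"; RuntimeDirectoryMode = "0700";` to `serviceConfig` and mark the binding here with `# must match RuntimeDirectory in the service below` so the two do not drift apart.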
@@ -19,6 +20,19 @@ in {
           for details on supported values.
         '';
       };
+
+      secretFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/run/keys/powerdns.env";
+        description = lib.mdDoc ''
+          Environment variables from this file will be interpolated into the
+          final config file using envsubst with this syntax: `$ENVIRONMENT`
+          or `''${VARIABLE}`.
+          The file should contain lines formatted as `SECRET_VAR=SECRET_VALUE`.
+          This is useful to avoid putting secrets into the nix store.
+        '';
+      };
     };
   };
 
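Review bot: The `secretFile` description does not say what happens to a placeholder that has no matching variable in the file, nor that substitution runs over the whole of `extraConfig`, so any pre-existing literal `$` in a user's config is now consumed; with envsubst's default behaviour (to be confirmed for `pkgs.envsubst`) an unset variable becomes an empty string, meaning a typo in a variable name silently produces a config with an empty credential instead of a startup failure. I would add to the description a sentence such as `Every other occurrence of a \`$VAR\` or \`${VAR}\` pattern in {option}\`extraConfig\` is substituted as well; variables missing from the file are replaced by the empty string.` and note that the file is read by systemd as an `EnvironmentFile` (line 58), so it should be readable by root only. In the pre-start script on line 62 (that hunk runs past the end of this view) the `-no-unset -no-empty` flags of envsubst, if `pkgs.envsubst` is the a8m implementation, would turn a missing secret into a hard failure.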
@@ -31,7 +45,13 @@ in {
       after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ];
 
       serviceConfig = {
-        ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
+        EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile;
+        ExecStartPre = lib.optional (cfg.secretFile != null)
+          (pkgs.writeShellScript "pdns-pre-start" ''
+            umask 077
+            ${pkgs.envsubst}/bin/envsubst -i "${configDir}/pdns.conf" > ${finalConfigDir}/pdns.conf
+          '');
+        ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${finalConfigDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
       };
     };