-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/networking/kresd.nix119
-rw-r--r--pkgs/servers/dns/knot-resolver/default.nix5
4 files changed, 124 insertions, 3 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index db8b66c9768..2005f2518ba 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -285,6 +285,7 @@
       couchpotato = 267;
       gogs = 268;
       pdns-recursor = 269;
+      kresd = 270;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -539,6 +540,7 @@
       glance = 266;
       couchpotato = 267;
       gogs = 268;
+      kresd = 270;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 888f6ff955f..9100f5b27a0 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -399,6 +399,7 @@
   ./services/networking/iodine.nix
   ./services/networking/ircd-hybrid/default.nix
   ./services/networking/kippo.nix
+  ./services/networking/kresd.nix
   ./services/networking/lambdabot.nix
   ./services/networking/libreswan.nix
   ./services/networking/logmein-hamachi.nix
diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix
new file mode 100644
index 00000000000..18e2ab9aebf
--- /dev/null
+++ b/nixos/modules/services/networking/kresd.nix
@@ -0,0 +1,119 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.kresd;
+  package = pkgs.knot-resolver;
+
+  configFile = pkgs.writeText "kresd.conf" cfg.extraConfig;
+in
+
+{
+  meta.maintainers = [ maintainers.vcunat /* upstream developer */ ];
+
+  ###### interface
+  options.services.kresd = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable knot-resolver domain name server.
+        DNSSEC validation is turned on by default.
+        You can run <literal>sudo nc -U /run/kresd/control</literal>
+        and give commands interactively to kresd.
+      '';
+    };
+    extraConfig = mkOption {
+      type = types.lines;
+      default = "";
+      description = ''
+        Extra lines to be added verbatim to the generated configuration file.
+      '';
+    };
+    cacheDir = mkOption {
+      type = types.path;
+      default = "/var/cache/kresd";
+      description = ''
+        Directory for caches.  They are intended to survive reboots.
+      '';
+    };
+    interfaces = mkOption {
+      type = with types; listOf str;
+      default = [ "::1" "127.0.0.1" ];
+      description = ''
+        What addresses the server should listen on.
+      '';
+    };
+    # TODO: perhaps options for more common stuff like cache size or forwarding
+  };
+
+  ###### implementation
+  config = mkIf cfg.enable {
+    environment.etc."kresd.conf".source = configFile; # not required
+
+    users.extraUsers = singleton
+      { name = "kresd";
+        uid = config.ids.uids.kresd;
+        group = "kresd";
+        description = "Knot-resolver daemon user";
+      };
+    users.extraGroups = singleton
+      { name = "kresd";
+        gid = config.ids.gids.kresd;
+      };
+
+    systemd.sockets.kresd = rec {
+      wantedBy = [ "sockets.target" ];
+      before = wantedBy;
+      listenStreams = map
+        # Syntax depends on being IPv6 or IPv4.
+        (iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53")
+        cfg.interfaces;
+      socketConfig.ListenDatagram = listenStreams;
+    };
+
+    systemd.sockets.kresd-control = rec {
+      wantedBy = [ "sockets.target" ];
+      before = wantedBy;
+      partOf = [ "kresd.socket" ];
+      listenStreams = [ "/run/kresd/control" ];
+      socketConfig = {
+        FileDescriptorName = "control";
+        Service = "kresd.service";
+        SocketMode = "0660"; # only root user/group may connect
+      };
+    };
+
+    # Create the cacheDir; tmpfiles don't work on nixos-rebuild switch.
+    systemd.services.kresd-cachedir = {
+      serviceConfig.Type = "oneshot";
+      script = ''
+        if [ ! -d '${cfg.cacheDir}' ]; then
+          mkdir -p '${cfg.cacheDir}'
+          chown kresd:kresd '${cfg.cacheDir}'
+        fi
+      '';
+    };
+
+    systemd.services.kresd = {
+      description = "Knot-resolver daemon";
+
+      serviceConfig = {
+        User = "kresd";
+        Type = "notify";
+        WorkingDirectory = cfg.cacheDir;
+      };
+
+      script = ''
+        exec '${package}/bin/kresd' --config '${configFile}' \
+          -k '${cfg.cacheDir}/root.key'
+      '';
+
+      after = [ "kresd-cachedir.service" ];
+      requires = [ "kresd.socket" "kresd-cachedir.service" ];
+      wantedBy = [ "sockets.target" ];
+    };
+  };
+}
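Review bot: The DNSSEC trust anchor the daemon is started with, `-k '${cfg.cacheDir}/root.key'`, lives inside the directory that kresd-cachedir hands over to the daemon account (`chown kresd:kresd '${cfg.cacheDir}'`), so the unprivileged `kresd` user can rewrite the very file its validation ("turned on by default" per the `enable` description) relies on; the `cacheDir` description should at least say that the trust anchor is kept there alongside the cache, e.g. `Directory for caches and for the DNSSEC trust anchor (root.key).  They are intended to survive reboots.` The directory is also created with `mkdir -p` under root's umask and the ownership fix is skipped whenever the path already exists (for instance after an admin points `cacheDir` at a pre-existing directory), so `install -d -m 0750 -o kresd -g kresd '${cfg.cacheDir}'` would pin mode and owner in one step, if an unconditional chown of an admin-supplied path is acceptable here. Separately, `configFile` is a `pkgs.writeText` derivation, so every line of `extraConfig` ends up in the world-readable Nix store; the `extraConfig` description could add `The resulting file is placed in the Nix store and is readable by all local users.` Finally, the `SocketMode = "0660"; # only root user/group may connect` comment holds only while `SocketUser`/`SocketGroup` keep their default of root, which the block relies on implicitly rather than stating.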
diff --git a/pkgs/servers/dns/knot-resolver/default.nix b/pkgs/servers/dns/knot-resolver/default.nix
index e9668ed3e53..493a4a17e4d 100644
--- a/pkgs/servers/dns/knot-resolver/default.nix
+++ b/pkgs/servers/dns/knot-resolver/default.nix
@@ -1,8 +1,7 @@
 { stdenv, fetchurl, pkgconfig, utillinux, which, knot-dns, luajit, libuv, lmdb
 , cmocka, systemd, hiredis, libmemcached
 , gnutls, nettle
-, luajitPackages, makeWrapper # TODO: on master there's luajitPackages
-, fetchzip
+, luajitPackages, makeWrapper
 }:
 
 let
@@ -59,7 +58,7 @@ stdenv.mkDerivation rec {
   '';
 
   meta = with stdenv.lib; {
-    description = "Caching DNS resolver, from .cz domain registry";
+    description = "Caching validating DNS resolver, from .cz domain registry";
     homepage = https://knot-resolver.cz;
     license = licenses.gpl3Plus;
     platforms = platforms.unix;