From 278bbe3b33a91435036295a61fef49576a49c27f Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Wed, 25 Jan 2017 18:41:52 +0100 Subject: add kresd service with basic options Still celebrating today's 1.2.0 release! --- nixos/modules/services/networking/kresd.nix | 119 ++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 nixos/modules/services/networking/kresd.nix (limited to 'nixos/modules/services/networking/kresd.nix') diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix new file mode 100644 index 00000000000..18e2ab9aebf --- /dev/null +++ b/nixos/modules/services/networking/kresd.nix @@ -0,0 +1,119 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.kresd; + package = pkgs.knot-resolver; + + configFile = pkgs.writeText "kresd.conf" cfg.extraConfig; +in + +{ + meta.maintainers = [ maintainers.vcunat /* upstream developer */ ]; + + ###### interface + options.services.kresd = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable knot-resolver domain name server. + DNSSEC validation is turned on by default. + You can run sudo nc -U /run/kresd/control + and give commands interactively to kresd. + ''; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to the generated configuration file. + ''; + }; + cacheDir = mkOption { + type = types.path; + default = "/var/cache/kresd"; + description = '' + Directory for caches. They are intended to survive reboots. + ''; + }; + interfaces = mkOption { + type = with types; listOf str; + default = [ "::1" "127.0.0.1" ]; + description = '' + What addresses the server should listen on. + ''; + }; + # TODO: perhaps options for more common stuff like cache size or forwarding + }; + + ###### implementation + config = mkIf cfg.enable { + environment.etc."kresd.conf".source = configFile; # not required + + users.extraUsers = singleton + { name = "kresd"; + uid = config.ids.uids.kresd; + group = "kresd"; + description = "Knot-resolver daemon user"; + }; + users.extraGroups = singleton + { name = "kresd"; + gid = config.ids.gids.kresd; + }; + + systemd.sockets.kresd = rec { + wantedBy = [ "sockets.target" ]; + before = wantedBy; + listenStreams = map + # Syntax depends on being IPv6 or IPv4. + (iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53") + cfg.interfaces; + socketConfig.ListenDatagram = listenStreams; + }; + + systemd.sockets.kresd-control = rec { + wantedBy = [ "sockets.target" ]; + before = wantedBy; + partOf = [ "kresd.socket" ]; + listenStreams = [ "/run/kresd/control" ]; + socketConfig = { + FileDescriptorName = "control"; + Service = "kresd.service"; + SocketMode = "0660"; # only root user/group may connect + }; + }; + + # Create the cacheDir; tmpfiles don't work on nixos-rebuild switch. + systemd.services.kresd-cachedir = { + serviceConfig.Type = "oneshot"; + script = '' + if [ ! -d '${cfg.cacheDir}' ]; then + mkdir -p '${cfg.cacheDir}' + chown kresd:kresd '${cfg.cacheDir}' + fi + ''; + }; + + systemd.services.kresd = { + description = "Knot-resolver daemon"; + + serviceConfig = { + User = "kresd"; + Type = "notify"; + WorkingDirectory = cfg.cacheDir; + }; + + script = '' + exec '${package}/bin/kresd' --config '${configFile}' \ + -k '${cfg.cacheDir}/root.key' + ''; + + after = [ "kresd-cachedir.service" ]; + requires = [ "kresd.socket" "kresd-cachedir.service" ]; + wantedBy = [ "sockets.target" ]; + }; + }; +} -- cgit 1.4.1