1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
|
{ config, lib, pkgs, ... }:
let
cfg = config.services.trust-dns;
toml = pkgs.formats.toml { };
configFile = toml.generate "trust-dns.toml" (
lib.filterAttrsRecursive (_: v: v != null) cfg.settings
);
zoneType = lib.types.submodule ({ config, ... }: {
options = with lib; {
zone = mkOption {
type = types.str;
description = mdDoc ''
Zone name, like "example.com", "localhost", or "0.0.127.in-addr.arpa".
'';
};
zone_type = mkOption {
type = types.enum [ "Primary" "Secondary" "Hint" "Forward" ];
default = "Primary";
description = mdDoc ''
One of:
- "Primary" (the master, authority for the zone).
- "Secondary" (the slave, replicated from the primary).
- "Hint" (a cached zone with recursive resolver abilities).
- "Forward" (a cached zone where all requests are forwarded to another resolver).
For more details about these zone types, consult the documentation for BIND,
though note that trust-dns supports only a subset of BIND's zone types:
<https://bind9.readthedocs.io/en/v9_18_4/reference.html#type>
'';
};
file = mkOption {
type = types.either types.path types.str;
default = "${config.zone}.zone";
defaultText = literalExpression ''"''${config.zone}.zone"'';
description = mdDoc ''
Path to the .zone file.
If not fully-qualified, this path will be interpreted relative to the `directory` option.
If omitted, defaults to the value of the `zone` option suffixed with ".zone".
'';
};
};
});
in
{
meta.maintainers = with lib.maintainers; [ colinsane ];
options = {
services.trust-dns = with lib; {
enable = mkEnableOption (lib.mdDoc "trust-dns");
package = mkOption {
type = types.package;
default = pkgs.trust-dns;
defaultText = "pkgs.trust-dns";
description = mdDoc ''
Trust-dns package to use.
Only `bin/trust-dns` need be provided: the other trust-dns utilities (client and resolver) are not needed.
'';
};
quiet = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Log ERROR level messages only.
This option is mutually exclusive with the `debug` option.
If neither `quiet` nor `debug` are enabled, logging defaults to the INFO level.
'';
};
debug = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Log DEBUG, INFO, WARN and ERROR messages.
This option is mutually exclusive with the `debug` option.
If neither `quiet` nor `debug` are enabled, logging defaults to the INFO level.
'';
};
settings = mkOption {
description = lib.mdDoc ''
Settings for trust-dns. The options enumerated here are not exhaustive.
Refer to upstream documentation for all available options:
- [Example settings](https://github.com/bluejekyll/trust-dns/blob/main/tests/test-data/test_configs/example.toml)
'';
type = types.submodule {
freeformType = toml.type;
options = {
listen_addrs_ipv4 = mkOption {
type = types.listOf types.str;
default = [ "0.0.0.0" ];
description = mdDoc ''
List of ipv4 addresses on which to listen for DNS queries.
'';
};
listen_addrs_ipv6 = mkOption {
type = types.listOf types.str;
default = lib.optional config.networking.enableIPv6 "::0";
defaultText = literalExpression ''lib.optional config.networking.enableIPv6 "::0"'';
description = mdDoc ''
List of ipv6 addresses on which to listen for DNS queries.
'';
};
listen_port = mkOption {
type = types.port;
default = 53;
description = mdDoc ''
Port to listen on (applies to all listen addresses).
'';
};
directory = mkOption {
type = types.str;
default = "/var/lib/trust-dns";
description = mdDoc ''
The directory in which trust-dns should look for .zone files,
whenever zones aren't specified by absolute path.
'';
};
zones = mkOption {
description = mdDoc "List of zones to serve.";
default = {};
type = types.listOf (types.coercedTo types.str (zone: { inherit zone; }) zoneType);
};
};
};
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.trust-dns = {
description = "trust-dns Domain Name Server";
unitConfig.Documentation = "https://trust-dns.org/";
serviceConfig = {
ExecStart =
let
flags = (lib.optional cfg.debug "--debug") ++ (lib.optional cfg.quiet "--quiet");
flagsStr = builtins.concatStringsSep " " flags;
in ''
${cfg.package}/bin/trust-dns --config ${configFile} ${flagsStr}
'';
Type = "simple";
Restart = "on-failure";
RestartSec = "10s";
DynamicUser = true;
StateDirectory = "trust-dns";
ReadWritePaths = [ cfg.settings.directory ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
RestrictNamespaces = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
};
}
|