knot: add keyFiles option
This useful to include tsig keys using nixops without adding those world-readable to the nix store.
This commit is contained in:
Jörg Thalheim
parent
88029bce39
commit
e2ef8b439f
|
|
@ -5,14 +5,16 @@ with lib;
|
|||
let
|
||||
cfg = config.services.knot;
|
||||
|
||||
configFile = pkgs.writeText "knot.conf" cfg.extraConfig;
|
||||
socketFile = "/run/knot/knot.sock";
|
||||
configFile = pkgs.writeTextFile {
|
||||
name = "knot.conf";
|
||||
text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
|
||||
cfg.extraConfig;
|
||||
checkPhase = lib.optionalString (cfg.keyFiles == []) ''
|
||||
${cfg.package}/bin/knotc --config=$out conf-check
|
||||
'';
|
||||
};
|
||||
|
||||
knotConfCheck = file: pkgs.runCommand "knot-config-checked"
|
||||
{ buildInputs = [ cfg.package ]; } ''
|
||||
ln -s ${configFile} $out
|
||||
knotc --config=${configFile} conf-check
|
||||
'';
|
||||
socketFile = "/run/knot/knot.sock";
|
||||
|
||||
knot-cli-wrappers = pkgs.stdenv.mkDerivation {
|
||||
name = "knot-cli-wrappers";
|
||||
|
|
@ -45,6 +47,19 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
keyFiles = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [];
|
||||
description = ''
|
||||
A list of files containing additional configuration
|
||||
to be included using the include directive. This option
|
||||
allows to include configuration like TSIG keys without
|
||||
exposing them to the nix store readable to any process.
|
||||
Note that using this option will also disable configuration
|
||||
checks at build time.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
|
|
@ -81,7 +96,7 @@ in {
|
|||
|
||||
serviceConfig = {
|
||||
Type = "notify";
|
||||
ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
|
||||
ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
|
||||
ExecReload = "${knot-cli-wrappers}/bin/knotc reload";
|
||||
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
|
||||
|
|
|
|||
|
|
@ -28,6 +28,13 @@ let
|
|||
name = "knot-zones";
|
||||
paths = [ exampleZone delegatedZone ];
|
||||
};
|
||||
# DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
|
||||
tsigFile = pkgs.writeText "tsig.conf" ''
|
||||
key:
|
||||
- id: slave_key
|
||||
algorithm: hmac-sha256
|
||||
secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
|
||||
'';
|
||||
in {
|
||||
name = "knot";
|
||||
meta = with pkgs.stdenv.lib.maintainers; {
|
||||
|
|
@ -48,6 +55,7 @@ in {
|
|||
};
|
||||
services.knot.enable = true;
|
||||
services.knot.extraArgs = [ "-v" ];
|
||||
services.knot.keyFiles = [ tsigFile ];
|
||||
services.knot.extraConfig = ''
|
||||
server:
|
||||
listen: 0.0.0.0@53
|
||||
|
|
@ -56,6 +64,7 @@ in {
|
|||
acl:
|
||||
- id: slave_acl
|
||||
address: 192.168.0.2
|
||||
key: slave_key
|
||||
action: transfer
|
||||
|
||||
remote:
|
||||
|
|
@ -103,6 +112,7 @@ in {
|
|||
];
|
||||
};
|
||||
services.knot.enable = true;
|
||||
services.knot.keyFiles = [ tsigFile ];
|
||||
services.knot.extraArgs = [ "-v" ];
|
||||
services.knot.extraConfig = ''
|
||||
server:
|
||||
|
|
@ -117,6 +127,7 @@ in {
|
|||
remote:
|
||||
- id: master
|
||||
address: 192.168.0.1@53
|
||||
key: slave_key
|
||||
|
||||
template:
|
||||
- id: default
|
||||
|
|
@ -155,10 +166,10 @@ in {
|
|||
];
|
||||
};
|
||||
environment.systemPackages = [ pkgs.knot-dns ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = { nodes, ... }: let
|
||||
testScript = { nodes, ... }: let
|
||||
master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address;
|
||||
master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue