# NixOS module for the PowerDNS authoritative name server (services.powerdns).
# The entire server configuration is supplied verbatim through extraConfig and
# rendered into a pdns.conf that lives in the Nix store.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.powerdns;
in
{
  options.services.powerdns = {
    enable = lib.mkEnableOption "Powerdns domain name server";

    extraConfig = lib.mkOption {
      type = lib.types.lines;
      default = "launch=bind";
      description = ''
        Extra lines to be added verbatim to pdns.conf.
        Powerdns will chroot to /var/lib/powerdns.
        So any file, powerdns is supposed to be read,
        should be in /var/lib/powerdns and needs to specified
        relative to the chroot.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.pdns =
      let
        # NOTE(review): writeTextDir places pdns.conf in the Nix store, which is
        # world-readable. Anything sensitive written into extraConfig (for
        # example a backend database password) is therefore readable by every
        # local user; confirm that is acceptable before credentials go in here.
        configDir = pkgs.writeTextDir "pdns.conf" cfg.extraConfig;
      in {
        description = "Powerdns name server";
        unitConfig.Documentation = "man:pdns_server(1) man:pdns_control(1)";
        wantedBy = [ "multi-user.target" ];
        # Ordered after the usual backends so a database-backed pdns does not
        # come up before the store it is configured to use.
        after = [
          "network.target"
          "mysql.service"
          "postgresql.service"
          "openldap.service"
        ];

        serviceConfig = {
          # The chroot directory is (re)created on every start. No mode or
          # ownership is set here, so it gets whatever mkdir's defaults give.
          ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/powerdns";
          # No User= is set, so pdns starts as root, chroots into
          # /var/lib/powerdns and drops to nobody/nogroup on its own; the
          # bounding set below keeps only the capabilities needed for that
          # (chroot, setuid/setgid, chown, binding a privileged port).
          # --socket-dir=/ is interpreted inside the chroot, so the control
          # socket presumably ends up directly in /var/lib/powerdns on the host.
          ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=nobody --setgid=nogroup --chroot=/var/lib/powerdns --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";

          # Restart after any failure; StartLimitInterval=0 switches off the
          # start rate limit, so a crash-looping server is restarted without
          # bound, one second apart.
          Restart = "on-failure";
          RestartSec = "1";
          StartLimitInterval = "0";

          # Sandboxing: no device nodes, read-only system dirs, no home dirs,
          # only unix/ip sockets, and no privilege escalation after start.
          CapabilityBoundingSet = "CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT";
          NoNewPrivileges = true;
          PrivateDevices = true;
          ProtectHome = true;
          ProtectSystem = "full";
          RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
        };
      };
  };
}