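{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.dnsdist;

  # dnsdist's address parser only recognises an IPv6 listen address when it is
  # enclosed in square brackets ("[::]:53"); a bare "::" with ":53" appended is
  # not a valid address.  Wrap any address that contains a colon and is not
  # already bracketed, so IPv4 and pre-bracketed values pass through unchanged.
  listenAddr =
    if builtins.match ".*:.*" cfg.listenAddress != null && !(hasPrefix "[" cfg.listenAddress)
    then "[${cfg.listenAddress}]"
    else cfg.listenAddress;

  # The generated file is a Lua script executed by dnsdist.  pkgs.writeText
  # places it in the world-readable Nix store, so extraConfig must not carry
  # secrets (control-socket keys for setKey(), web server passwords, ...);
  # load those from a separately managed file via Lua instead.
  configFile = pkgs.writeText "dnsdist.conf" ''
    setLocal('${listenAddr}:${toString cfg.listenPort}')
    ${cfg.extraConfig}
  '';
in {
  options = {
    services.dnsdist = {
      enable = mkEnableOption "dnsdist domain name server";

      listenAddress = mkOption {
        type = types.str;
        description = ''
          IP address dnsdist listens on.  The default binds every interface;
          restrict the clients that may query it with setACL/addACL in
          extraConfig.  IPv6 addresses may be given with or without brackets.
        '';
        default = "0.0.0.0";
      };
      listenPort = mkOption {
        type = types.int;
        description = "Listen port";
        default = 53;
      };

      extraConfig = mkOption {
        type = types.lines;
        default = ''
        '';
        description = ''
          Extra lines to be added verbatim to dnsdist.conf.  The file is Lua
          and ends up in the Nix store, so it must not contain secrets.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.dnsdist = {
      description = "dnsdist load balancer";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        Restart = "on-failure";
        RestartSec = "1";
        # NOTE(review): newer systemd expects this as StartLimitIntervalSec in
        # the [Unit] section (unitConfig); it is still honoured here.
        StartLimitInterval = "0";
        DynamicUser = true;
        PrivateTmp = true;
        PrivateDevices = true;
        # DynamicUser runs the daemon as an unprivileged user, and
        # CapabilityBoundingSet= only limits capabilities, it never grants
        # them.  Binding the default port 53 (< 1024) therefore needs an
        # ambient capability.  CAP_SETUID/CAP_SETGID are not kept: the process
        # is never root, so it has no privileges to drop.
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        ExecStart = "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}";
        ProtectSystem = "full";
        ProtectHome = true;
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
        LimitNOFILE = "16384";
        TasksMax = "8192";
      };
    };
  };
}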