pyrox.dev / nixpkgs
lol
fork atom

kresd service: add listenTLS option

Also fix some deficiencies in the systemd multi-socket stuff.

Vladimír Čunát 05d6a7ed 47d47925

options
unified split
Changed files
+23
nixos
modules
services
networking
kresd.nix
+23
nixos/modules/services/networking/kresd.nix 
···

       
46

       
46

       
 

       
        What addresses the server should listen on. (UDP+TCP 53)


     

       
47

       
47

       
 

       
      '';


     

       
48

       
48

       
 

       
    };


     

       

       
49

       
+

       
    listenTLS = mkOption {


     

       

       
50

       
+

       
      type = with types; listOf str;


     

       

       
51

       
+

       
      default = [];


     

       

       
52

       
+

       
      example = [ "198.51.100.1:853" "[2001:db8::1]:853" "853" ];


     

       

       
53

       
+

       
      description = ''


     

       

       
54

       
+

       
        Addresses on which kresd should provide DNS over TLS (see RFC 7858).


     

       

       
55

       
+

       
        For detailed syntax see ListenStream in man systemd.socket.


     

       

       
56

       
+

       
      '';


     

       

       
57

       
+

       
    };


     

       
49

       
58

       
 

       
    # TODO: perhaps options for more common stuff like cache size or forwarding


     

       
50

       
59

       
 

       
  };


     

       
51

       
60

       
 

       



     
···

       
75

       
84

       
 

       
      socketConfig.FreeBind = true;


     

       
76

       
85

       
 

       
    };


     

       
77

       
86

       
 

       



     

       

       
87

       
+

       
    systemd.sockets.kresd-tls = mkIf (cfg.listenTLS != []) rec {


     

       

       
88

       
+

       
      wantedBy = [ "sockets.target" ];


     

       

       
89

       
+

       
      before = wantedBy;


     

       

       
90

       
+

       
      partOf = [ "kresd.socket" ];


     

       

       
91

       
+

       
      listenStreams = cfg.listenTLS;


     

       

       
92

       
+

       
      socketConfig = {


     

       

       
93

       
+

       
        FileDescriptorName = "tls";


     

       

       
94

       
+

       
        FreeBind = true;


     

       

       
95

       
+

       
        Service = "kresd.service";


     

       

       
96

       
+

       
      };


     

       

       
97

       
+

       
    };


     

       

       
98

       
+

       



     

       
78

       
99

       
 

       
    systemd.sockets.kresd-control = rec {


     

       
79

       
100

       
 

       
      wantedBy = [ "sockets.target" ];


     

       
80

       
101

       
 

       
      before = wantedBy;


     
···

       
97

       
118

       
 

       
        Type = "notify";


     

       
98

       
119

       
 

       
        WorkingDirectory = cfg.cacheDir;


     

       
99

       
120

       
 

       
        Restart = "on-failure";


     

       

       
121

       
+

       
        Sockets = [ "kresd.socket" "kresd-control.socket" ]


     

       

       
122

       
+

       
          ++ optional (cfg.listenTLS != []) "kresd-tls.socket";


     

       
100

       
123

       
 

       
      };


     

       
101

       
124

       
 

       



     

       
102

       
125

       
 

       
      # Trust anchor goes from dns-root-data by default.