commit e2ef8b439fbb48308f7387396fa84946259b2bb1 · pyrox.dev/nixpkgs

+23 -8

nixos/modules/services/networking/knot.nix

···

       5
       5
        
       let

     

       6
       6
        
         cfg = config.services.knot;

     

       7
       7
        
       

     

       8
       8
       -
         configFile = pkgs.writeText "knot.conf" cfg.extraConfig;

     

       9
       9
       -
         socketFile = "/run/knot/knot.sock";

     

       8
       8
       +
         configFile = pkgs.writeTextFile {

     

       9
       9
       +
           name = "knot.conf";

     

       10
       10
       +
           text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +

     

       11
       11
       +
                  cfg.extraConfig;

     

       12
       12
       +
           checkPhase = lib.optionalString (cfg.keyFiles == []) ''

     

       13
       13
       +
             ${cfg.package}/bin/knotc --config=$out conf-check

     

       14
       14
       +
           '';

     

       15
       15
       +
         };

     

       10
       16
        
       

     

       11
       11
       -
         knotConfCheck = file: pkgs.runCommand "knot-config-checked"

     

       12
       12
       -
           { buildInputs = [ cfg.package ]; } ''

     

       13
       13
       -
           ln -s ${configFile} $out

     

       14
       14
       -
           knotc --config=${configFile} conf-check

     

       15
       15
       -
         '';

     

       17
       17
       +
         socketFile = "/run/knot/knot.sock";

     

       16
       18
        
       

     

       17
       19
        
         knot-cli-wrappers = pkgs.stdenv.mkDerivation {

     

       18
       20
        
           name = "knot-cli-wrappers";

     
···

       45
       47
        
               '';

     

       46
       48
        
             };

     

       47
       49
        
       

     

       50
       50
       +
             keyFiles = mkOption {

     

       51
       51
       +
               type = types.listOf types.path;

     

       52
       52
       +
               default = [];

     

       53
       53
       +
               description = ''

     

       54
       54
       +
                 A list of files containing additional configuration

     

       55
       55
       +
                 to be included using the include directive. This option

     

       56
       56
       +
                 allows to include configuration like TSIG keys without

     

       57
       57
       +
                 exposing them to the nix store readable to any process.

     

       58
       58
       +
                 Note that using this option will also disable configuration

     

       59
       59
       +
                 checks at build time.

     

       60
       60
       +
               '';

     

       61
       61
       +
             };

     

       62
       62
       +
       

     

       48
       63
        
             extraConfig = mkOption {

     

       49
       64
        
               type = types.lines;

     

       50
       65
        
               default = "";

     
···

       81
       96
        
       

     

       82
       97
        
             serviceConfig = {

     

       83
       98
        
               Type = "notify";

     

       84
       84
       -
               ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";

     

       99
       99
       +
               ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";

     

       85
       100
        
               ExecReload = "${knot-cli-wrappers}/bin/knotc reload";

     

       86
       101
        
               CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";

     

       87
       102
        
               AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";

+13 -2

nixos/tests/knot.nix

···

       28
       28
        
           name = "knot-zones";

     

       29
       29
        
           paths = [ exampleZone delegatedZone ];

     

       30
       30
        
         };

     

       31
       31
       +
         # DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!

     

       32
       32
       +
         tsigFile = pkgs.writeText "tsig.conf" ''

     

       33
       33
       +
           key:

     

       34
       34
       +
             - id: slave_key

     

       35
       35
       +
               algorithm: hmac-sha256

     

       36
       36
       +
               secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=

     

       37
       37
       +
         '';

     

       31
       38
        
       in {

     

       32
       39
        
         name = "knot";

     

       33
       40
        
         meta = with pkgs.stdenv.lib.maintainers; {

     
···

       48
       55
        
             };

     

       49
       56
        
             services.knot.enable = true;

     

       50
       57
        
             services.knot.extraArgs = [ "-v" ];

     

       58
       58
       +
             services.knot.keyFiles = [ tsigFile ];

     

       51
       59
        
             services.knot.extraConfig = ''

     

       52
       60
        
               server:

     

       53
       61
        
                   listen: 0.0.0.0@53

     
···

       56
       64
        
               acl:

     

       57
       65
        
                 - id: slave_acl

     

       58
       66
        
                   address: 192.168.0.2

     

       67
       67
       +
                   key: slave_key

     

       59
       68
        
                   action: transfer

     

       60
       69
        
       

     

       61
       70
        
               remote:

     
···

       103
       112
        
               ];

     

       104
       113
        
             };

     

       105
       114
        
             services.knot.enable = true;

     

       115
       115
       +
             services.knot.keyFiles = [ tsigFile ];

     

       106
       116
        
             services.knot.extraArgs = [ "-v" ];

     

       107
       117
        
             services.knot.extraConfig = ''

     

       108
       118
        
               server:

     
···

       117
       127
        
               remote:

     

       118
       128
        
                 - id: master

     

       119
       129
        
                   address: 192.168.0.1@53

     

       130
       130
       +
                   key: slave_key

     

       120
       131
        
       

     

       121
       132
        
               template:

     

       122
       133
        
                 - id: default

     
···

       155
       166
        
               ];

     

       156
       167
        
             };

     

       157
       168
        
             environment.systemPackages = [ pkgs.knot-dns ];

     

       158
       158
       -
           };    

     

       169
       169
       +
           };

     

       159
       170
        
         };

     

       160
       171
        
       

     

       161
       161
       -
         testScript = { nodes, ... }: let 

     

       172
       172
       +
         testScript = { nodes, ... }: let

     

       162
       173
        
           master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address;

     

       163
       174
        
           master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address;

     

       164
       175