Merge pull request #79266 from Mic92/knot
nixos/knot: add keyFiles option
commit
466c1df3e2
|
@ -5,14 +5,16 @@ with lib;
|
|||
let
|
||||
cfg = config.services.knot;
|
||||
|
||||
configFile = pkgs.writeText "knot.conf" cfg.extraConfig;
|
||||
socketFile = "/run/knot/knot.sock";
|
||||
configFile = pkgs.writeTextFile {
|
||||
name = "knot.conf";
|
||||
text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
|
||||
cfg.extraConfig;
|
||||
checkPhase = lib.optionalString (cfg.keyFiles == []) ''
|
||||
${cfg.package}/bin/knotc --config=$out conf-check
|
||||
'';
|
||||
};
|
||||
|
||||
knotConfCheck = file: pkgs.runCommand "knot-config-checked"
|
||||
{ buildInputs = [ cfg.package ]; } ''
|
||||
ln -s ${configFile} $out
|
||||
knotc --config=${configFile} conf-check
|
||||
'';
|
||||
socketFile = "/run/knot/knot.sock";
|
||||
|
||||
knot-cli-wrappers = pkgs.stdenv.mkDerivation {
|
||||
name = "knot-cli-wrappers";
|
||||
|
@ -45,6 +47,19 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
keyFiles = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [];
|
||||
description = ''
|
||||
A list of files containing additional configuration
|
||||
to be included using the include directive. This option
|
||||
allows to include configuration like TSIG keys without
|
||||
exposing them to the nix store readable to any process.
|
||||
Note that using this option will also disable configuration
|
||||
checks at build time.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
|
@ -65,6 +80,13 @@ in {
|
|||
};
|
||||
|
||||
config = mkIf config.services.knot.enable {
|
||||
users.users.knot = {
|
||||
isSystemUser = true;
|
||||
group = "knot";
|
||||
description = "Knot daemon user";
|
||||
};
|
||||
|
||||
users.groups.knot.gid = null;
|
||||
systemd.services.knot = {
|
||||
unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
|
||||
description = cfg.package.meta.description;
|
||||
|
@ -74,12 +96,12 @@ in {
|
|||
|
||||
serviceConfig = {
|
||||
Type = "notify";
|
||||
ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
|
||||
ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
|
||||
ExecReload = "${knot-cli-wrappers}/bin/knotc reload";
|
||||
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
|
||||
NoNewPrivileges = true;
|
||||
DynamicUser = "yes";
|
||||
User = "knot";
|
||||
RuntimeDirectory = "knot";
|
||||
StateDirectory = "knot";
|
||||
StateDirectoryMode = "0700";
|
||||
|
|
|
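Review bot: The `keyFiles` option declared in the second hunk is typed `types.listOf types.path`, so a Nix path literal such as `./tsig.conf` is copied into the world-readable store, which defeats the purpose its description states; only an absolute path written as a string stays out of the store. Suggest extending the description with `Give these as strings (e.g. "/var/lib/knot/tsig.conf"), not as Nix path literals, which are copied into the nix store.` The included file must also be readable by the service's `knot` user at runtime (the unit runs with `User = "knot"` and a 0700 `StateDirectory` of `/var/lib/knot` per the last hunk, which is a natural place for such files), and because the `checkPhase` in the first hunk is skipped whenever `keyFiles` is non-empty, a missing or unreadable key file only surfaces when `knotd` starts rather than at build time. The `include: ${file}` lines are emitted unquoted, which is fine for store and plain absolute paths; a one-line comment saying so would save the next reader a check.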
@ -28,6 +28,13 @@ let
|
|||
name = "knot-zones";
|
||||
paths = [ exampleZone delegatedZone ];
|
||||
};
|
||||
# DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
|
||||
tsigFile = pkgs.writeText "tsig.conf" ''
|
||||
key:
|
||||
- id: slave_key
|
||||
algorithm: hmac-sha256
|
||||
secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
|
||||
'';
|
||||
in {
|
||||
name = "knot";
|
||||
meta = with pkgs.stdenv.lib.maintainers; {
|
||||
|
@ -48,6 +55,7 @@ in {
|
|||
};
|
||||
services.knot.enable = true;
|
||||
services.knot.extraArgs = [ "-v" ];
|
||||
services.knot.keyFiles = [ tsigFile ];
|
||||
services.knot.extraConfig = ''
|
||||
server:
|
||||
listen: 0.0.0.0@53
|
||||
|
@ -56,6 +64,7 @@ in {
|
|||
acl:
|
||||
- id: slave_acl
|
||||
address: 192.168.0.2
|
||||
key: slave_key
|
||||
action: transfer
|
||||
|
||||
remote:
|
||||
|
@ -103,6 +112,7 @@ in {
|
|||
];
|
||||
};
|
||||
services.knot.enable = true;
|
||||
services.knot.keyFiles = [ tsigFile ];
|
||||
services.knot.extraArgs = [ "-v" ];
|
||||
services.knot.extraConfig = ''
|
||||
server:
|
||||
|
@ -117,6 +127,7 @@ in {
|
|||
remote:
|
||||
- id: master
|
||||
address: 192.168.0.1@53
|
||||
key: slave_key
|
||||
|
||||
template:
|
||||
- id: default
|
||||
|
@ -155,10 +166,10 @@ in {
|
|||
];
|
||||
};
|
||||
environment.systemPackages = [ pkgs.knot-dns ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = { nodes, ... }: let
|
||||
testScript = { nodes, ... }: let
|
||||
master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address;
|
||||
master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address;
|
||||
|
||||
|
|
|
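Review bot: The test feeds `keyFiles` a store path produced by `pkgs.writeText` (as the comment in the first hunk itself warns against), so it never exercises the scenario the option exists for: a key file outside the store that the `knot` service user must be able to read. A follow-up could have one node place the TSIG file under the unit's state directory with restrictive permissions and verify the transfer still succeeds, so a regression in the unit's user or directory settings would be caught; this is a suggestion, not something the current hunks show failing. The enclosing `let` and the node definitions continue outside the visible hunks. Separately, the comment reads `This put secrets in the nix store!`; `This puts secrets` is the intended wording.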
@ -1,5 +1,6 @@
|
|||
{ stdenv, fetchurl, pkgconfig, gnutls, liburcu, lmdb, libcap_ng, libidn2, libunistring
|
||||
, systemd, nettle, libedit, zlib, libiconv, libintl
|
||||
, autoreconfHook
|
||||
}:
|
||||
|
||||
let inherit (stdenv.lib) optional optionals; in
|
||||
|
@ -16,7 +17,19 @@ stdenv.mkDerivation rec {
|
|||
|
||||
outputs = [ "bin" "out" "dev" ];
|
||||
|
||||
nativeBuildInputs = [ pkgconfig ];
|
||||
configureFlags = [
|
||||
"--with-configdir=/etc/knot"
|
||||
"--with-rundir=/run/knot"
|
||||
"--with-storage=/var/lib/knot"
|
||||
];
|
||||
|
||||
patches = [
|
||||
# Don't try to create directories like /var/lib/knot at build time.
|
||||
# They are later created from NixOS itself.
|
||||
./dont-create-run-time-dirs.patch
|
||||
];
|
||||
|
||||
nativeBuildInputs = [ pkgconfig autoreconfHook ];
|
||||
buildInputs = [
|
||||
gnutls liburcu libidn2 libunistring
|
||||
nettle libedit
|
||||
|
@ -33,7 +46,9 @@ stdenv.mkDerivation rec {
|
|||
doCheck = true;
|
||||
doInstallCheck = false; # needs pykeymgr?
|
||||
|
||||
postInstall = ''rm -r "$out"/var "$out"/lib/*.la'';
|
||||
postInstall = ''
|
||||
rm -r "$out"/lib/*.la
|
||||
'';
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "Authoritative-only DNS server from .cz domain registry";
|
||||
|
|
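Review bot: The three `--with-*` flags added in the second hunk hard-code `/etc/knot`, `/run/knot` and `/var/lib/knot` into the package without saying why, while the NixOS module in this same PR still spells `/run/knot/knot.sock` out in its own `socketFile`; a comment such as `# Default directories match the NixOS module's RuntimeDirectory/StateDirectory "knot"` would make the coupling visible, hedged as the intent inferred from the module change. The `postInstall` rewrite in the third hunk drops the `rm -r "$out"/var`, presumably because the vendored patch stops the build from creating those directories; if any other install target still writes under `$out/var`, that content would now be kept, so it is worth confirming the output tree after the patch.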
32
pkgs/servers/dns/knot-dns/dont-create-run-time-dirs.patch
Normal file
|
@ -0,0 +1,32 @@
|
|||
diff --git a/samples/Makefile.am b/samples/Makefile.am
|
||||
index c253c91..107401d 100644
|
||||
--- a/samples/Makefile.am
|
||||
+++ b/samples/Makefile.am
|
||||
@@ -19,11 +19,6 @@ EXTRA_DIST = knot.sample.conf.in example.com.zone
|
||||
|
||||
if HAVE_DAEMON
|
||||
|
||||
-install-data-local: knot.sample.conf
|
||||
- if [ \! -f $(DESTDIR)/$(config_dir)/knot.sample.conf ]; then \
|
||||
- $(INSTALL) -d $(DESTDIR)/$(config_dir); \
|
||||
- $(INSTALL_DATA) knot.sample.conf $(srcdir)/example.com.zone $(DESTDIR)/$(config_dir); \
|
||||
- fi
|
||||
uninstall-local:
|
||||
-rm -rf $(DESTDIR)/$(config_dir)/knot.sample.conf \
|
||||
$(DESTDIR)/$(config_dir)/example.com.zone
|
||||
diff --git a/src/utils/Makefile.inc b/src/utils/Makefile.inc
|
||||
index e6765d9..d859d23 100644
|
||||
--- a/src/utils/Makefile.inc
|
||||
+++ b/src/utils/Makefile.inc
|
||||
@@ -79,11 +79,6 @@ endif HAVE_DNSTAP
|
||||
endif HAVE_UTILS
|
||||
|
||||
if HAVE_DAEMON
|
||||
-# Create storage and run-time directories
|
||||
-install-data-hook:
|
||||
- $(INSTALL) -d $(DESTDIR)/@config_dir@
|
||||
- $(INSTALL) -d $(DESTDIR)/@run_dir@
|
||||
- $(INSTALL) -d $(DESTDIR)/@storage_dir@
|
||||
|
||||
sbin_PROGRAMS = knotc knotd
|
||||
|