~aasg/nixexprs

0f74d5e478bbcf77d01fd9e6bde8c35cb418beb8 — Aluísio Augusto Silva Gonçalves 8 months ago 8f8da4f
trust-dns: Use systemd's DynamicUser feature

We don't really need a static user.  Zone files can be owned by root and
world-readable, and DNSSEC keys… guess I'll figure them out shortly.
1 files changed, 7 insertions(+), 21 deletions(-)

M modules/services/networking/trust-dns.nix
M modules/services/networking/trust-dns.nix => modules/services/networking/trust-dns.nix +7 -21
@@ 17,18 17,6 @@ in
        description = "Trust-DNS package to use.";
      };

      user = mkOption {
        type = types.str;
        default = "trust-dns";
        description = "User under which the Trust-DNS server runs";
      };

      group = mkOption {
        type = types.str;
        default = "trust-dns";
        description = "Group under which the Trust-DNS server runs";
      };

      settings = mkOption {
        type = format.type;
        default = { };


@@ 38,6 26,10 @@ in
  };

  config = mkIf cfg.enable {
    services.trust-dns.settings = {
      directory = "/var/lib/trust-dns";
    };

    environment.systemPackages = [ cfg.package ];

    systemd.services.trust-dns = {


@@ 48,20 40,14 @@ in
      serviceConfig = {
        Type = "simple";
        ExecStart = "${cfg.package}/bin/named -c ${configFile}";
        User = cfg.user;
        Group = cfg.group;
        DynamicUser = true;
        ConfigurationDirectory = "trust-dns";
        StateDirectory = "trust-dns";
        Restart = "on-abnormal";
        StartLimitInterval = 14400;
        StartLimitBurst = 10;
        AmbientCapabilities = "cap_net_bind_service";
        CapabilityBoundingSet = "cap_net_bind_service";
        NoNewPrivileges = true;
        LimitNPROC = 512;
        LimitNOFILE = 1048576;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
        TimeoutStopSec = "5s";
      };
    };
  };
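Review bot: The DNSSEC private-key case is left open by the `serviceConfig` change (`DynamicUser = true;` with `ConfigurationDirectory`/`StateDirectory`), and the description's "owned by root and world-readable" approach for zone files must not be carried over to key files. With a dynamically allocated UID there is no stable owner to chown keys to ahead of time, and systemd leaves the configuration directory root-owned, so a key stored there is readable by the service only if other local users can read it too. Keys should live under the state directory, which systemd assigns to the service user (an explicit `StateDirectoryMode = "0700";` would pin that down), or be handed in with `LoadCredential=`. I would add a comment above `DynamicUser = true;` such as `# DNSSEC keys: keep under StateDirectory or pass via LoadCredential; never place them in the config directory`. The rendered page has lost its +/- markers, so which of the hardening lines (`NoNewPrivileges`, `PrivateTmp`, `ProtectHome`) remain on the new side cannot be confirmed from here.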