~aasg/nixexprs

ref: ac337f9dfa220039d41bc55f313e06f4205a01b0 nixexprs/modules/services/networking/trust-dns.nix -rw-r--r-- 1.4 KiB
ac337f9d — Aluísio Augusto Silva Gonçalves Revert "trust-dns: Patch to set SO_REUSEADDR on UDP sockets" 9 months ago
                                                                                
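# NixOS module that runs the Trust-DNS `named` binary as a sandboxed
# systemd service.
#
# Options (under services.trust-dns):
#   enable   - turn the service on.
#   package  - package providing bin/named.
#   settings - attribute set rendered to the TOML file passed via `-c`.
{ config, lib, pkgs, ... }:
let
  # Import only the library names this module uses instead of opening all
  # of `lib` with `with`, so every identifier has a visible origin.
  inherit (lib) mkEnableOption mkIf mkOption types;

  format = pkgs.formats.toml { };
  cfg = config.services.trust-dns;

  # The rendered TOML is a Nix store path and therefore readable by every
  # local user. Keep key material and passwords out of `settings`; where
  # the server supports it, reference secrets by the path of a file that
  # lives outside the store.
  configFile = format.generate "named.toml" cfg.settings;
in
{
  options = {
    services.trust-dns = {
      enable = mkEnableOption "Trust-DNS authoritative server";

      package = mkOption {
        type = types.package;
        default = pkgs.trust-dns;
        defaultText = "pkgs.trust-dns";
        description = "Trust-DNS package to use.";
      };

      settings = mkOption {
        type = format.type;
        default = { };
        description = "Additional Trust-DNS settings.";
      };
    };
  };

  config = mkIf cfg.enable {
    # Must stay in sync with StateDirectory below: systemd creates
    # /var/lib/trust-dns and hands it to the service's dynamic user.
    services.trust-dns.settings = {
      directory = "/var/lib/trust-dns";
    };

    environment.systemPackages = [ cfg.package ];

    systemd.services.trust-dns = {
      description = "Trust-DNS authoritative server";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${cfg.package}/bin/named -c ${configFile}";

        # Run as a transient unprivileged user. DynamicUser= already implies
        # several sandboxing settings on its own (see systemd.exec(5)).
        DynamicUser = true;
        ConfigurationDirectory = "trust-dns";
        StateDirectory = "trust-dns";
        Restart = "on-abnormal";

        # The only privilege the daemon keeps is binding to ports below
        # 1024; every other capability is dropped from the bounding set.
        AmbientCapabilities = "cap_net_bind_service";
        CapabilityBoundingSet = "cap_net_bind_service";
        NoNewPrivileges = true;
        PrivateDevices = true;

        # Additional sandboxing for a network-facing parser of untrusted
        # input. None of these are needed to answer DNS queries.
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        # AF_UNIX is kept for local name-service lookups; packet, netlink
        # and other socket families are denied.
        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
      };
    };
  };
}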