1 files changed, 126 insertions, 0 deletions
diff --git a/modules/knot.nix b/modules/knot.nix
new file mode 100644
index 00000000..a4691324
--- /dev/null
+++ b/modules/knot.nix
@@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.knot;
+  configFile = pkgs.writeTextFile {
+    name = "knot.conf";
+    text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
+           cfg.extraConfig;
+    checkPhase = lib.optionalString (cfg.keyFiles == []) ''
+      ${cfg.package}/bin/knotc --config=$out conf-check
+    '';
+  };
+  socketFile = "/run/knot/knot.sock";
+  knot-cli-wrappers = pkgs.stdenv.mkDerivation {
+    name = "knot-cli-wrappers";
+    buildInputs = [ pkgs.makeWrapper ];
+    buildCommand = ''
+      mkdir -p $out/bin
+      makeWrapper ${cfg.package}/bin/knotc "$out/bin/knotc" \
+        --add-flags "--config=${configFile}" \
+        --add-flags "--socket=${socketFile}"
+      makeWrapper ${cfg.package}/bin/keymgr "$out/bin/keymgr" \
+        --add-flags "--config=${configFile}"
+      for executable in kdig khost kjournalprint knsec3hash knsupdate kzonecheck
+      do
+        ln -s "${cfg.package}/bin/$executable" "$out/bin/$executable"
+      done
+      mkdir -p "$out/share"
+      ln -s '${cfg.package}/share/man' "$out/share/"
+    '';
+  };
+in {
+  disabledModules = [ "services/networking/knot.nix" ];
+  options = {
+    services.knot = {
+      enable = mkEnableOption "Knot authoritative-only DNS server";
+      extraArgs = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          List of additional command line paramters for knotd
+        '';
+      };
+      keyFiles = mkOption {
+        type = types.listOf types.path;
+        default = [];
+        description = ''
+          A list of files containing additional configuration
+          to be included using the include directive. This option
+          allows to include configuration like TSIG keys without
+          exposing them to the nix store readable to any process.
+          Note that using this option will also disable configuration
+          checks at build time.
+        '';
+      };
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Extra lines to be added verbatim to knot.conf
+        '';
+      };
+      package = mkOption {
+        type = types.package;
+        default = pkgs.knot-dns;
+        defaultText = "pkgs.knot-dns";
+        description = ''
+          Which Knot DNS package to use
+        '';
+      };
+      cliWrappers = mkOption {
+        readOnly = true;
+        type = types.package;
+        default = knot-cli-wrappers;
+        defaultText = "knot-cli-wrappers";
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    users.users.knot = {
+      isSystemUser = true;
+      group = "knot";
+      description = "Knot daemon user";
+    };
+    users.groups.knot.gid = null;
+    systemd.services.knot = {
+      unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
+      description = cfg.package.meta.description;
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network.target" ];
+      after = ["network.target" ];
+      serviceConfig = {
+        Type = "notify";
+        ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
+        ExecReload = "${cfg.cliWrappers}/bin/knotc reload";
+        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
+        NoNewPrivileges = true;
+        User = "knot";
+        RuntimeDirectory = "knot";
+        StateDirectory = "knot";
+        StateDirectoryMode = "0700";
+        PrivateDevices = true;
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+        SystemCallArchitectures = "native";
+        Restart = "on-abort";
+      };
+    };
+    environment.systemPackages = [ cfg.cliWrappers ];
+  };
+}

diff --git a/modules/knot.nix b/modules/knot.nix new file mode 100644 index 00000000..a4691324 --- /dev/null +++ b/modules/knot.nix
@@ -0,0 +1,126 @@
	1	{ config, lib, pkgs, ... }:
	2
	3	with lib;
	4
	5	let
	6	cfg = config.services.knot;
	7
	8	configFile = pkgs.writeTextFile {
	9	name = "knot.conf";
	10	text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
	11	cfg.extraConfig;
	12	checkPhase = lib.optionalString (cfg.keyFiles == []) ''
	13	${cfg.package}/bin/knotc --config=$out conf-check
	14	'';
	15	};
	16
	17	socketFile = "/run/knot/knot.sock";
	18
	19	knot-cli-wrappers = pkgs.stdenv.mkDerivation {
	20	name = "knot-cli-wrappers";
	21	buildInputs = [ pkgs.makeWrapper ];
	22	buildCommand = ''
	23	mkdir -p $out/bin
	24	makeWrapper ${cfg.package}/bin/knotc "$out/bin/knotc" \
	25	--add-flags "--config=${configFile}" \
	26	--add-flags "--socket=${socketFile}"
	27	makeWrapper ${cfg.package}/bin/keymgr "$out/bin/keymgr" \
	28	--add-flags "--config=${configFile}"
	29	for executable in kdig khost kjournalprint knsec3hash knsupdate kzonecheck
	30	do
	31	ln -s "${cfg.package}/bin/$executable" "$out/bin/$executable"
	32	done
	33	mkdir -p "$out/share"
	34	ln -s '${cfg.package}/share/man' "$out/share/"
	35	'';
	36	};
	37	in {
	38	disabledModules = [ "services/networking/knot.nix" ];
	39
	40	options = {
	41	services.knot = {
	42	enable = mkEnableOption "Knot authoritative-only DNS server";
	43
	44	extraArgs = mkOption {
	45	type = types.listOf types.str;
	46	default = [];
	47	description = ''
	48	List of additional command line paramters for knotd
	49	'';
	50	};
	51
	52	keyFiles = mkOption {
	53	type = types.listOf types.path;
	54	default = [];
	55	description = ''
	56	A list of files containing additional configuration
	57	to be included using the include directive. This option
	58	allows to include configuration like TSIG keys without
	59	exposing them to the nix store readable to any process.
	60	Note that using this option will also disable configuration
	61	checks at build time.
	62	'';
	63	};
	64
	65	extraConfig = mkOption {
	66	type = types.lines;
	67	default = "";
	68	description = ''
	69	Extra lines to be added verbatim to knot.conf
	70	'';
	71	};
	72
	73	package = mkOption {
	74	type = types.package;
	75	default = pkgs.knot-dns;
	76	defaultText = "pkgs.knot-dns";
	77	description = ''
	78	Which Knot DNS package to use
	79	'';
	80	};
	81
	82	cliWrappers = mkOption {
	83	readOnly = true;
	84	type = types.package;
	85	default = knot-cli-wrappers;
	86	defaultText = "knot-cli-wrappers";
	87	};
	88	};
	89	};
	90
	91	config = mkIf cfg.enable {
	92	users.users.knot = {
	93	isSystemUser = true;
	94	group = "knot";
	95	description = "Knot daemon user";
	96	};
	97
	98	users.groups.knot.gid = null;
	99	systemd.services.knot = {
	100	unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
	101	description = cfg.package.meta.description;
	102	wantedBy = [ "multi-user.target" ];
	103	wants = [ "network.target" ];
	104	after = ["network.target" ];
	105
	106	serviceConfig = {
	107	Type = "notify";
	108	ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
	109	ExecReload = "${cfg.cliWrappers}/bin/knotc reload";
	110	CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
	111	AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
	112	NoNewPrivileges = true;
	113	User = "knot";
	114	RuntimeDirectory = "knot";
	115	StateDirectory = "knot";
	116	StateDirectoryMode = "0700";
	117	PrivateDevices = true;
	118	RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
	119	SystemCallArchitectures = "native";
	120	Restart = "on-abort";
	121	};
	122	};
	123
	124	environment.systemPackages = [ cfg.cliWrappers ];
	125	};
	126	}