nixpkgs/nixos/modules/services/networking/powerdns.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.powerdns;
  configDir = pkgs.writeTextDir "pdns.conf" "${cfg.extraConfig}";
in {
  options = {
    services.powerdns = {
      enable = mkEnableOption "Powerdns domain name server";

      extraConfig = mkOption {
        type = types.lines;
        default = "launch=bind";
        description = ''
          Extra lines to be added verbatim to pdns.conf.
          Powerdns will chroot to /var/lib/powerdns.
          So any file, powerdns is supposed to be read,
          should be in /var/lib/powerdns and needs to specified
          relative to the chroot.
        '';
      };
    };
  };

  config = mkIf config.services.powerdns.enable {
    systemd.services.pdns = {
      unitConfig.Documentation = "man:pdns_server(1) man:pdns_control(1)";
      description = "Powerdns name server";
      wantedBy = [ "multi-user.target" ];
      after = ["network.target" "mysql.service" "postgresql.service" "openldap.service"];

      serviceConfig = {
        Restart="on-failure";
        RestartSec="1";
        StartLimitInterval="0";
        PrivateDevices=true;
        CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT";
        NoNewPrivileges=true;
        ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/powerdns";
        ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=nobody --setgid=nogroup --chroot=/var/lib/powerdns --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";
        ProtectSystem="full";
        ProtectHome=true;
        RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6";
      };
    };
  };
}
powerdns: init at 4.0.1 fixes #18703 2016-09-17 23:30:27 +02:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.services.powerdns;`
			`configDir = pkgs.writeTextDir "pdns.conf" "${cfg.extraConfig}";`
			`in {`
			`options = {`
			`services.powerdns = {`
			`enable = mkEnableOption "Powerdns domain name server";`

			`extraConfig = mkOption {`
			`type = types.lines;`
			`default = "launch=bind";`
			`description = ''`
			`Extra lines to be added verbatim to pdns.conf.`
			`Powerdns will chroot to /var/lib/powerdns.`
			`So any file, powerdns is supposed to be read,`
			`should be in /var/lib/powerdns and needs to specified`
			`relative to the chroot.`
			`'';`
			`};`
			`};`
			`};`

			`config = mkIf config.services.powerdns.enable {`
			`systemd.services.pdns = {`
			`unitConfig.Documentation = "man:pdns_server(1) man:pdns_control(1)";`
			`description = "Powerdns name server";`
			`wantedBy = [ "multi-user.target" ];`
			`after = ["network.target" "mysql.service" "postgresql.service" "openldap.service"];`

			`serviceConfig = {`
			`Restart="on-failure";`
			`RestartSec="1";`
			`StartLimitInterval="0";`
			`PrivateDevices=true;`
			`CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT";`
			`NoNewPrivileges=true;`
			`ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/powerdns";`
			`ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=nobody --setgid=nogroup --chroot=/var/lib/powerdns --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";`
			`ProtectSystem="full";`
			`ProtectHome=true;`
			`RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6";`
			`};`
			`};`
			`};`
			`}`