public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #79266 from Mic92/knot

Browse Source 
nixos/knot: add keyFiles option
This commit is contained in:
Jörg Thalheim 2020-02-15 11:15:03 +00:00 committed by GitHub
commit 466c1df3e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 93 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
nixos/modules/services/networking/knot.nix
View File

@ -5,14 +5,16 @@ with lib;
let let
cfg = config.services.knot; cfg = config.services.knot;
configFile = pkgs.writeText "knot.conf" cfg.extraConfig; configFile = pkgs.writeTextFile {
socketFile = "/run/knot/knot.sock"; name = "knot.conf";
text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
cfg.extraConfig;
checkPhase = lib.optionalString (cfg.keyFiles == []) ''
${cfg.package}/bin/knotc --config=$out conf-check
'';
};
knotConfCheck = file: pkgs.runCommand "knot-config-checked" socketFile = "/run/knot/knot.sock";
{ buildInputs = [ cfg.package ]; } ''
ln -s ${configFile} $out
knotc --config=${configFile} conf-check
'';
knot-cli-wrappers = pkgs.stdenv.mkDerivation { knot-cli-wrappers = pkgs.stdenv.mkDerivation {
name = "knot-cli-wrappers"; name = "knot-cli-wrappers";
@ -45,6 +47,19 @@ in {
''; '';
}; };
keyFiles = mkOption {
type = types.listOf types.path;
default = [];
description = ''
A list of files containing additional configuration
to be included using the include directive. This option
allows to include configuration like TSIG keys without
exposing them to the nix store readable to any process.
Note that using this option will also disable configuration
checks at build time.
'';
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -65,6 +80,13 @@ in {
}; };
config = mkIf config.services.knot.enable { config = mkIf config.services.knot.enable {
users.users.knot = {
isSystemUser = true;
group = "knot";
description = "Knot daemon user";
};
users.groups.knot.gid = null;
systemd.services.knot = { systemd.services.knot = {
unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/"; unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
description = cfg.package.meta.description; description = cfg.package.meta.description;
@ -74,12 +96,12 @@ in {
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}"; ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
ExecReload = "${knot-cli-wrappers}/bin/knotc reload"; ExecReload = "${knot-cli-wrappers}/bin/knotc reload";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP"; AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
NoNewPrivileges = true; NoNewPrivileges = true;
DynamicUser = "yes"; User = "knot";
RuntimeDirectory = "knot"; RuntimeDirectory = "knot";
StateDirectory = "knot"; StateDirectory = "knot";
StateDirectoryMode = "0700"; StateDirectoryMode = "0700";

11
nixos/tests/knot.nix
View File

@ -28,6 +28,13 @@ let
name = "knot-zones"; name = "knot-zones";
paths = [ exampleZone delegatedZone ]; paths = [ exampleZone delegatedZone ];
}; };
# DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
tsigFile = pkgs.writeText "tsig.conf" ''
key:
- id: slave_key
algorithm: hmac-sha256
secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
'';
in { in {
name = "knot"; name = "knot";
meta = with pkgs.stdenv.lib.maintainers; { meta = with pkgs.stdenv.lib.maintainers; {
@ -48,6 +55,7 @@ in {
}; };
services.knot.enable = true; services.knot.enable = true;
services.knot.extraArgs = [ "-v" ]; services.knot.extraArgs = [ "-v" ];
services.knot.keyFiles = [ tsigFile ];
services.knot.extraConfig = '' services.knot.extraConfig = ''
server: server:
listen: 0.0.0.0@53 listen: 0.0.0.0@53
@ -56,6 +64,7 @@ in {
acl: acl:
- id: slave_acl - id: slave_acl
address: 192.168.0.2 address: 192.168.0.2
key: slave_key
action: transfer action: transfer
remote: remote:
@ -103,6 +112,7 @@ in {
]; ];
}; };
services.knot.enable = true; services.knot.enable = true;
services.knot.keyFiles = [ tsigFile ];
services.knot.extraArgs = [ "-v" ]; services.knot.extraArgs = [ "-v" ];
services.knot.extraConfig = '' services.knot.extraConfig = ''
server: server:
@ -117,6 +127,7 @@ in {
remote: remote:
- id: master - id: master
address: 192.168.0.1@53 address: 192.168.0.1@53
key: slave_key
template: template:
- id: default - id: default

19
pkgs/servers/dns/knot-dns/default.nix
View File

@ -1,5 +1,6 @@
{ stdenv, fetchurl, pkgconfig, gnutls, liburcu, lmdb, libcap_ng, libidn2, libunistring { stdenv, fetchurl, pkgconfig, gnutls, liburcu, lmdb, libcap_ng, libidn2, libunistring
, systemd, nettle, libedit, zlib, libiconv, libintl , systemd, nettle, libedit, zlib, libiconv, libintl
, autoreconfHook
}: }:
let inherit (stdenv.lib) optional optionals; in let inherit (stdenv.lib) optional optionals; in
@ -16,7 +17,19 @@ stdenv.mkDerivation rec {
outputs = [ "bin" "out" "dev" ]; outputs = [ "bin" "out" "dev" ];
nativeBuildInputs = [ pkgconfig ]; configureFlags = [
"--with-configdir=/etc/knot"
"--with-rundir=/run/knot"
"--with-storage=/var/lib/knot"
];
patches = [
# Don't try to create directories like /var/lib/knot at build time.
# They are later created from NixOS itself.
./dont-create-run-time-dirs.patch
];
nativeBuildInputs = [ pkgconfig autoreconfHook ];
buildInputs = [ buildInputs = [
gnutls liburcu libidn2 libunistring gnutls liburcu libidn2 libunistring
nettle libedit nettle libedit
@ -33,7 +46,9 @@ stdenv.mkDerivation rec {
doCheck = true; doCheck = true;
doInstallCheck = false; # needs pykeymgr? doInstallCheck = false; # needs pykeymgr?
postInstall = ''rm -r "$out"/var "$out"/lib/*.la''; postInstall = ''
rm -r "$out"/lib/*.la
'';
meta = with stdenv.lib; { meta = with stdenv.lib; {
description = "Authoritative-only DNS server from .cz domain registry"; description = "Authoritative-only DNS server from .cz domain registry";

32
pkgs/servers/dns/knot-dns/dont-create-run-time-dirs.patch Normal file
View File

@ -0,0 +1,32 @@
diff --git a/samples/Makefile.am b/samples/Makefile.am
index c253c91..107401d 100644
--- a/samples/Makefile.am
+++ b/samples/Makefile.am
@@ -19,11 +19,6 @@ EXTRA_DIST = knot.sample.conf.in example.com.zone
if HAVE_DAEMON
-install-data-local: knot.sample.conf
- if [ \! -f $(DESTDIR)/$(config_dir)/knot.sample.conf ]; then \
- $(INSTALL) -d $(DESTDIR)/$(config_dir); \
- $(INSTALL_DATA) knot.sample.conf $(srcdir)/example.com.zone $(DESTDIR)/$(config_dir); \
- fi
uninstall-local:
-rm -rf $(DESTDIR)/$(config_dir)/knot.sample.conf \
$(DESTDIR)/$(config_dir)/example.com.zone
diff --git a/src/utils/Makefile.inc b/src/utils/Makefile.inc
index e6765d9..d859d23 100644
--- a/src/utils/Makefile.inc
+++ b/src/utils/Makefile.inc
@@ -79,11 +79,6 @@ endif HAVE_DNSTAP
endif HAVE_UTILS
if HAVE_DAEMON
-# Create storage and run-time directories
-install-data-hook:
- $(INSTALL) -d $(DESTDIR)/@config_dir@
- $(INSTALL) -d $(DESTDIR)/@run_dir@
- $(INSTALL) -d $(DESTDIR)/@storage_dir@
sbin_PROGRAMS = knotc knotd