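packages: { config, lib, ... }:
# NixOS module for eon, an OCaml DNS server (plus the sibling binaries
# resolved, netcatd, tund and capd shipped in the same package) written with
# effects-based direct-style IO.
#
# Security notes for operators:
#   * the service runs as a dedicated unprivileged user and is granted only
#     CAP_NET_BIND_SERVICE (and CAP_NET_ADMIN for tund's TUNSETIFF);
#   * `openFirewall` defaults to true and `capnpAddress` to 0.0.0.0, so the
#     DNS port and, for capd, the Cap'n Proto port are reachable from the
#     network unless those options are changed;
#   * a Nix *path* given for `capnpSecretKeyFile` is copied into the
#     world-readable Nix store — pass an out-of-store string path instead.
let
  cfg = config.services.eon;
  inherit (lib) mkEnableOption mkIf mkOption types;

  # Where capd looks for its secret key when `capnpSecretKeyFile` is unset.
  # Lives in the service's StateDirectory (created below, mode 0700).
  defaultCapnpSecretKeyFile = "/var/lib/eon/capnp-secret.pem";

  # Capabilities the selected application needs; used for both the ambient
  # set and the bounding set so nothing beyond them can ever be acquired.
  capabilities =
    [ "CAP_NET_BIND_SERVICE" ]
    # for TUNSETIFF
    ++ lib.optional (cfg.application == "tund") "CAP_NET_ADMIN";

  # Arguments only the capd application accepts.
  capdArgs = lib.optionals (cfg.application == "capd") (
    [
      "--capnp-secret-key-file"
      (if cfg.capnpSecretKeyFile != null
       then "${cfg.capnpSecretKeyFile}"
       else defaultCapnpSecretKeyFile)
      "--capnp-listen-address"
      "tcp:${cfg.capnpAddress}:${toString cfg.capnpPort}"
      "--state-dir"
      "/var/lib/eon"
    ]
    ++ lib.optional cfg.prod "--prod"
    # NOTE(review): the flag is spelled "--endpint" exactly as in the original
    # module; confirm against capd's CLI — it looks like it should be
    # "--endpoint". Left unchanged here because the binary's flag set is not
    # visible from this file.
    ++ lib.optionals (cfg.acmeServer != null) [ "--endpint" cfg.acmeServer ]
    ++ lib.concatMap (primary: [ "--primary" primary ]) cfg.primaries
  );

  # Complete argument vector. Building a list and quoting each element keeps
  # every flag separated (the original string concatenation glued "--prod"
  # directly onto "--endpint" when both were set) and protects zone-file
  # paths containing whitespace from being split by systemd.
  args =
    lib.concatMap (zonefile: [ "-z" "${zonefile}" ]) cfg.zoneFiles
    ++ [ "-p" (toString cfg.port) "-l" (toString cfg.logLevel) ]
    ++ capdArgs;
in
{
  options.services.eon = {
    enable =
      mkEnableOption "OCaml DNS Server using effects-based direct-style IO";

    package = mkOption {
      type = types.package;
      default = packages.${config.nixpkgs.hostPlatform.system}.default;
      description = "Package providing the `bin/<application>` binary to run.";
    };

    # todo multiple zones, primary and secondary servers
    zoneFiles = mkOption {
      type = types.listOf (types.either types.str types.path);
      description = ''
        Zone files passed to the server with `-z`. A Nix path is copied into
        the Nix store; a string is used verbatim on the target host.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 53;
      description = "Port the server listens on (TCP and UDP), passed as `-p`.";
    };

    user = mkOption {
      type = types.str;
      default = "eon";
      description = "Unprivileged system user the service runs as.";
    };

    group = mkOption {
      type = types.str;
      default = cfg.user;
      description = "Group the service runs as; defaults to the user's name.";
    };

    logLevel = mkOption {
      type = types.int;
      default = 1;
      description = "Log level passed to the binary as `-l`.";
    };

    application = mkOption {
      type = types.enum [ "eon" "resolved" "netcatd" "tund" "capd" ];
      default = "eon";
      description = ''
        Which binary from the package to run. `capd` additionally takes the
        `capnp*`, `prod`, `acmeServer` and `primaries` options; `tund` is
        granted CAP_NET_ADMIN.
      '';
    };

    openFirewall = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Open `port` (TCP and UDP) and, for `capd`, `capnpPort` in the
        firewall. Note this defaults to true, unlike most NixOS services.
      '';
    };

    capnpAddress = mkOption {
      type = types.str;
      default = "0.0.0.0";
      description = ''
        Address capd's Cap'n Proto endpoint listens on. The default binds
        all interfaces; use `127.0.0.1` to keep it local.
      '';
    };

    capnpPort = mkOption {
      type = types.port;
      default = 7000;
      description = "Port for capd's Cap'n Proto endpoint.";
    };

    capnpSecretKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        File holding capd's secret key. When null,
        `/var/lib/eon/capnp-secret.pem` inside the service state directory is
        used. Pass a *string* path to a file provisioned outside the store
        (e.g. by a secrets manager); a Nix path literal would be copied into
        the world-readable Nix store.
      '';
    };

    prod = mkOption {
      type = types.bool;
      default = true;
      description = "Pass `--prod` to capd.";
    };

    acmeServer = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        ACME Directory Resource URI.
      '';
    };

    primaries = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Primary servers passed to capd, one `--primary` each.";
    };
  };

  config = mkIf cfg.enable {
    systemd.services.eon = {
      description = "eon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart =
          "${cfg.package.out}/bin/${cfg.application} ${lib.escapeShellArgs args}";
        Restart = "always";
        RestartSec = "1s";
        User = cfg.user;
        Group = cfg.group;
        # /var/lib/eon is passed to capd as --state-dir and holds the default
        # secret key, but nothing created it before; have systemd provision it
        # owned by the service user and unreadable to others.
        StateDirectory = "eon";
        StateDirectoryMode = "0700";
        AmbientCapabilities = capabilities;
        CapabilityBoundingSet = capabilities;
        NoNewPrivileges = true;
        # Light sandboxing. /dev is deliberately not made private because tund
        # needs /dev/net/tun; the state directory stays writable under strict.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
      };
    };

    users.users.${cfg.user} = {
      description = "eon";
      useDefaultShell = true;
      group = cfg.group;
      isSystemUser = true;
    };
    users.groups.${cfg.group} = { };

    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts =
        [ cfg.port ] ++ lib.optional (cfg.application == "capd") cfg.capnpPort;
      allowedUDPPorts = [ cfg.port ];
    };
  };
}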