lol

kresd service: add listenTLS option

Also fix some deficiencies in the systemd multi-socket setup.

+23
+23
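--- a/nixos/modules/services/networking/kresd.nix
+++ b/nixos/modules/services/networking/kresd.nix
@@ -46,6 +46,15 @@
         What addresses the server should listen on. (UDP+TCP 53)
       '';
     };
+    listenTLS = mkOption {
+      type = with types; listOf str;
+      default = [];
+      example = [ "198.51.100.1:853" "[2001:db8::1]:853" "853" ];
+      description = ''
+        Addresses on which kresd should provide DNS over TLS (see RFC 7858).
+        For detailed syntax see ListenStream in man systemd.socket.
+      '';
+    };
     # TODO: perhaps options for more common stuff like cache size or forwarding
   };
 
@@ -75,6 +84,18 @@
     socketConfig.FreeBind = true;
   };
 
+  systemd.sockets.kresd-tls = mkIf (cfg.listenTLS != []) rec {
+    wantedBy = [ "sockets.target" ];
+    before = wantedBy;
+    partOf = [ "kresd.socket" ];
+    listenStreams = cfg.listenTLS;
+    socketConfig = {
+      FileDescriptorName = "tls";
+      FreeBind = true;
+      Service = "kresd.service";
+    };
+  };
+
   systemd.sockets.kresd-control = rec {
     wantedBy = [ "sockets.target" ];
     before = wantedBy;
@@ -97,6 +118,8 @@
       Type = "notify";
       WorkingDirectory = cfg.cacheDir;
       Restart = "on-failure";
+      Sockets = [ "kresd.socket" "kresd-control.socket" ]
+        ++ optional (cfg.listenTLS != []) "kresd-tls.socket";
     };
 
     # Trust anchor goes from dns-root-data by default.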
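Review bot: The listenTLS option description in the first hunk says nothing about the TLS credentials a DNS-over-TLS listener needs, and nothing in these hunks provisions a certificate or key for kresd; as far as this commit shows, setting listenTLS only opens the port via systemd socket activation. Unless the module supplies the TLS material elsewhere (outside this view), the description should tell the operator that kresd must still be configured with its own certificate and key, e.g. append `Note that kresd must additionally be configured with a TLS certificate and key (in its own configuration) for these listeners to answer queries.` to the description. It would also help to note that a bare port such as `"853"` in the example binds every interface, as ListenStream does, so operators choosing it should expect the resolver to be reachable from all addresses on the host. The enclosing systemd.services.kresd block in the third hunk starts and ends outside the hunk.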