JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nixos/powerdns: add secretFile option

Browse Source
This commit is contained in:
netali 2022-12-26 02:01:03 +01:00
parent 00a40e2cf4
commit 64a957a7d1
No known key found for this signature in database
GPG Key ID: 9C55E636426B40A9
1 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
nixos/modules/services/networking/powerdns.nix
View File

@ -5,6 +5,7 @@ with lib;
let
cfg = config.services.powerdns;
configDir = pkgs.writeTextDir "pdns.conf" "${cfg.extraConfig}";
finalConfigDir = if cfg.secretFile == null then configDir else "/run/pdns";
in {
options = {
services.powerdns = {
@ -19,6 +20,19 @@ in {
for details on supported values.
'';
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/powerdns.env";
description = lib.mdDoc ''
Environment variables from this file will be interpolated into the
final config file using envsubst with this syntax: `$ENVIRONMENT`
or `''${VARIABLE}`.
The file should contain lines formatted as `SECRET_VAR=SECRET_VALUE`.
This is useful to avoid putting secrets into the nix store.
'';
};
};
};
@ -31,7 +45,13 @@ in {
after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ];
serviceConfig = {
ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile;
ExecStartPre = lib.optional (cfg.secretFile != null)
(pkgs.writeShellScript "pdns-pre-start" ''
umask 077
${pkgs.envsubst}/bin/envsubst -i "${configDir}/pdns.conf" > ${finalConfigDir}/pdns.conf
'');
ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${finalConfigDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
};
};