489ca7e5c0
As discussed in #18718 PrivateTmp is unnecessary because powerdns is chrooted to /var/lib/powerdns. I also added myself as co-maintainer.
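{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.powerdns;

  # pdns.conf is rendered into the Nix store, which is world-readable on the
  # host. Anything written into `extraConfig` (backend passwords, API keys,
  # TSIG secrets) is therefore visible to every local user.
  configDir = pkgs.writeTextDir "pdns.conf" cfg.extraConfig;

in {

  options = {

    services.powerdns = {

      enable = mkEnableOption "Powerdns domain name server";

      extraConfig = mkOption {
        type = types.lines;
        default = "launch=bind";
        description = ''
          Extra lines to be added verbatim to pdns.conf.

          Powerdns will chroot to /var/lib/powerdns.
          So any file powerdns is supposed to read
          should be in /var/lib/powerdns and needs to be specified
          relative to the chroot.

          The resulting pdns.conf is stored in the world-readable Nix
          store, so do not put secrets (database passwords, API keys,
          TSIG keys) into this option.
        '';
      };

    };

  };

  config = mkIf cfg.enable {

    systemd.services.pdns = {
      unitConfig.Documentation = "man:pdns_server(1) man:pdns_control(1)";
      description = "Powerdns name server";
      wantedBy = [ "multi-user.target" ];
      # Ordering only; the backend services are not pulled in as dependencies.
      after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ];

      serviceConfig = {
        Restart = "on-failure";
        RestartSec = "1";
        # NOTE(review): newer systemd spells this StartLimitIntervalSec= in
        # [Unit]; the [Service] form is kept for compatibility - confirm it is
        # still honored by the target systemd.
        StartLimitInterval = "0";
        PrivateDevices = true;
        # pdns_server is started as root and drops privileges itself
        # (--chroot, then --setuid/--setgid), so it needs exactly the
        # capabilities for that hand-over plus CAP_NET_BIND_SERVICE for port 53.
        CapabilityBoundingSet = "CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT";
        NoNewPrivileges = true;
        # The chroot directory is created by root. Keep it root-owned and not
        # writable by the unprivileged service user, otherwise the chroot
        # offers little protection.
        ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/powerdns";
        # Runs as nobody/nogroup, an identity shared with other unprivileged
        # services; a dedicated pdns user would isolate it better.
        # --socket-dir=/ is meant to resolve inside the chroot, i.e. the
        # control socket should appear under /var/lib/powerdns on the host -
        # point pdns_control at that directory (verify on the target).
        ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=nobody --setgid=nogroup --chroot=/var/lib/powerdns --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";
        # "full" leaves /var writable, which the chroot directory needs;
        # "strict" would additionally require ReadWritePaths/StateDirectory.
        ProtectSystem = "full";
        ProtectHome = true;
        # No PrivateTmp: /tmp is outside the chroot and never reachable anyway.
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
      };
    };

  };

}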