knot: add keyFiles option

This useful to include tsig keys using nixops without adding those world-readable to the nix store.
2020-02-12 16:35:33 +00:00 · 2020-02-12 16:35:33 +00:00 · e2ef8b439f
commit e2ef8b439f
parent 88029bce39
2 changed files with 36 additions and 10 deletions
--- a/nixos/modules/services/networking/knot.nix
+++ b/nixos/modules/services/networking/knot.nix
@ -5,14 +5,16 @@ with lib;
 let
  cfg = config.services.knot;

-  configFile = pkgs.writeText "knot.conf" cfg.extraConfig;
-  socketFile = "/run/knot/knot.sock";
+  configFile = pkgs.writeTextFile {
+    name = "knot.conf";
+    text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
+           cfg.extraConfig;
+    checkPhase = lib.optionalString (cfg.keyFiles == []) ''
+      ${cfg.package}/bin/knotc --config=$out conf-check
+    '';
+  };

-  knotConfCheck = file: pkgs.runCommand "knot-config-checked"
-    { buildInputs = [ cfg.package ]; } ''
-    ln -s ${configFile} $out
-    knotc --config=${configFile} conf-check
-  '';
+  socketFile = "/run/knot/knot.sock";

  knot-cli-wrappers = pkgs.stdenv.mkDerivation {
    name = "knot-cli-wrappers";
@ -45,6 +47,19 @@ in {
        '';
      };

+      keyFiles = mkOption {
+        type = types.listOf types.path;
+        default = [];
+        description = ''
+          A list of files containing additional configuration
+          to be included using the include directive. This option
+          allows to include configuration like TSIG keys without
+          exposing them to the nix store readable to any process.
+          Note that using this option will also disable configuration
+          checks at build time.
+        '';
+      };
+
      extraConfig = mkOption {
        type = types.lines;
        default = "";
@ -81,7 +96,7 @@ in {

      serviceConfig = {
        Type = "notify";
-        ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
+        ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
        ExecReload = "${knot-cli-wrappers}/bin/knotc reload";
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
        AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
--- a/nixos/tests/knot.nix
+++ b/nixos/tests/knot.nix
@ -28,6 +28,13 @@ let
    name = "knot-zones";
    paths = [ exampleZone delegatedZone ];
  };
+  # DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
+  tsigFile = pkgs.writeText "tsig.conf" ''
+    key:
+      - id: slave_key
+        algorithm: hmac-sha256
+        secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
+  '';
 in {
  name = "knot";
  meta = with pkgs.stdenv.lib.maintainers; {
@ -48,6 +55,7 @@ in {
      };
      services.knot.enable = true;
      services.knot.extraArgs = [ "-v" ];
+      services.knot.keyFiles = [ tsigFile ];
      services.knot.extraConfig = ''
        server:
            listen: 0.0.0.0@53
@ -56,6 +64,7 @@ in {
        acl:
          - id: slave_acl
            address: 192.168.0.2
+            key: slave_key
            action: transfer

        remote:
@ -103,6 +112,7 @@ in {
        ];
      };
      services.knot.enable = true;
+      services.knot.keyFiles = [ tsigFile ];
      services.knot.extraArgs = [ "-v" ];
      services.knot.extraConfig = ''
        server:
@ -117,6 +127,7 @@ in {
        remote:
          - id: master
            address: 192.168.0.1@53
+            key: slave_key

        template:
          - id: default
@ -155,10 +166,10 @@ in {
        ];
      };
      environment.systemPackages = [ pkgs.knot-dns ];
-    };    
+    };
  };

-  testScript = { nodes, ... }: let 
+  testScript = { nodes, ... }: let
    master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address;
    master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address;