Merge pull request #298742 from FabianRig/technitium-dns-server-module

nixos/technitium-dns-server: init module

4 files changed, 132 insertions, 0 deletions

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 178be2ab25c40..6578b52918c60 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1155,6 +1155,7 @@
   ./services/networking/tayga.nix
   ./services/networking/tcpcrypt.nix
   ./services/networking/teamspeak3.nix
+  ./services/networking/technitium-dns-server.nix
   ./services/networking/teleport.nix
   ./services/networking/tetrd.nix
   ./services/networking/tftpd.nix
diff --git a/nixos/modules/services/networking/technitium-dns-server.nix b/nixos/modules/services/networking/technitium-dns-server.nix
new file mode 100644
index 0000000000000..0c8499e072d4f
--- /dev/null
+++ b/nixos/modules/services/networking/technitium-dns-server.nix
@@ -0,0 +1,109 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.technitium-dns-server;
+  stateDir = "/var/lib/technitium-dns-server";
+  inherit (lib)
+    mkEnableOption
+    mkPackageOption
+    mkOption
+    mkIf
+    types
+    ;
+in
+{
+  options.services.technitium-dns-server = {
+    enable = mkEnableOption "Technitium DNS Server";
+
+    package = mkPackageOption pkgs "technitium-dns-server" { };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to open ports in the firewall.
+        Standard ports are 53 (UDP and TCP, for DNS), 5380 and 53443 (TCP, HTTP and HTTPS for web interface).
+        Specify different or additional ports in options firewallUDPPorts and firewallTCPPorts if necessary.
+      '';
+    };
+
+    firewallUDPPorts = mkOption {
+      type = with types; listOf int;
+      default = [ 53 ];
+      description = ''
+        List of UDP ports to open in firewall.
+      '';
+    };
+
+    firewallTCPPorts = mkOption {
+      type = with types; listOf int;
+      default = [
+        53
+        5380 # web interface HTTP
+        53443 # web interface HTTPS
+      ];
+      description = ''
+        List of TCP ports to open in firewall.
+        You might want to open ports 443 and 853 if you intend to use DNS over HTTPS or DNS over TLS.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.technitium-dns-server = {
+      description = "Technitium DNS Server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/technitium-dns-server ${stateDir}";
+
+        DynamicUser = true;
+
+        StateDirectory = "technitium-dns-server";
+        WorkingDirectory = stateDir;
+        BindPaths = stateDir;
+
+        Restart = "always";
+        RestartSec = 10;
+        TimeoutStopSec = 10;
+        KillSignal = "SIGINT";
+
+        # Harden the service
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+      };
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedUDPPorts = cfg.firewallUDPPorts;
+      allowedTCPPorts = cfg.firewallTCPPorts;
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ fabianrig ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index cc8f5959f006d..0069610b3f7d6 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -916,6 +916,7 @@ in {
   tang = handleTest ./tang.nix {};
   taskserver = handleTest ./taskserver.nix {};
   tayga = handleTest ./tayga.nix {};
+  technitium-dns-server = handleTest ./technitium-dns-server.nix {};
   teeworlds = handleTest ./teeworlds.nix {};
   telegraf = handleTest ./telegraf.nix {};
   teleport = handleTest ./teleport.nix {};
diff --git a/nixos/tests/technitium-dns-server.nix b/nixos/tests/technitium-dns-server.nix
new file mode 100644
index 0000000000000..016c9d4ecead5
--- /dev/null
+++ b/nixos/tests/technitium-dns-server.nix
@@ -0,0 +1,21 @@
+import ./make-test-python.nix ({pkgs, lib, ...}:
+{
+  name = "technitium-dns-server";
+
+  nodes = {
+    machine = {pkgs, ...}: {
+      services.technitium-dns-server = {
+        enable = true;
+        openFirewall = true;
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("technitium-dns-server.service")
+    machine.wait_for_open_port(53)
+  '';
+
+  meta.maintainers = with lib.maintainers; [ fabianrig ];
+})