author | Pol Dellaiera <pol.dellaiera@protonmail.com> | 2024-04-04 21:43:08 +0200 |
committer | GitHub <noreply@github.com> | 2024-04-04 21:43:08 +0200 |
commit | 53e51b19d48fb3e54b81c65caade88188d1cf31d (patch) | |
tree | 77b8d934c69722ad84b1dfdad3c9b0d5d4108124 /nixos | |
parent | 053ab7f57cb02e4e1945618f1e6dba148a5419a5 (diff) | |
parent | e7cc6269022c0430685c51a86b8b9b5d48e45126 (diff) |
Merge pull request #298742 from FabianRig/technitium-dns-server-module
nixos/technitium-dns-server: init module
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/technitium-dns-server.nix | 109 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/technitium-dns-server.nix | 21 |
4 files changed, 132 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 178be2ab25c40..6578b52918c60 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1155,6 +1155,7 @@
 ./services/networking/tayga.nix
 ./services/networking/tcpcrypt.nix
 ./services/networking/teamspeak3.nix
+ ./services/networking/technitium-dns-server.nix
 ./services/networking/teleport.nix
 ./services/networking/tetrd.nix
 ./services/networking/tftpd.nix
diff --git a/nixos/modules/services/networking/technitium-dns-server.nix b/nixos/modules/services/networking/technitium-dns-server.nix
new file mode 100644
index 0000000000000..0c8499e072d4f
--- /dev/null
+++ b/nixos/modules/services/networking/technitium-dns-server.nix
@@ -0,0 +1,109 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.services.technitium-dns-server;
+ stateDir = "/var/lib/technitium-dns-server";
+ inherit (lib)
+ mkEnableOption
+ mkPackageOption
+ mkOption
+ mkIf
+ types
+ ;
+in
+{
+ options.services.technitium-dns-server = {
+ enable = mkEnableOption "Technitium DNS Server";
+
+ package = mkPackageOption pkgs "technitium-dns-server" { };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open ports in the firewall.
+ Standard ports are 53 (UDP and TCP, for DNS), 5380 and 53443 (TCP, HTTP and HTTPS for web interface).
+ Specify different or additional ports in options firewallUDPPorts and firewallTCPPorts if necessary.
+ '';
+ };
+
+ firewallUDPPorts = mkOption {
+ type = with types; listOf int;
+ default = [ 53 ];
+ description = ''
+ List of UDP ports to open in firewall.
+ '';
+ };
+
+ firewallTCPPorts = mkOption {
+ type = with types; listOf int;
+ default = [
+ 53
+ 5380 # web interface HTTP
+ 53443 # web interface HTTPS
+ ];
+ description = ''
+ List of TCP ports to open in firewall.
+ You might want to open ports 443 and 853 if you intend to use DNS over HTTPS or DNS over TLS.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.technitium-dns-server = {
+ description = "Technitium DNS Server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/technitium-dns-server ${stateDir}";
+
+ DynamicUser = true;
+
+ StateDirectory = "technitium-dns-server";
+ WorkingDirectory = stateDir;
+ BindPaths = stateDir;
+
+ Restart = "always";
+ RestartSec = 10;
+ TimeoutStopSec = 10;
+ KillSignal = "SIGINT";
+
+ # Harden the service
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ };
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedUDPPorts = cfg.firewallUDPPorts;
+ allowedTCPPorts = cfg.firewallTCPPorts;
+ };
+ };
+
+ meta.maintainers = with lib.maintainers; [ fabianrig ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index cc8f5959f006d..0069610b3f7d6 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -916,6 +916,7 @@ in {
 tang = handleTest ./tang.nix {};
 taskserver = handleTest ./taskserver.nix {};
 tayga = handleTest ./tayga.nix {};
+ technitium-dns-server = handleTest ./technitium-dns-server.nix {};
 teeworlds = handleTest ./teeworlds.nix {};
 telegraf = handleTest ./telegraf.nix {};
 teleport = handleTest ./teleport.nix {};
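Review bot: With `openFirewall = true` the default `firewallTCPPorts` opens the administrative web interface (5380 plain HTTP, 53443 HTTPS) on every interface alongside port 53, and neither option description says that this exposes the management UI rather than only the resolver. I would extend the `firewallTCPPorts` description with `Note that 5380 and 53443 expose the administrative web interface; set this to [ 53 ] if the UI should only be reachable from a trusted network.` so operators do not publish the admin UI by accident. In the `# Harden the service` block the unit has no syscall restrictions; `SystemCallArchitectures = "native";` and `SystemCallFilter = [ "@system-service" ];` are the usual companions to `ProtectSystem = "strict"`, but the server's runtime should be exercised under them before merging since managed runtimes occasionally need calls outside that set. `ProtectProc = "invisible";` and `UMask = "0077";` would likewise fit the existing hardening set without changing the service interface.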
diff --git a/nixos/tests/technitium-dns-server.nix b/nixos/tests/technitium-dns-server.nix
new file mode 100644
index 0000000000000..016c9d4ecead5
--- /dev/null
+++ b/nixos/tests/technitium-dns-server.nix
@@ -0,0 +1,21 @@
+import ./make-test-python.nix ({pkgs, lib, ...}:
+{
+ name = "technitium-dns-server";
+
+ nodes = {
+ machine = {pkgs, ...}: {
+ services.technitium-dns-server = {
+ enable = true;
+ openFirewall = true;
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("technitium-dns-server.service")
+ machine.wait_for_open_port(53)
+ '';
+
+ meta.maintainers = with lib.maintainers; [ fabianrig ];
+})
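Review bot: The test stops at `machine.wait_for_open_port(53)`, so it never checks that the web interface the module opens by default (5380) actually comes up, nor that the service can answer a query from inside its hardened sandbox, which is exactly what a later tightening of the unit's sandboxing would break. Adding `machine.wait_for_open_port(5380)` covers the first; a `dig` from `pkgs.dnsutils` against `127.0.0.1` could cover the second, provided the expected answer accounts for the test VM having no upstream connectivity. Minor style: `pkgs` is bound in both the outer `({pkgs, lib, ...}:` and the inner `machine = {pkgs, ...}:` lambda and used in neither, and the inner binding shadows the outer one.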