nixos/knot: add keyFiles option #79266
Conversation
|
Because of Maybe rather than |
|
I haven't really thought about best practices for managing these secrets (for knot service). |
|
I though about adding an |
|
I wonder if the risk of omitting the quotation marks is too high (leaking secrets by accident) 🤔 EDIT: I expect such mistakes can be detected in eval-time by some type-checking. |
Usually when using nixops is using something like |
|
About passwordFile like options: #78640 |
|
With the latest commit knot now can do automatic DNSSEC signing. |
Mic92
changed the title
| @@ -5,14 +5,16 @@ with lib; | |||
| let | |||
| cfg = config.services.knot; | |||
|
|
|||
| configFile = pkgs.writeText "knot.conf" cfg.extraConfig; | |||
| socketFile = "/run/knot/knot.sock"; | |||
| configFile = pkgs.writeTextFile { | |||
There was a problem hiding this comment.
I tried to convert nix attrsets to yaml using remarshal. However the yaml subset chosen by knot is too restrictive for that (i.e. expect keys to appear in a certain order).
There was a problem hiding this comment.
Have you seen this thread? If a few people tries this out in practice, I suppose we could make it available as another optional attribute.
There was a problem hiding this comment.
I'm not aware of keys being expected in particular order, though (perhaps I misunderstand). In any case the yaml is stricter than what I see usually (and new yaml is even a super-set of json IIRC).
There was a problem hiding this comment.
I had an issue with an acl rule where the id key was not the first key, which lead to an error. This broke already in the nixos test. Anyway this PR should not interfere with migrating to a different contribute type...
There was a problem hiding this comment.
Oh, that's a known restriction, though not by me until now.
There was a problem hiding this comment.
I think I have an idea how to approach this; hopefully I can get it to work soon. I'll link from here when that happens.
There was a problem hiding this comment.
It didn't really go the way I imagined, but let's continue on #81460
|
Instead of adding an option to disable configuration checks I added a |
|
Here is a real-world example: https://github.com/Mic92/dotfiles/blob/34a97d3292b833fbad8f716f9c37a28eb4121eb1/nixos/eve/modules/knot/default.nix Also the nixos test covers the new feature as well. |
Otherwise knot tries to write to non-writable directories. This for example breaks dnssec signing. While it's possible to overwrite these path in the configuration, having a sane defaults is nicer.
This makes it hard to include secret files. Also using tools like keymgr becomes harder.
This useful to include tsig keys using nixops without adding those world-readable to the nix store.
|
I dropped DynamicUser. Also because of #79928 |
|
@ju1m If you would have a short look at it and give me a thumbs up, I would go forward and merge it! |
nixos/knot: add keyFiles option (cherry picked from commit 466c1df)
Add an option to include configuration not in the nix store.
The use case for this are nixops like tools where the configuration
is not world-readable. Because of knot's DynamicUser we need to
install those files with the correct permission on startup into /var/lib/knot.
Motivation for this change
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)