New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/knot: add keyFiles option #79266
Conversation
Because of
Maybe rather than |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand your use case and the change is fine with me.
I haven't really thought about best practices for managing these secrets (for knot service). |
I though about adding an |
I wonder if the risk of omitting the quotation marks is too high (leaking secrets by accident) 🤔 EDIT: I expect such mistakes can be detected in eval-time by some type-checking. |
Usually when using nixops is using something like |
About passwordFile like options: #78640 |
With the latest commit knot now can do automatic DNSSEC signing. |
@@ -5,14 +5,16 @@ with lib; | |||
let | |||
cfg = config.services.knot; | |||
|
|||
configFile = pkgs.writeText "knot.conf" cfg.extraConfig; | |||
socketFile = "/run/knot/knot.sock"; | |||
configFile = pkgs.writeTextFile { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to convert nix attrsets to yaml using remarshal
. However the yaml subset chosen by knot is too restrictive for that (i.e. expect keys to appear in a certain order).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you seen this thread? If a few people tries this out in practice, I suppose we could make it available as another optional attribute.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not aware of keys being expected in particular order, though (perhaps I misunderstand). In any case the yaml is stricter than what I see usually (and new yaml is even a super-set of json IIRC).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had an issue with an acl rule where the id
key was not the first key, which lead to an error. This broke already in the nixos test. Anyway this PR should not interfere with migrating to a different contribute type...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, that's a known restriction, though not by me until now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I have an idea how to approach this; hopefully I can get it to work soon. I'll link from here when that happens.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It didn't really go the way I imagined, but let's continue on #81460
Instead of adding an option to disable configuration checks I added a |
Here is a real-world example: https://github.com/Mic92/dotfiles/blob/34a97d3292b833fbad8f716f9c37a28eb4121eb1/nixos/eve/modules/knot/default.nix Also the nixos test covers the new feature as well. |
Otherwise knot tries to write to non-writable directories. This for example breaks dnssec signing. While it's possible to overwrite these path in the configuration, having a sane defaults is nicer.
This makes it hard to include secret files. Also using tools like keymgr becomes harder.
This useful to include tsig keys using nixops without adding those world-readable to the nix store.
I dropped DynamicUser. Also because of #79928 |
@ju1m If you would have a short look at it and give me a thumbs up, I would go forward and merge it! |
nixos/knot: add keyFiles option (cherry picked from commit 466c1df)
Add an option to include configuration not in the nix store.
The use case for this are nixops like tools where the configuration
is not world-readable. Because of knot's DynamicUser we need to
install those files with the correct permission on startup into /var/lib/knot.
Motivation for this change
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)