nixos/nixops-dns: init #34511
Conversation
in
{
  options = {
One more thing that needs to be considered: the nixops database location. The current nixops-dns implementation will always look into the current user's home dir https://github.com/kamilchm/nixops-dns/blob/f6c3f79a09e649033b49e9403d654bdc1308612f/main.go#L20-L28
Do you have an idea how to make it usable in a system service?
I've tried to address this via the user option ("The user the nixops-dns daemon should run as.") which propagates to serviceConfig User = cfg.user; below. Not sure about the group though.
];
extraConfig = ''
  bind-interfaces
  listen-address=127.0.0.1
Would it not make more sense to set listenAddress to port 53 and give the service the cap_net_bind_service capability to bind privileged ports? You can take a look at the caddy service on how to do this.
To be able to still resolve internet domains via dnsmasq while only *.ops are forwarded to nixops-dns.
There should be an option to disable dnsmasq in the nixops-dns module to make it less opinionated. Also, it is a sane default, but some other people may prefer to run unbound or knot-resolver instead.
@Mic92 do you consider this a blocker or can it be added/iterated upon later?
I'll update this to make dnsmasq setup an option (enabled by default).
Done.
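An added sketch, not the PR's own module, of how the points raised in this thread fit together: a user option that propagates to serviceConfig.User, dnsmasq in front by default forwarding only the .ops zone, and CAP_NET_BIND_SERVICE instead of root when dnsmasq is disabled and nixops-dns must bind port 53 itself. The nixops-dns --addr flag and the backend port 5300 are assumptions.

```nix
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.nixops-dns;
  # Port nixops-dns binds to (assumed); unprivileged when dnsmasq is in front.
  backendPort = if cfg.dnsmasq.enable then 5300 else 53;
in
{
  options.services.nixops-dns = {
    enable = mkEnableOption "nixops-dns";
    user = mkOption {
      type = types.str;
      description = ''
        The user the nixops-dns daemon should run as; nixops-dns reads the
        NixOps deployment database from this user's home directory.
      '';
    };
    dnsmasq.enable = mkOption {
      type = types.bool;
      default = true;
      description = "Run dnsmasq in front and forward only *.ops to nixops-dns.";
    };
  };

  config = mkIf cfg.enable {
    systemd.services.nixops-dns = {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # The --addr flag is an assumption; check nixops-dns --help.
        ExecStart = "${pkgs.nixops-dns}/bin/nixops-dns --addr 127.0.0.1:${toString backendPort}";
        User = cfg.user;
        # Binding port 53 directly needs only this capability, not root.
        AmbientCapabilities = optional (!cfg.dnsmasq.enable) "CAP_NET_BIND_SERVICE";
      };
    };

    services.dnsmasq = mkIf cfg.dnsmasq.enable {
      enable = true;
      extraConfig = ''
        bind-interfaces
        listen-address=127.0.0.1
        # Only the .ops zone goes to nixops-dns; other names use the upstream servers.
        server=/ops/127.0.0.1#${toString backendPort}
      '';
    };
  };
}
```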
c258f3c to cef80c3
Motivation for this change
More awesome NixOps experience.
Things done