Merge pull request #298742 from FabianRig/technitium-dns-server-module

nixos/technitium-dns-server: init module
2024-04-04 21:43:08 +02:00 · 2024-04-04 21:43:08 +02:00 · 53e51b19d4
commit 53e51b19d4
parent 053ab7f57c e7cc626902
5 changed files with 137 additions and 0 deletions
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1155,6 +1155,7 @@
  ./services/networking/tayga.nix
  ./services/networking/tcpcrypt.nix
  ./services/networking/teamspeak3.nix
+  ./services/networking/technitium-dns-server.nix
  ./services/networking/teleport.nix
  ./services/networking/tetrd.nix
  ./services/networking/tftpd.nix
--- a/nixos/modules/services/networking/technitium-dns-server.nix
+++ b/nixos/modules/services/networking/technitium-dns-server.nix
@ -0,0 +1,109 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.technitium-dns-server;
+  stateDir = "/var/lib/technitium-dns-server";
+  inherit (lib)
+    mkEnableOption
+    mkPackageOption
+    mkOption
+    mkIf
+    types
+    ;
+in
+{
+  options.services.technitium-dns-server = {
+    enable = mkEnableOption "Technitium DNS Server";
+
+    package = mkPackageOption pkgs "technitium-dns-server" { };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to open ports in the firewall.
+        Standard ports are 53 (UDP and TCP, for DNS), 5380 and 53443 (TCP, HTTP and HTTPS for web interface).
+        Specify different or additional ports in options firewallUDPPorts and firewallTCPPorts if necessary.
+      '';
+    };
+
+    firewallUDPPorts = mkOption {
+      type = with types; listOf int;
+      default = [ 53 ];
+      description = ''
+        List of UDP ports to open in firewall.
+      '';
+    };
+
+    firewallTCPPorts = mkOption {
+      type = with types; listOf int;
+      default = [
+        53
+        5380 # web interface HTTP
+        53443 # web interface HTTPS
+      ];
+      description = ''
+        List of TCP ports to open in firewall.
+        You might want to open ports 443 and 853 if you intend to use DNS over HTTPS or DNS over TLS.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.technitium-dns-server = {
+      description = "Technitium DNS Server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/technitium-dns-server ${stateDir}";
+
+        DynamicUser = true;
+
+        StateDirectory = "technitium-dns-server";
+        WorkingDirectory = stateDir;
+        BindPaths = stateDir;
+
+        Restart = "always";
+        RestartSec = 10;
+        TimeoutStopSec = 10;
+        KillSignal = "SIGINT";
+
+        # Harden the service
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+      };
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedUDPPorts = cfg.firewallUDPPorts;
+      allowedTCPPorts = cfg.firewallTCPPorts;
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ fabianrig ];
+}
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -916,6 +916,7 @@ in {
  tang = handleTest ./tang.nix {};
  taskserver = handleTest ./taskserver.nix {};
  tayga = handleTest ./tayga.nix {};
+  technitium-dns-server = handleTest ./technitium-dns-server.nix {};
  teeworlds = handleTest ./teeworlds.nix {};
  telegraf = handleTest ./telegraf.nix {};
  teleport = handleTest ./teleport.nix {};
--- a/nixos/tests/technitium-dns-server.nix
+++ b/nixos/tests/technitium-dns-server.nix
@ -0,0 +1,21 @@
+import ./make-test-python.nix ({pkgs, lib, ...}:
+{
+  name = "technitium-dns-server";
+
+  nodes = {
+    machine = {pkgs, ...}: {
+      services.technitium-dns-server = {
+        enable = true;
+        openFirewall = true;
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("technitium-dns-server.service")
+    machine.wait_for_open_port(53)
+  '';
+
+  meta.maintainers = with lib.maintainers; [ fabianrig ];
+})
--- a/pkgs/by-name/te/technitium-dns-server/package.nix
+++ b/pkgs/by-name/te/technitium-dns-server/package.nix
@ -4,6 +4,7 @@
  fetchurl,
  makeWrapper,
  dotnet-sdk_8,
+  nixosTests,
 }:
 stdenvNoCC.mkDerivation rec {
  pname = "technitium-dns-server";
@ -35,6 +36,10 @@ stdenvNoCC.mkDerivation rec {
    runHook postInstall
  '';

+  passthru.tests = {
+    inherit (nixosTests) technitium-dns-server;
+  };
+
  meta = {
    changelog = "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md";
    description = "Authorative and Recursive DNS server for Privacy and Security";