| Message ID | 20190419212255.20209-1-julien@lepiller.eu |
|---|---|
| State | Accepted |
| Series | [bug#35329] gnu: knot-service: Add includes field in configuration. |
| Context | Check | Description |
|---|---|---|
| cbaines/applying patch | success | Successfully applied |
Julien Lepiller <julien@lepiller.eu> wrote:

> * gnu/services/dns.scm (knot-configuration): Add includes field.
> (verify-knot-configuration): Check includes content.
> (knot-config-file): Serialize includes.
> * doc/guix.texi (DNS Services): Document it.

[...]

> +@item @code{includes} (default: @code{'()})
> +A list of strings or file-like objects denoting other files that must be
> +included at the top of the configuration file. This is especially useful
                                                   ^
I’d make a new paragraph here.

> +for including key configuration from outside the store, since keys should
> +not be readable by every user. It can also be used to add configuration
> +not supported by this interface.

What about:

  @cindex secrets, Knot service
  This can be used to manage secrets out-of-band. For example, secret keys
  may be stored in an out-of-band file not managed by Guix, and thus not
  visible in @file{/gnu/store}---e.g., you could store secret key
  configuration in @file{/etc/knot/secrets.conf} and add this file to the
  @code{includes} list.

  It can also be used […]

LGTM!

Thanks,
Ludo’.
On Wed, 24 Apr 2019 14:34:15 +0200, Ludovic Courtès <ludo@gnu.org> wrote:

> Julien Lepiller <julien@lepiller.eu> wrote:
>
> > * gnu/services/dns.scm (knot-configuration): Add includes field.
> > (verify-knot-configuration): Check includes content.
> > (knot-config-file): Serialize includes.
> > * doc/guix.texi (DNS Services): Document it.
>
> [...]
>
> > +@item @code{includes} (default: @code{'()})
> > +A list of strings or file-like objects denoting other files that must be
> > +included at the top of the configuration file. This is especially useful
>                                                    ^
> I’d make a new paragraph here.
>
> > +for including key configuration from outside the store, since keys should
> > +not be readable by every user. It can also be used to add configuration
> > +not supported by this interface.
>
> What about:
>
>   @cindex secrets, Knot service
>   This can be used to manage secrets out-of-band. For example, secret keys
>   may be stored in an out-of-band file not managed by Guix, and thus not
>   visible in @file{/gnu/store}---e.g., you could store secret key
>   configuration in @file{/etc/knot/secrets.conf} and add this file to the
>   @code{includes} list.
>
>   It can also be used […]
>
> LGTM!
>
> Thanks,
> Ludo’.

Pushed as 92eb600f8a94afa36142f8f145efaa485b632433, thanks!
diff --git a/doc/guix.texi b/doc/guix.texi index 8c7522f286..d61fd1c7a9 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -19814,6 +19814,13 @@ The Knot package. @item @code{run-directory} (default: @code{"/var/run/knot"}) The run directory. This directory will be used for pid file and sockets. +@item @code{includes} (default: @code{'()}) +A list of strings or file-like objects denoting other files that must be +included at the top of the configuration file. This is especially useful +for including key configuration from outside the store, since keys should +not be readable by every user. It can also be used to add configuration +not supported by this interface. + @item @code{listen-v4} (default: @code{"0.0.0.0"}) An ip address on which to listen. diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm index 1ef754b360..445e03570a 100644 --- a/gnu/services/dns.scm +++ b/gnu/services/dns.scm @@ -207,6 +207,8 @@ (default knot)) (run-directory knot-configuration-run-directory (default "/var/run/knot")) + (includes knot-configuration-includes + (default '())) (listen-v4 knot-configuration-listen-v4 (default "0.0.0.0")) (listen-v6 knot-configuration-listen-v6 @@ -296,6 +298,8 @@ (error-out "knot configuration field must be a package.")) (unless (string? (knot-configuration-run-directory config)) (error-out "run-directory must be a string.")) + (unless (list? (knot-configuration-includes config)) + (error-out "includes must be a list of strings or file-like objects.")) (unless (list? (knot-configuration-keys config)) (error-out "keys must be a list of knot-key-configuration.")) (for-each (lambda (key) (verify-knot-key-configuration key)) 
@@ -529,6 +533,10 @@ #~(begin (call-with-output-file #$output (lambda (port) + (if (knot-configuration-includes config) + (for-each (lambda (inc) + (format port "include: ~a\n" inc)) + (knot-configuration-includes config))) (format port "server:\n") (format port " rundir: ~a\n" #$(knot-configuration-run-directory config)) (format port " user: knot\n")
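Review bot: The `@item @code{includes}` entry in the doc/guix.texi hunk should spell out what each kind of element does: a string is copied verbatim into knot.conf as an `include:` line, so a path such as @file{/etc/knot/secrets.conf} is read by Knot at runtime from outside the store, whereas a file-like object is built into @file{/gnu/store}, which every user can read and which is therefore the wrong place for keys. Splitting the paragraph after "This is especially useful" and adopting the `@cindex secrets, Knot service` wording proposed in the thread would make that distinction explicit for readers who reach for this field to hold TSIG keys.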
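Review bot: The new check in the verify-knot-configuration hunk only asserts `(list? (knot-configuration-includes config))`, so the error message "includes must be a list of strings or file-like objects." promises more than is verified; a list holding a number or a symbol passes here and only fails later, at build time, with a far less helpful error. Mirror the adjacent `keys` check, which walks its list with `for-each`, and validate each element, for example `(unless (every (lambda (inc) (or (string? inc) (file-like? inc))) (knot-configuration-includes config)) (error-out "includes must be a list of strings or file-like objects."))`, with `every` from SRFI-1 and `file-like?` from (guix gexp).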
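Review bot: In the knot-config-file hunk, `(knot-configuration-includes config)` is referenced inside the `#~(begin ...)` gexp without `#$`, unlike `#$(knot-configuration-run-directory config)` a few lines below, so at build time `config` is not in scope and file-like objects would never be lowered to their store file names. Write it as `'#$(knot-configuration-includes config)` (quoted, because the spliced list would otherwise be evaluated as a procedure call). The enclosing `(if (knot-configuration-includes config) ...)` can then go: `'()` is true in Scheme, so the test never skips anything, and `for-each` over an empty list is already a no-op.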