{ config, lib, pkgs, ... }: let cfg = config.services.flashdns; in { options.services.flashdns = { enable = lib.mkEnableOption "flashdns service"; port = lib.mkOption { type = lib.types.port; default = 6000; description = "Port for flashdns API"; }; dnsPort = lib.mkOption { type = lib.types.port; default = 53; description = "Port for flashdns DNS service"; }; dataDir = lib.mkOption { type = lib.types.path; default = "/var/lib/flashdns"; description = "Data directory for flashdns"; }; settings = lib.mkOption { type = lib.types.attrs; default = {}; description = "Additional configuration settings"; }; package = lib.mkOption { type = lib.types.package; default = pkgs.flashdns-server or (throw "flashdns-server package not found"); description = "Package to use for flashdns"; }; }; config = lib.mkIf cfg.enable { # Create system user users.users.flashdns = { isSystemUser = true; group = "flashdns"; description = "FlashDNS service user"; home = cfg.dataDir; }; users.groups.flashdns = {}; # Create systemd service systemd.services.flashdns = { description = "FlashDNS Distributed DNS Service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" "iam.service" "flaredb.service" ]; requires = [ "iam.service" "flaredb.service" ]; serviceConfig = { Type = "simple"; User = "flashdns"; Group = "flashdns"; Restart = "on-failure"; RestartSec = "10s"; # State directory management StateDirectory = "flashdns"; StateDirectoryMode = "0750"; # Security hardening NoNewPrivileges = true; PrivateTmp = true; ProtectSystem = "strict"; ProtectHome = true; ReadWritePaths = [ cfg.dataDir ]; # DNS requires binding to privileged port 53 AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; # Start command ExecStart = "${cfg.package}/bin/flashdns-server --grpc-addr 0.0.0.0:${toString cfg.port} --dns-addr 0.0.0.0:${toString cfg.dnsPort}"; }; }; }; }