benpye/test.nix Secret

## test.nix
  systemd.services.coredns = {
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      ExecStart =
        let configFile = pkgs.writeText "Corefile"
          '' //STUFF
          '';
        in
          "${pkgs.coredns}/bin/coredns -conf=${configFile}";

      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      Type = "simple";
      User = "coredns";
      Group = "coredns";
      Restart = "on-failure";
      StartLimitInterval = 86400;
      StartLimitBurst = 5;
      AmbientCapabilities = "cap_net_bind_service";
      CapabilityBoundingSet = "cap_net_bind_service";
      NoNewPrivileges = true;
      LimitNPROC = 64;
      LimitNOFILE = 1048576;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ReadWriteDirectories = cfg.dataDir;
    };
  };
	systemd.services.coredns = {
	after = [ "network.target" ];
	wantedBy = [ "multi-user.target" ];

	serviceConfig = {
	ExecStart =
	let configFile = pkgs.writeText "Corefile"
	'' //STUFF
	'';
	in
	"${pkgs.coredns}/bin/coredns -conf=${configFile}";

	ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
	Type = "simple";
	User = "coredns";
	Group = "coredns";
	Restart = "on-failure";
	StartLimitInterval = 86400;
	StartLimitBurst = 5;
	AmbientCapabilities = "cap_net_bind_service";
	CapabilityBoundingSet = "cap_net_bind_service";
	NoNewPrivileges = true;
	LimitNPROC = 64;
	LimitNOFILE = 1048576;
	PrivateTmp = true;
	PrivateDevices = true;
	ProtectHome = true;
	ProtectSystem = "strict";
	ReadWriteDirectories = cfg.dataDir;
	};
	};