2021-05-28 22:01:25 +02:00
|
|
|
{ config, lib, pkgs, ... }:
|
2018-05-16 15:16:30 +02:00
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.services.stubby;
|
2021-05-28 22:01:25 +02:00
|
|
|
settingsFormat = pkgs.formats.yaml { };
|
|
|
|
confFile = settingsFormat.generate "stubby.yml" cfg.settings;
|
|
|
|
in {
|
|
|
|
imports = map (x:
|
|
|
|
(mkRemovedOptionModule [ "services" "stubby" x ]
|
|
|
|
"Stubby configuration moved to services.stubby.settings.")) [
|
|
|
|
"authenticationMode"
|
|
|
|
"fallbackProtocols"
|
|
|
|
"idleTimeout"
|
|
|
|
"listenAddresses"
|
|
|
|
"queryPaddingBlocksize"
|
|
|
|
"roundRobinUpstreams"
|
|
|
|
"subnetPrivate"
|
|
|
|
"upstreamServers"
|
|
|
|
];
|
2018-05-16 15:16:30 +02:00
|
|
|
|
|
|
|
options = {
|
|
|
|
services.stubby = {
|
|
|
|
|
|
|
|
enable = mkEnableOption "Stubby DNS resolver";
|
|
|
|
|
2021-05-28 22:01:25 +02:00
|
|
|
settings = mkOption {
|
|
|
|
type = types.attrsOf settingsFormat.type;
|
|
|
|
example = lib.literalExpression ''
|
|
|
|
pkgs.stubby.passthru.settingsExample // {
|
|
|
|
upstream_recursive_servers = [{
|
|
|
|
address_data = "158.64.1.29";
|
|
|
|
tls_auth_name = "kaitain.restena.lu";
|
|
|
|
tls_pubkey_pinset = [{
|
|
|
|
digest = "sha256";
|
|
|
|
value = "7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=";
|
|
|
|
}];
|
|
|
|
}];
|
|
|
|
};
|
2018-05-16 15:16:30 +02:00
|
|
|
'';
|
2022-07-28 23:19:15 +02:00
|
|
|
description = lib.mdDoc ''
|
2021-05-28 22:01:25 +02:00
|
|
|
Content of the Stubby configuration file. All Stubby settings may be set or queried
|
|
|
|
here. The default settings are available at
|
2022-07-28 23:19:15 +02:00
|
|
|
`pkgs.stubby.passthru.settingsExample`. See
|
|
|
|
<https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby>.
|
2021-05-28 22:01:25 +02:00
|
|
|
A list of the public recursive servers can be found here:
|
2022-07-28 23:19:15 +02:00
|
|
|
<https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers>.
|
2018-05-16 15:16:30 +02:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
debugLogging = mkOption {
|
|
|
|
default = false;
|
|
|
|
type = types.bool;
|
2022-07-28 23:19:15 +02:00
|
|
|
description = lib.mdDoc "Enable or disable debug level logging.";
|
2018-05-16 15:16:30 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
2021-05-28 22:01:25 +02:00
|
|
|
assertions = [{
|
|
|
|
assertion =
|
|
|
|
(cfg.settings.resolution_type or "") == "GETDNS_RESOLUTION_STUB";
|
|
|
|
message = ''
|
|
|
|
services.stubby.settings.resolution_type must be set to "GETDNS_RESOLUTION_STUB".
|
|
|
|
Is services.stubby.settings unset?
|
|
|
|
'';
|
|
|
|
}];
|
|
|
|
|
|
|
|
services.stubby.settings.appdata_dir = "/var/cache/stubby";
|
|
|
|
|
2018-05-16 15:16:30 +02:00
|
|
|
systemd.services.stubby = {
|
|
|
|
description = "Stubby local DNS resolver";
|
|
|
|
after = [ "network.target" ];
|
|
|
|
before = [ "nss-lookup.target" ];
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
|
|
|
serviceConfig = {
|
2020-03-15 06:17:12 +01:00
|
|
|
Type = "notify";
|
2018-05-16 15:16:30 +02:00
|
|
|
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
|
|
|
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
|
|
|
|
ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}";
|
|
|
|
DynamicUser = true;
|
2020-02-24 11:51:43 +01:00
|
|
|
CacheDirectory = "stubby";
|
2018-05-16 15:16:30 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|