From 751bdacc9b726bf8e4623a7375e96563ee3614a5 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Fri, 4 Jan 2019 01:49:50 +0100
Subject: [PATCH 1/2] nixos/nsd: Don't override bind via nixpkgs.config
When generating values for the services.nsd.zones attribute using values from pkgs, we'll run into an infinite recursion because the nsd module has a condition on the top-level definition of nixpkgs.config. While it would work to push the definition a few levels down, it will still only work if we don't use bind tools for generating zones. As far as I could see, Python support for BIND seems to be only needed for the dnssec-* tools, so instead of using nixpkgs.config, we now directly override pkgs.bind instead of globally in nixpkgs. To illustrate the problem with a small test case, instantiating the following Nix expression from the nixpkgs source root will cause the mentioned infinite recursion: (import ./nixos { configuration = { lib, pkgs, ... }: { services.nsd.enable = true; services.nsd.zones = import (pkgs.writeText "foo.nix" '' { "foo.".data = "xyz"; "foo.".dnssec = true; } ''); }; }).vm With this change, generating zones via import-from-derivation is now possible again.
Signed-off-by: aszlig
Cc: @pngwjpgh
---
 nixos/modules/services/networking/nsd.nix | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix
index cde47bf23eae..492845eb4ec7 100644
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@@ -437,6 +437,8 @@ let
 dnssec = length (attrNames dnssecZones) != 0;
+ dnssecTools = pkgs.bind.override { enablePython = true; };
+
 signZones = optionalString dnssec ''
 mkdir -p ${stateDir}/dnssec
 chown ${username}:${username} ${stateDir}/dnssec
@@ -445,8 +447,8 @@ let
 ${concatStrings (mapAttrsToList signZone dnssecZones)}
 '';
 signZone = name: zone: ''
- ${pkgs.bind}/bin/dnssec-keymgr -g ${pkgs.bind}/bin/dnssec-keygen -s ${pkgs.bind}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name}
- ${pkgs.bind}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name}
+ ${dnssecTools}/bin/dnssec-keymgr -g ${dnssecTools}/bin/dnssec-keygen -s ${dnssecTools}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name}
+ ${dnssecTools}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name}
 ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name}
 '';
 policyFile = name: policy: pkgs.writeText "${name}.policy" ''
@@ -953,10 +955,6 @@ in
 '';
 };
- nixpkgs.config = mkIf dnssec {
- bind.enablePython = true;
- };
-
 systemd.timers."nsd-dnssec" = mkIf dnssec {
 description = "Automatic DNSSEC key rollover";
From 6446d9eee88e6a708f7d48c69bb0d9001bac9f7a Mon Sep 17 00:00:00 2001
From: aszlig
Date: Fri, 4 Jan 2019 01:59:28 +0100
Subject: [PATCH 2/2] nixos/nsd: Improve checking for empty dnssec zones
While at it (see previous commit), using attrNames in combination with length is a bit verbose for checking whether the filtered attribute set is empty, so let's just compare it against an empty attribute set.
Signed-off-by: aszlig
---
 nixos/modules/services/networking/nsd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix
index 492845eb4ec7..8b918dab86dd 100644
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
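Review bot: On the two rewritten `dnssec-keymgr` and `dnssec-signzone` lines the exit status is still unchecked, so a failed key generation or signing run falls through to the `nsd-checkzone ... && mv -v` line, which then quietly skips the move and leaves whatever is currently in `${stateDir}/zones/${name}` (presumably the unsigned zone) in place — a silent downgrade to an unsigned zone rather than a hard failure of the rollover job, unless the enclosing script runs under `set -e`, which this hunk does not show. I would chain the three commands so the first failure stops the zone: end the keymgr line with ` && \` and the signzone line with ` && \`, so `nsd-checkzone` only ever sees a freshly produced `.signed` file. Also worth quoting `${name}` and the zone paths in these commands; the zone names come from the module's attribute set rather than untrusted input, so this is defensive, but a name with shell-significant characters would currently be word-split. `signZone` is fully visible here, but the `signZones` wrapper that executes it and the unit it runs in start outside this hunk.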
@@ -435,7 +435,7 @@ let
 dnssecZones = (filterAttrs (n: v: if v ? dnssec then v.dnssec else false) zoneConfigs);
- dnssec = length (attrNames dnssecZones) != 0;
+ dnssec = dnssecZones != {};
 dnssecTools = pkgs.bind.override { enablePython = true; };