01b90dce78
This is a refactor of how resolvconf is managed on NixOS. We split it into a separate service which is enabled internally depending on whether we want /etc/resolv.conf to be managed by it. Various services now take advantage of those configuration options. We also now use systemd instead of activation scripts to update resolv.conf. NetworkManager now uses the right option for rc-manager DNS automatically, so the configuration option shouldn't be exposed.
141 lines
3.7 KiB
Nix
141 lines
3.7 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.services.unbound;
|
|
|
|
stateDir = "/var/lib/unbound";
|
|
|
|
access = concatMapStringsSep "\n " (x: "access-control: ${x} allow") cfg.allowedAccess;
|
|
|
|
interfaces = concatMapStringsSep "\n " (x: "interface: ${x}") cfg.interfaces;
|
|
|
|
isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1";
|
|
|
|
forward =
|
|
optionalString (any isLocalAddress cfg.forwardAddresses) ''
|
|
do-not-query-localhost: no
|
|
'' +
|
|
optionalString (cfg.forwardAddresses != []) ''
|
|
forward-zone:
|
|
name: .
|
|
'' +
|
|
concatMapStringsSep "\n" (x: " forward-addr: ${x}") cfg.forwardAddresses;
|
|
|
|
rootTrustAnchorFile = "${stateDir}/root.key";
|
|
|
|
trustAnchor = optionalString cfg.enableRootTrustAnchor
|
|
"auto-trust-anchor-file: ${rootTrustAnchorFile}";
|
|
|
|
confFile = pkgs.writeText "unbound.conf" ''
|
|
server:
|
|
directory: "${stateDir}"
|
|
username: unbound
|
|
chroot: "${stateDir}"
|
|
pidfile: ""
|
|
${interfaces}
|
|
${access}
|
|
${trustAnchor}
|
|
${cfg.extraConfig}
|
|
${forward}
|
|
'';
|
|
|
|
in
|
|
|
|
{
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
services.unbound = {
|
|
|
|
enable = mkEnableOption "Unbound domain name server";
|
|
|
|
allowedAccess = mkOption {
|
|
default = [ "127.0.0.0/24" ];
|
|
type = types.listOf types.str;
|
|
description = "What networks are allowed to use unbound as a resolver.";
|
|
};
|
|
|
|
interfaces = mkOption {
|
|
default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1";
|
|
type = types.listOf types.str;
|
|
description = "What addresses the server should listen on.";
|
|
};
|
|
|
|
forwardAddresses = mkOption {
|
|
default = [ ];
|
|
type = types.listOf types.str;
|
|
description = "What servers to forward queries to.";
|
|
};
|
|
|
|
enableRootTrustAnchor = mkOption {
|
|
default = true;
|
|
type = types.bool;
|
|
description = "Use and update root trust anchor for DNSSEC validation.";
|
|
};
|
|
|
|
extraConfig = mkOption {
|
|
default = "";
|
|
type = types.lines;
|
|
description = ''
|
|
Extra unbound config. See
|
|
<citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8
|
|
</manvolnum></citerefentry>.
|
|
'';
|
|
};
|
|
|
|
};
|
|
};
|
|
|
|
###### implementation
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
environment.systemPackages = [ pkgs.unbound ];
|
|
|
|
users.users.unbound = {
|
|
description = "unbound daemon user";
|
|
isSystemUser = true;
|
|
};
|
|
|
|
networking.resolvconf.useLocalResolver = mkDefault true;
|
|
|
|
systemd.services.unbound = {
|
|
description = "Unbound recursive Domain Name Server";
|
|
after = [ "network.target" ];
|
|
before = [ "nss-lookup.target" ];
|
|
wants = [ "nss-lookup.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
preStart = ''
|
|
mkdir -m 0755 -p ${stateDir}/dev/
|
|
cp ${confFile} ${stateDir}/unbound.conf
|
|
${optionalString cfg.enableRootTrustAnchor ''
|
|
${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!"
|
|
chown unbound ${stateDir} ${rootTrustAnchorFile}
|
|
''}
|
|
touch ${stateDir}/dev/random
|
|
${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random
|
|
'';
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf";
|
|
ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";
|
|
|
|
ProtectSystem = true;
|
|
ProtectHome = true;
|
|
PrivateDevices = true;
|
|
Restart = "always";
|
|
RestartSec = "5s";
|
|
};
|
|
};
|
|
|
|
# If networkmanager is enabled, ask it to interface with unbound.
|
|
networking.networkmanager.dns = "unbound";
|
|
|
|
};
|
|
|
|
}
|