colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5e602f88d1
nixpkgs/nixos/modules/services/networking/unbound.nix

185 lines
5.0 KiB
Nix
Raw Normal View History

Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem.
2014-04-14 14:26:48 +00:00
{ config, lib, pkgs, ... }:
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem.
2014-04-14 14:26:48 +00:00
with lib;
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
let
cfg = config.services.unbound;
stateDir = "/var/lib/unbound";
nixos/unbound: correct indented interface/access lists
2017-11-03 08:36:11 +00:00
access = concatMapStringsSep "\n " (x: "access-control: ${x} allow") cfg.allowedAccess;
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
nixos/unbound: correct indented interface/access lists
2017-11-03 08:36:11 +00:00
interfaces = concatMapStringsSep "\n " (x: "interface: ${x}") cfg.interfaces;
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
unbound service: extend isLocalAddress to handle ipv6
2016-09-16 07:47:36 +00:00
isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1";
unbound service: convenient handling of local forward addresses do-not-query-localhost defaults to yes; with this patch, unbound is configured to query localhost if any of the forward addresses are local.
2016-08-30 17:20:08 +00:00
forward =
optionalString (any isLocalAddress cfg.forwardAddresses) ''
do-not-query-localhost: no
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
''
+ optionalString (cfg.forwardAddresses != []) ''
unbound service: convenient handling of local forward addresses do-not-query-localhost defaults to yes; with this patch, unbound is configured to query localhost if any of the forward addresses are local.
2016-08-30 17:20:08 +00:00
forward-zone:
name: .
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
''
+ concatMapStringsSep "\n" (x: " forward-addr: ${x}") cfg.forwardAddresses;
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
unbound service: add fetching root anchor for DNSSEC
2016-02-15 02:35:25 +00:00
rootTrustAnchorFile = "${stateDir}/root.key";
trustAnchor = optionalString cfg.enableRootTrustAnchor
"auto-trust-anchor-file: ${rootTrustAnchorFile}";
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
confFile = pkgs.writeText "unbound.conf" ''
server:
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
ip-freebind: yes
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
directory: "${stateDir}"
unbound: run in chroot
2014-08-27 01:24:09 +00:00
username: unbound
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
chroot: ""
unbound: run in chroot
2014-08-27 01:24:09 +00:00
pidfile: ""
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
# when running under systemd there is no need to daemonize
do-daemonize: no
Adding extraConfig to unbound svn path=/nixos/trunk/; revision=30211
2011-11-03 18:49:54 +00:00
${interfaces}
${access}
unbound service: add fetching root anchor for DNSSEC
2016-02-15 02:35:25 +00:00
${trustAnchor}
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
${cfg.extraConfig}
unbound: run in chroot
2014-08-27 01:24:09 +00:00
${forward}
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
'';
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
in
{
###### interface
options = {
services.unbound = {
unbound service: use mkEnableOption
2016-08-30 17:28:30 +00:00
enable = mkEnableOption "Unbound domain name server";
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
nixos/unbound: add package option
2019-12-12 23:49:47 +00:00
package = mkOption {
type = types.package;
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
default = pkgs.unbound-with-systemd;
defaultText = "pkgs.unbound-with-systemd";
nixos/unbound: add package option
2019-12-12 23:49:47 +00:00
description = "The unbound package to use";
};
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
allowedAccess = mkOption {
unbound service: whitespace fixes
2016-08-30 17:30:28 +00:00
default = [ "127.0.0.0/24" ];
unbound service: add types to options
2016-02-15 02:37:45 +00:00
type = types.listOf types.str;
unbound service: retab
2016-02-07 17:40:15 +00:00
description = "What networks are allowed to use unbound as a resolver.";
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
};
interfaces = mkOption {
nixos/unbound: add restart (#41885)
2018-06-12 12:29:25 +00:00
default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1";
unbound service: add types to options
2016-02-15 02:37:45 +00:00
type = types.listOf types.str;
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
description = ''
What addresses the server should listen on. This supports the interface syntax documented in
<citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
'';
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
};
forwardAddresses = mkOption {
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
default = [];
unbound service: add types to options
2016-02-15 02:37:45 +00:00
type = types.listOf types.str;
unbound service: retab
2016-02-07 17:40:15 +00:00
description = "What servers to forward queries to.";
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
};
unbound service: add fetching root anchor for DNSSEC
2016-02-15 02:35:25 +00:00
enableRootTrustAnchor = mkOption {
default = true;
type = types.bool;
description = "Use and update root trust anchor for DNSSEC validation.";
};
Adding extraConfig to unbound svn path=/nixos/trunk/; revision=30211
2011-11-03 18:49:54 +00:00
extraConfig = mkOption {
unbound service: retab
2016-02-07 17:40:15 +00:00
default = "";
nixos: use types.lines for extraConfig
2016-10-23 17:33:41 +00:00
type = types.lines;
unbound service: add reference to man:unbound.conf(8)
2016-09-01 16:47:40 +00:00
description = ''
Extra unbound config. See
<citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8
</manvolnum></citerefentry>.
'';
Adding extraConfig to unbound svn path=/nixos/trunk/; revision=30211
2011-11-03 18:49:54 +00:00
};
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
};
};
###### implementation
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
config = mkIf cfg.enable {
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
nixos/unbound: add package option
2019-12-12 23:49:47 +00:00
environment.systemPackages = [ cfg.package ];
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
unbound service: use auto-generated uid 1. The preStart script ensures consistent ownership, even if the unbound user's uid has changed 2. The unbound daemon does not generate data that needs to be private to it, so it would not matter that a different service would end up owning its data (as long as unbound remains enabled, it should reclaim ownership soon enough anyway). Thus, there's no clear benefit to allocate a dedicated uid for the unbound service. This releases uid/gid 48. Also, because the preStart script creates the data directory, there's no need to specify a homedir or ask for its creation.
2016-09-01 16:48:13 +00:00
users.users.unbound = {
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
description = "unbound daemon user";
unbound service: use auto-generated uid 1. The preStart script ensures consistent ownership, even if the unbound user's uid has changed 2. The unbound daemon does not generate data that needs to be private to it, so it would not matter that a different service would end up owning its data (as long as unbound remains enabled, it should reclaim ownership soon enough anyway). Thus, there's no clear benefit to allocate a dedicated uid for the unbound service. This releases uid/gid 48. Also, because the preStart script creates the data directory, there's no need to specify a homedir or ask for its creation.
2016-09-01 16:48:13 +00:00
isSystemUser = true;
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
};
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
resolvconf service: init This is a refactor of how resolvconf is managed on NixOS. We split it into a separate service which is enabled internally depending on whether we want /etc/resolv.conf to be managed by it. Various services now take advantage of those configuration options. We also now use systemd instead of activation scripts to update resolv.conf. NetworkManager now uses the right option for rc-manager DNS automatically, so the configuration option shouldn't be exposed.
2019-07-15 17:18:49 +00:00
networking.resolvconf.useLocalResolver = mkDefault true;
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
environment.etc."unbound/unbound.conf".source = confFile;
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
systemd.services.unbound = {
unbound service: whitespace fixes
2016-08-30 17:30:28 +00:00
description = "Unbound recursive Domain Name Server";
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
after = [ "network.target" ];
before = [ "nss-lookup.target" ];
unbound: fix typo in systemd Before
2017-10-10 20:08:36 +00:00
wants = [ "nss-lookup.target" ];
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
wantedBy = [ "multi-user.target" ];
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
preStart = lib.mkIf cfg.enableRootTrustAnchor ''
${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!"
unbound: run in chroot
2014-08-27 01:24:09 +00:00
'';
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
restartTriggers = [
confFile
];
unbound: run in chroot
2014-08-27 01:24:09 +00:00
serviceConfig = {
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
ExecStart = "${cfg.package}/bin/unbound -p -d -c /etc/unbound/unbound.conf";
ExecReload = "+/run/current-system/sw/bin/kill -HUP $MAINPID";
unbound service: some pre-chroot isolation While entering the chroot should provide the same amount of isolation, the preStart script will run with full root privileges and so would benefit from some isolation as well (in particular due to unbound-anchor, which can perform network I/O).
2016-09-01 16:53:06 +00:00
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
NotifyAccess = "main";
Type = "notify";
AmbientCapabilities = [
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_CHROOT"
"CAP_SYS_RESOURCE"
];
User = "unbound";
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
unbound service: some pre-chroot isolation While entering the chroot should provide the same amount of isolation, the preStart script will run with full root privileges and so would benefit from some isolation as well (in particular due to unbound-anchor, which can perform network I/O).
2016-09-01 16:53:06 +00:00
PrivateDevices = true;
nixos/modules/services/networking/unbound: update systemd unit Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. With this change I am (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound was `unbound` user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the `Type` set to `notify`, therefore we are also using the `unbound-with-systemd` package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit "running". This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Aditionally to the much stricter runtime environmet I removed the `/dev/urandom` mount lines we previously had in the code (that would randomly fail during `stop`-phase). The `preStart` script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another beneefit of the refactoring is that we can now issue reloads via either `pkill -HUP unbound` or `systemctl reload unbound` to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. I went for /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use `unbound-control` without passing a custom configuration location.
2020-05-07 11:17:14 +00:00
PrivateTmp = true;
ProtectHome = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectSystem = "strict";
RuntimeDirectory = "unbound";
ConfigurationDirectory = "unbound";
StateDirectory = "unbound";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@clock"
"@cpu-emulation"
"@debug"
"@keyring"
"@module"
"mount"
"@obsolete"
"@resources"
];
RestrictNamespaces = true;
LockPersonality = true;
RestrictSUIDSGID = true;
ReadWritePaths = [ "/run/unbound" "${stateDir}" ];
unbound: run in chroot
2014-08-27 01:24:09 +00:00
};
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-04-20 15:16:36 +00:00
};
networkmanager: Expand dns description, integrate with other services (#41898) Rather than special-casing the dns options in networkmanager.nix, use the module system to let unbound and systemd-resolved contribute to the newtorkmanager config.
2018-06-29 17:41:46 +00:00
# If networkmanager is enabled, ask it to interface with unbound.
networking.networkmanager.dns = "unbound";
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197
2011-11-02 20:59:12 +00:00
};
}
Reference in New Issue Copy Permalink