nixpkgs/nixos/modules/services/networking/stubby.nix

Blame annotation (the commit that introduced these lines):

Add stubby resolver daemon service module (#38667)
* networking/stubby.nix: implementing systemd service module for stubby. This change implements stubby, the DNS-over-TLS stub resolver daemon. The motivation for this change was the desire to use stubby's DNS-over-TLS functionality in tandem with unbound, which requires passing certain configuration parameters. This module implements those config parameters by exposing them for use in configuration.nix.
* networking/stubby.nix: merging back module list. Re-merging the module list to remove unnecessary changes.
* networking/stubby.nix: removing unnecessary capabilities flag. This change removes the unnecessary flag for toggling the capabilities which allows the daemon to bind to low ports.
* networking/stubby.nix: adding debug level logging bool. Adding the option to turn on debug logging.
* networking/stubby.nix: clarifying idleTimeout and adding systemd target. Improving docs to note that idleTimeout is expressed in ms. Adding the nss-lookup `before' target to the systemd service definition.
* networking/stubby.nix: Restrict options with types.enum. This change restricts fallbackProtocol and authenticationMode to accept only valid options instead of any list or str types (respectively). This change also fixes a typo in the CapabilityBoundingSet systemd setting.
* networking/stubby.nix: cleaning up documentation. Cleaning up docs, adding literal tags to settings, and removing whitespace.
* networking/stubby.nix: fixing missing linebreak in comments
* networking/stubby.nix: cleaning errant comments
2018-05-16 13:16:30 +00:00

{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.stubby;
  # Stubby reads a YAML file; the settings attrset is serialised into the Nix store.
  settingsFormat = pkgs.formats.yaml { };
  confFile = settingsFormat.generate "stubby.yml" cfg.settings;
in {
  imports = [
    (mkRemovedOptionModule [ "stubby" "debugLogging" ] "Use services.stubby.logLevel = \"debug\"; instead.")
  ] ++ map (x:
    (mkRemovedOptionModule [ "services" "stubby" x ]
      "Stubby configuration moved to services.stubby.settings.")) [
        "authenticationMode"
        "fallbackProtocols"
        "idleTimeout"
        "listenAddresses"
        "queryPaddingBlocksize"
        "roundRobinUpstreams"
        "subnetPrivate"
        "upstreamServers"
      ];

  options = {
    services.stubby = {
      enable = mkEnableOption (lib.mdDoc "Stubby DNS resolver");

      settings = mkOption {
        type = types.attrsOf settingsFormat.type;
        example = lib.literalExpression ''
          pkgs.stubby.passthru.settingsExample // {
            upstream_recursive_servers = [{
              address_data = "158.64.1.29";
              tls_auth_name = "kaitain.restena.lu";
              tls_pubkey_pinset = [{
                digest = "sha256";
                value = "7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=";
              }];
            }];
          };
        '';
        description = lib.mdDoc ''
          Content of the Stubby configuration file. All Stubby settings may be set or queried
          here. The default settings are available at
          `pkgs.stubby.passthru.settingsExample`. See
          <https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby>.
          A list of the public recursive servers can be found here:
          <https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers>.
        '';
      };

      logLevel = let
        # syslog severity keywords mapped to the numeric level stubby's -v flag expects
        logLevels = {
          emerg = 0;
          alert = 1;
          crit = 2;
          error = 3;
          warning = 4;
          notice = 5;
          info = 6;
          debug = 7;
        };
      in mkOption {
        default = null;
        type = types.nullOr (types.enum (attrNames logLevels ++ attrValues logLevels));
        # accept either a keyword or a number; normalise to the number
        apply = v: if isString v then logLevels.${v} else v;
        description = lib.mdDoc "Log verbosity (syslog keyword or level).";
      };
    };
  };

  config = mkIf cfg.enable {
    # Stubby only makes sense as a stub resolver; without resolution_type set,
    # settings was most likely left empty instead of built on settingsExample.
    assertions = [{
      assertion =
        (cfg.settings.resolution_type or "") == "GETDNS_RESOLUTION_STUB";
      message = ''
        services.stubby.settings.resolution_type must be set to "GETDNS_RESOLUTION_STUB".
        Is services.stubby.settings unset?
      '';
    }];

    # Matches the CacheDirectory the unit is granted below.
    services.stubby.settings.appdata_dir = "/var/cache/stubby";

    systemd.services.stubby = {
      description = "Stubby local DNS resolver";
      after = [ "network.target" ];
      before = [ "nss-lookup.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "notify";
        # Binding port 53 as an unprivileged user needs exactly one capability;
        # the bounding set keeps the daemon from acquiring any other.
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString (cfg.logLevel != null) "-v ${toString cfg.logLevel}"}";
        # Run as a transient, unprivileged user with a private cache directory.
        DynamicUser = true;
        CacheDirectory = "stubby";
      };
    };
  };
}
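The module above exposes Stubby's configuration through `services.stubby.settings` and refuses to build unless `resolution_type` is set. The following `configuration.nix` fragment is an added usage example, not part of the nixpkgs module or of Stubby itself: it enables the module, forces TLS-only transport with mandatory upstream authentication, pins the upstream's public key, and points the system resolver at the local listener. It assumes that `pkgs.stubby.passthru.settingsExample` already carries `resolution_type = "GETDNS_RESOLUTION_STUB"` (which the module's option description and assertion together imply), and that the Stubby keys `dns_transport_list`, `tls_authentication` and `listen_addresses` follow the Stubby configuration reference linked in the option description. The upstream address, TLS auth name and SPKI pin are constructed placeholders, not a real resolver.

```nix
# Added example: a configuration.nix fragment using services.stubby.
# Not from the nixpkgs module; upstream server values are placeholders.
{ config, pkgs, ... }:

{
  services.stubby = {
    enable = true;
    # syslog keyword; the module's apply function turns this into "-v 4"
    logLevel = "warning";

    settings = pkgs.stubby.passthru.settingsExample // {
      # Only talk DNS-over-TLS upstream; no cleartext UDP/TCP fallback.
      dns_transport_list = [ "GETDNS_TRANSPORT_TLS" ];
      # Fail closed if the upstream cannot be authenticated.
      tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";
      # Loopback only; port 53 is why the unit carries CAP_NET_BIND_SERVICE.
      listen_addresses = [ "127.0.0.1" "0::1" ];

      upstream_recursive_servers = [{
        address_data = "192.0.2.53";                 # placeholder (TEST-NET-2)
        tls_auth_name = "dot.resolver.example";      # placeholder
        tls_pubkey_pinset = [{
          digest = "sha256";
          value = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; # placeholder SPKI pin
        }];
      }];
    };
  };

  # Route the host's own lookups through the local Stubby listener.
  networking.nameservers = [ "127.0.0.1" "::1" ];
}
```

Two points worth checking after `nixos-rebuild`: the rendered file at the `-C` path in the unit's `ExecStart` should contain a single `GETDNS_TRANSPORT_TLS` entry and `GETDNS_AUTHENTICATION_REQUIRED`, and the unit should run as a `DynamicUser` holding nothing beyond `CAP_NET_BIND_SERVICE`. A pin that does not match the upstream's certificate makes every query fail rather than silently downgrade, which is the intended behaviour of `GETDNS_AUTHENTICATION_REQUIRED`.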