From 3087df3e8f563152c9333e0d3e1b6e74235cde2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 12 Nov 2020 18:57:50 +0100 Subject: [PATCH 1/4] knot-resolver: add support for new DoH implementation By default. I'm not a DoH fan, but the difference in runtime closure is really tiny (216 KiB by du). I somehow forgot this during update. Some of the newly running tests were failing and got disabled. --- pkgs/servers/dns/knot-resolver/default.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/dns/knot-resolver/default.nix b/pkgs/servers/dns/knot-resolver/default.nix index aabfcd9796e4..f7a07acf04b4 100644 --- a/pkgs/servers/dns/knot-resolver/default.nix +++ b/pkgs/servers/dns/knot-resolver/default.nix @@ -3,6 +3,7 @@ , runCommand, pkgconfig, meson, ninja, makeWrapper # build+runtime deps. , knot-dns, luajitPackages, libuv, gnutls, lmdb, systemd, dns-root-data +, nghttp2 # test-only deps. , cmocka, which, cacert , extraFeatures ? false /* catch-all if defaults aren't enough */ @@ -11,7 +12,7 @@ let # un-indented, over the whole file result = if extraFeatures then wrapped-full else unwrapped; -inherit (stdenv.lib) optional optionals; +inherit (stdenv.lib) optional optionals optionalString; lua = luajitPackages; unwrapped = stdenv.mkDerivation rec { @@ -38,6 +39,11 @@ unwrapped = stdenv.mkDerivation rec { # ExecStart can't be overwritten in overrides. # We need that to use wrapped executable and correct config file. sed '/^ExecStart=/d' -i systemd/kresd@.service.in + '' + # some tests have issues with network sandboxing, apparently + + optionalString doInstallCheck '' + echo 'os.exit(77)' > daemon/lua/trust_anchors.test/bootstrap.test.lua + sed '/^[[:blank:]]*test_dstaddr,$/d' -i tests/config/doh2.test.lua ''; preConfigure = '' 
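Review bot: The `os.exit(77)` written over `daemon/lua/trust_anchors.test/bootstrap.test.lua` is an undocumented magic value; 77 is the status meson reports as "skipped", and the comment above only says some tests "have issues", so a reader cannot tell the test is being skipped rather than made to pass. I would name it on the line: `echo 'os.exit(77)' > daemon/lua/trust_anchors.test/bootstrap.test.lua # 77 = meson "skipped"`. The following `sed` fails open — if upstream renames `test_dstaddr` the pattern matches nothing and the unmodified test simply runs — which is the safe direction, but worth a word in the same comment. Judging by its path, the disabled file presumably exercises trust-anchor bootstrapping over the network, so the sandboxed build no longer checks that path at all; the enclosing phase attribute starts outside the hunk.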
@@ -49,6 +55,7 @@ unwrapped = stdenv.mkDerivation rec { # http://knot-resolver.readthedocs.io/en/latest/build.html#requirements buildInputs = [ knot-dns lua.lua libuv gnutls lmdb ] ++ optional stdenv.isLinux systemd # passing sockets, sd_notify + ++ [ nghttp2 ] ## optional dependencies; TODO: libedit, dnstap ; @@ -71,7 +78,7 @@ unwrapped = stdenv.mkDerivation rec { ''; doInstallCheck = with stdenv; hostPlatform == buildPlatform; - installCheckInputs = [ cmocka which cacert lua.cqueues lua.basexx ]; + installCheckInputs = [ cmocka which cacert lua.cqueues lua.basexx lua.http ]; installCheckPhase = '' meson test --print-errorlogs ''; From e61ef63e4e4644a451a4ed66f2f2ac7b48f2c26a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 12 Nov 2020 19:04:12 +0100 Subject: [PATCH 2/4] kresd service: switch .listenDoH to new implementation Beware: extraFeatures are not needed *for this* anymore, but their removal may still cause a regression in some configs (example: prefill module). --- nixos/modules/services/networking/kresd.nix | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix index ccb34163d5f3..6f1c4c48b430 100644 --- a/nixos/modules/services/networking/kresd.nix +++ b/nixos/modules/services/networking/kresd.nix 
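Review bot: `++ [ nghttp2 ]` is added without a comment saying what it enables, while the neighbouring `systemd` input carries one (`# passing sockets, sd_notify`); since this is the dependency that turns the new DoH listener on, I would write `++ [ nghttp2 ] # DNS-over-HTTPS/2 (doh2)`. If the derivation leaves the corresponding meson feature option at its auto-detect default (mesonFlags are outside this hunk), a broken or missing nghttp2 would silently yield a build without DoH2 instead of a build failure; pinning that feature to `enabled` would make the new default explicit and fail loudly.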
@@ -23,18 +23,14 @@ let ''; configFile = pkgs.writeText "kresd.conf" ( - optionalString (cfg.listenDoH != []) '' - modules.load('http') - '' + "" + concatMapStrings (mkListen "dns") cfg.listenPlain + concatMapStrings (mkListen "tls") cfg.listenTLS - + concatMapStrings (mkListen "doh") cfg.listenDoH + + concatMapStrings (mkListen "doh2") cfg.listenDoH + cfg.extraConfig ); - package = if cfg.listenDoH == [] - then pkgs.knot-resolver # never force `extraFeatures = false` - else pkgs.knot-resolver.override { extraFeatures = true; }; + package = pkgs.knot-resolver; in { meta.maintainers = [ maintainers.vcunat /* upstream developer */ ]; @@ -92,7 +88,7 @@ in { default = []; example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ]; description = '' - Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 8484). + Addresses and ports on which kresd should provide DNS over HTTPS/2 (see RFC 8484). For detailed syntax see ListenStream in man systemd.socket. ''; }; From cd5c7c0ee6ccfa1c1b3b9b0831604bc180cee4b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 12 Nov 2020 19:16:04 +0100 Subject: [PATCH 3/4] knot-resolver: drop capabilities after startup By default. I forgot to add this a long time ago. The difference in runtime closure is really tiny (232 KiB by du). --- pkgs/servers/dns/knot-resolver/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/dns/knot-resolver/default.nix b/pkgs/servers/dns/knot-resolver/default.nix index f7a07acf04b4..cdbdbdc56eba 100644 --- a/pkgs/servers/dns/knot-resolver/default.nix +++ b/pkgs/servers/dns/knot-resolver/default.nix 
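Review bot: The added `""` in `configFile` is a placeholder that exists only so the following `+ concatMapStrings ...` lines keep their leading operator; dropping it and starting the chain with `concatMapStrings (mkListen "dns") cfg.listenPlain` reads cleaner and removes a string that does nothing. The new `package = pkgs.knot-resolver;` also silently assumes the package is built with nghttp2, which the first patch makes the default; a user overriding knot-resolver without it would get a config asking for a `doh2` listener the binary cannot serve, so a comment such as `# assumes nghttp2 (DoH2) support, the package default` would help the next maintainer. `mkListen` is defined outside the hunk, so I could not confirm the `doh2` kind is passed through verbatim.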
@@ -3,7 +3,7 @@ , runCommand, pkgconfig, meson, ninja, makeWrapper # build+runtime deps. , knot-dns, luajitPackages, libuv, gnutls, lmdb, systemd, dns-root-data -, nghttp2 +, nghttp2, libcap_ng # optionals, in principle # test-only deps. , cmocka, which, cacert , extraFeatures ? false /* catch-all if defaults aren't enough */ @@ -55,7 +55,7 @@ unwrapped = stdenv.mkDerivation rec { # http://knot-resolver.readthedocs.io/en/latest/build.html#requirements buildInputs = [ knot-dns lua.lua libuv gnutls lmdb ] ++ optional stdenv.isLinux systemd # passing sockets, sd_notify - ++ [ nghttp2 ] + ++ [ nghttp2 libcap_ng ] ## optional dependencies; TODO: libedit, dnstap ; From 335798d243cc550a6b32a411c63a55f361f9e32f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 17 Nov 2020 20:05:51 +0100 Subject: [PATCH 4/4] knot-resolver: fix a stupid system breaking non-systemd I hope this will fix darwin build (no good way of testing locally). --- pkgs/servers/dns/knot-resolver/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/servers/dns/knot-resolver/default.nix b/pkgs/servers/dns/knot-resolver/default.nix index cdbdbdc56eba..f88772bda0bc 100644 --- a/pkgs/servers/dns/knot-resolver/default.nix +++ b/pkgs/servers/dns/knot-resolver/default.nix @@ -74,6 +74,7 @@ unwrapped = stdenv.mkDerivation rec { postInstall = '' rm "$out"/lib/libkres.a rm "$out"/lib/knot-resolver/upgrade-4-to-5.lua # not meaningful on NixOS + '' + optionalString stdenv.targetPlatform.isLinux '' rm -r "$out"/lib/sysusers.d/ # ATM more likely to harm than help '';
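Review bot: `libcap_ng` is added to `buildInputs` unconditionally while `systemd` on the line above is guarded with `optional stdenv.isLinux`; Linux capabilities do not exist on darwin, so the line should read `++ [ nghttp2 ] ++ optional stdenv.isLinux libcap_ng`. If libcap_ng's platforms exclude darwin, this hunk alone breaks the darwin evaluation that the fourth patch later tries to repair, though I cannot verify that from here. The purpose is worth a word as well, since the `# optionals, in principle` comment added in the argument-list hunk says nothing about it: `# libcap_ng: drop capabilities after startup`.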
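Review bot: `stdenv.targetPlatform.isLinux` is the wrong platform for a non-compiler package; nixpkgs conditions on the host platform, and this file already does so via `optional stdenv.isLinux systemd`, so the new line should read `'' + optionalString stdenv.isLinux ''`. The condition only works today because host and target coincide for ordinary packages, and mixing the two styles in one derivation invites a copy-paste of the wrong one. Both the opening `postInstall = ''` and the closing `'';` are inside the hunk, so the change is self-contained.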