authorJoachim F <joachifm@users.noreply.github.com>2016-09-17 10:56:42 +0200
committerGitHub <noreply@github.com>2016-09-17 10:56:42 +0200
commite06ead81bf61feb790d5706cbfbc41940a06ec4a (patch)
tree10722290445ca4f8df80a96e52d8d43c618d448e
parentd9a4d942ab4b568010ff0fb97d9e3c071487a7d8 (diff)
parent22d6c97855b99e770855474f394cd4a3192d98d9 (diff)
Merge pull request #18630 from joachifm/unbound-improvements
Unbound service improvements
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/services/networking/unbound.nix33
2 files changed, 23 insertions, 12 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 70d843864116..2618514fbe5a 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -74,7 +74,6 @@
       rtkit = 45;
       dovecot2 = 46;
       dovenull2 = 47;
-      unbound = 48;
       prayer = 49;
       mpd = 50;
       clamav = 51;
@@ -332,7 +331,6 @@
       #rtkit = 45; # unused
       dovecot2 = 46;
       #dovenull = 47; # unused
-      #unbound = 48; # unused
       prayer = 49;
       mpd = 50;
       clamav = 51;
diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix
index ed0744c44ccf..6375ebee3209 100644
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -12,9 +12,17 @@ let
 
   interfaces = concatMapStrings (x: "  interface: ${x}\n") cfg.interfaces;
 
-  forward = optionalString (length cfg.forwardAddresses != 0)
-    "forward-zone:\n  name: .\n" +
-    concatMapStrings (x: "  forward-addr: ${x}\n") cfg.forwardAddresses;
+  isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1";
+
+  forward =
+    optionalString (any isLocalAddress cfg.forwardAddresses) ''
+      do-not-query-localhost: no
+    '' +
+    optionalString (cfg.forwardAddresses != []) ''
+      forward-zone:
+        name: .
+    '' +
+    concatMapStringsSep "\n" (x: "    forward-addr: ${x}") cfg.forwardAddresses;
 
   rootTrustAnchorFile = "${stateDir}/root.key";
 
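Review bot: The loopback test on the `isLocalAddress =` line is a prefix match, so `substring 0 3 x == "::1"` also accepts non-loopback addresses such as `::10` or `::1a…`, for which `do-not-query-localhost: no` is then emitted without need, while loopback addresses like `127.0.0.2` are not matched and unbound will refuse to forward to them. Since `do-not-query-localhost: no` relaxes a safeguard, the test should accept exactly the loopback range, e.g. `isLocalAddress = x: hasPrefix "127." x || x == "::1" || hasPrefix "::1@" x;` (the `@` form covering unbound's `addr@port` notation). Separately, `concatMapStringsSep "\n"` on the last added line leaves no trailing newline after the final `forward-addr`, so whatever the caller appends after `forward` starts on that same line unless it adds one; the use site is outside this hunk.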
@@ -72,7 +80,11 @@ in
       extraConfig = mkOption {
         default = "";
         type = types.str;
-        description = "Extra lines of unbound config.";
+        description = ''
+          Extra unbound config. See
+          <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8
+          </manvolnum></citerefentry>.
+        '';
       };
 
     };
@@ -84,12 +96,9 @@ in
 
     environment.systemPackages = [ pkgs.unbound ];
 
-    users.extraUsers = singleton {
-      name = "unbound";
-      uid = config.ids.uids.unbound;
+    users.users.unbound = {
       description = "unbound daemon user";
-      home = stateDir;
-      createHome = true;
+      isSystemUser = true;
     };
 
     systemd.services.unbound = {
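Review bot: Dropping `uid = config.ids.uids.unbound` together with the fixed id in ids.nix means the `unbound` user is now allocated dynamically, so on an existing deployment the id can change while files under the state directory are still owned by the old uid 48; the `chown unbound ${stateDir} ${rootTrustAnchorFile}` in preStart (next hunk) sits inside a conditional whose guard is outside this view, so whether it re-chowns on upgrade should be confirmed. The new definition also sets no `group`, so the user falls into the module's default group; if group ownership of the state directory matters, add an explicit `group = "unbound";` with a matching `users.groups.unbound = {};`. Removing `home = stateDir` is presumably fine if preStart creates the directory (not visible here), but that should be stated next to the user definition, e.g. `# no home: the state directory is set up and chowned in preStart`.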
@@ -107,12 +116,16 @@ in
         chown unbound ${stateDir} ${rootTrustAnchorFile}
         ''}
         touch ${stateDir}/dev/random
-        ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
+        ${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random
       '';
 
       serviceConfig = {
         ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf";
         ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";
+
+        ProtectSystem = true;
+        ProtectHome = true;
+        PrivateDevices = true;
       };
     };