author | Vladimír Čunát <v@cunat.cz> | 2020-01-26 21:15:20 +0100 |
---|---|---|
committer | Vladimír Čunát <v@cunat.cz> | 2020-01-31 15:22:52 +0100 |
commit | ae74a0e27cab1034266bc868e889fcdffd23a188 (patch) | |
tree | 3db894f92c12098525e0aa866500825cea2d7737 /nixos/modules/services/networking/kresd.nix | |
parent | 0a8fb01b80397f1a4349d8b03dcda73a536b7b9d (diff) | |
(nixos/)knot-resolver: 4.3.0 -> 5.0.0
Minor incompatibilities due to moving to upstream defaults:
- capabilities are used instead of systemd.socket units
- the control socket moved: /run/kresd/control -> /run/knot-resolver/control/1
- cacheDir moved and isn't configurable anymore
- different user+group names, without static IDs

Thanks Mic92 for multiple ideas.
Diffstat (limited to 'nixos/modules/services/networking/kresd.nix')
-rw-r--r-- | nixos/modules/services/networking/kresd.nix | 134 |
1 files changed, 52 insertions, 82 deletions
diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix
index 3551e30c2e61..ce16b90b9cc1 100644
--- a/nixos/modules/services/networking/kresd.nix
+++ b/nixos/modules/services/networking/kresd.nix
@@ -3,12 +3,34 @@ with lib; let - cfg = config.services.kresd; - configFile = pkgs.writeText "kresd.conf" '' - ${optionalString (cfg.listenDoH != []) "modules.load('http')"} - ${cfg.extraConfig}; - ''; + + # Convert systemd-style address specification to kresd config line(s). + # On Nix level we don't attempt to precisely validate the address specifications. + mkListen = kind: addr: let + al_v4 = builtins.match "([0-9.]\+):([0-9]\+)" addr; + al_v6 = builtins.match "\\[(.\+)]:([0-9]\+)" addr; + al_portOnly = builtins.match "()([0-9]\+)" addr; + al = findFirst (a: a != null) + (throw "services.kresd.*: incorrect address specification '${addr}'") + [ al_v4 al_v6 al_portOnly ]; + port = last al; + addrSpec = if al_portOnly == null then "'${head al}'" else "{'::', '127.0.0.1'}"; + in # freebind is set for compatibility with earlier kresd services; + # it could be configurable, for example. + '' + net.listen(${addrSpec}, ${port}, { kind = '${kind}', freebind = true }) + ''; + + configFile = pkgs.writeText "kresd.conf" ( + optionalString (cfg.listenDoH != []) '' + modules.load('http') + '' + + concatMapStrings (mkListen "dns") cfg.listenPlain + + concatMapStrings (mkListen "tls") cfg.listenTLS + + concatMapStrings (mkListen "doh") cfg.listenDoH + + cfg.extraConfig + ); package = pkgs.knot-resolver.override { extraFeatures = cfg.listenDoH != [];
@@ -25,6 +47,7 @@ in { value ) ) + (mkRemovedOptionModule [ "services" "kresd" "cacheDir" ] "Please use (bind-)mounting instead.") ]; ###### interface 
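Review bot: The `\+` escapes in the three `builtins.match` patterns of `mkListen` are unnecessary and misleading — in a Nix double-quoted string a backslash before `+` yields a plain `+`, so the regex engine already sees `([0-9.]+)`; writing `"([0-9.]+):([0-9]+)"`, `"\\[(.+)]:([0-9]+)"` and `"()([0-9]+)"` reads as the POSIX ERE it is. Separately, the `al_v6` branch accepts anything between the brackets and interpolates it into the Lua line as `'${head al}'` without escaping, so a mistyped entry only fails when `kresd@1.service` starts rather than at evaluation; a class such as `"\\[([0-9a-fA-F:.]+)]:([0-9]+)"` would keep the error on the Nix side (extend it if `%zone` suffixes are expected). The comment above `addrSpec` should also say that a bare port binds `::` and `127.0.0.1`, i.e. the unspecified IPv6 address rather than loopback only, since `example = [ "53" ]` later in this diff points users at that form.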
@@ -35,8 +58,8 @@ in { description = '' Whether to enable knot-resolver domain name server. DNSSEC validation is turned on by default. - You can run <literal>sudo nc -U /run/kresd/control</literal> - and give commands interactively to kresd. + You can run <literal>sudo nc -U /run/knot-resolver/control/1</literal> + and give commands interactively to kresd@1.service. ''; }; extraConfig = mkOption {
@@ -46,16 +69,10 @@ in { Extra lines to be added verbatim to the generated configuration file. ''; }; - cacheDir = mkOption { - type = types.path; - default = "/var/cache/kresd"; - description = '' - Directory for caches. They are intended to survive reboots. - ''; - }; listenPlain = mkOption { type = with types; listOf str; default = [ "[::1]:53" "127.0.0.1:53" ]; + example = [ "53" ]; description = '' What addresses and ports the server should listen on. For detailed syntax see ListenStream in man systemd.socket. 
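Review bot: The `listenPlain` description still says "For detailed syntax see ListenStream in man systemd.socket", but after this commit the entries are parsed by `mkListen` (in the `let` block of the first hunk), which accepts only `IPv4:port`, `[IPv6]:port` and a bare port and throws on anything else, so the other ListenStream forms are no longer valid here; the same sentence presumably remains on `listenTLS` and `listenDoH`, which lie outside this hunk. Suggest replacing that sentence with `Accepted forms: "IPv4:port", "[IPv6]:port" or a bare "port" (which listens on :: and 127.0.0.1).`, which also explains the new `example = [ "53" ]`.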
@@ -84,82 +101,35 @@ in { ###### implementation config = mkIf cfg.enable { - environment.etc."kresd.conf".source = configFile; # not required + environment.etc."knot-resolver/kresd.conf".source = configFile; # not required - users.users.kresd = - { uid = config.ids.uids.kresd; - group = "kresd"; + users.users.knot-resolver = + { isSystemUser = true; + group = "knot-resolver"; description = "Knot-resolver daemon user"; }; - users.groups.kresd.gid = config.ids.gids.kresd; + users.groups.knot-resolver.gid = null; - systemd.sockets.kresd = rec { - wantedBy = [ "sockets.target" ]; - before = wantedBy; - listenStreams = cfg.listenPlain; - socketConfig = { - ListenDatagram = listenStreams; - FreeBind = true; - FileDescriptorName = "dns"; - }; - }; + systemd.packages = [ package ]; # the units are patched inside the package a bit - systemd.sockets.kresd-tls = mkIf (cfg.listenTLS != []) rec { - wantedBy = [ "sockets.target" ]; - before = wantedBy; - partOf = [ "kresd.socket" ]; - listenStreams = cfg.listenTLS; - socketConfig = { - FileDescriptorName = "tls"; - FreeBind = true; - Service = "kresd.service"; - }; + systemd.targets.kresd = { + wantedBy = [ "multi-user.target" ]; + wants = [ "kres-cache-gc.service" "kresd@1.service" ]; }; - - systemd.sockets.kresd-doh = mkIf (cfg.listenDoH != []) rec { - wantedBy = [ "sockets.target" ]; - before = wantedBy; - partOf = [ "kresd.socket" ]; - listenStreams = cfg.listenDoH; - socketConfig = { - FileDescriptorName = "doh"; - FreeBind = true; - Service = "kresd.service"; - }; + systemd.services."kresd@".serviceConfig = { + ExecStart = "${package}/bin/kresd --noninteractive " + + "-c ${package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}"; + # Ensure correct ownership in case UID or GID changes. 
+ CacheDirectory = "knot-resolver"; + CacheDirectoryMode = "0750"; }; - systemd.sockets.kresd-control = rec { - wantedBy = [ "sockets.target" ]; - before = wantedBy; - partOf = [ "kresd.socket" ]; - listenStreams = [ "/run/kresd/control" ]; - socketConfig = { - FileDescriptorName = "control"; - Service = "kresd.service"; - SocketMode = "0660"; # only root user/group may connect and control kresd - }; - }; - - systemd.tmpfiles.rules = [ "d '${cfg.cacheDir}' 0770 kresd kresd - -" ]; - - systemd.services.kresd = { - description = "Knot-resolver daemon"; + environment.etc."tmpfiles.d/knot-resolver.conf".source = + "${package}/lib/tmpfiles.d/knot-resolver.conf"; - serviceConfig = { - User = "kresd"; - Type = "notify"; - WorkingDirectory = cfg.cacheDir; - Restart = "on-failure"; - Sockets = [ "kresd.socket" "kresd-control.socket" ] - ++ optional (cfg.listenTLS != []) "kresd-tls.socket"; - }; - - # Trust anchor goes from dns-root-data by default. - script = '' - exec '${package}/bin/kresd' --config '${configFile}' --forks=1 - ''; - - requires = [ "kresd.socket" ]; - }; + # Try cleaning up the previously default location of cache file. + # Note that /var/cache/* should always be safe to remove. + # TODO: remove later, probably between 20.09 and 21.03 + systemd.tmpfiles.rules = [ "R /var/cache/kresd" ]; }; } |
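Review bot: Access control on the control socket is no longer set by this module: the removed `kresd-control.socket` pinned it to `SocketMode = "0660"` (root-only, per its comment), whereas the new `/run/knot-resolver/control/1` is created under the units shipped via `systemd.packages = [ package ]`, and nothing in this hunk states who may connect to it. Since whoever can write to that socket can reconfigure the resolver, the line `systemd.packages = [ package ]; # the units are patched inside the package a bit` should name where the control directory's mode and ownership come from (presumably the package's unit or tmpfiles settings — confirm), or the module should set them explicitly. Also, `CacheDirectoryMode = "0750";` sits under the comment `Ensure correct ownership in case UID or GID changes.`, but that remark explains `CacheDirectory`; the mode is a separate choice and deserves its own short reason, e.g. `# cache must not be world-readable`.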