authorSandro Jäckel <sandro.jaeckel@gmail.com>2024-02-08 20:32:38 +0100
committerSandro Jäckel <sandro.jaeckel@gmail.com>2024-02-12 22:49:03 +0100
commit80e79ded15d1fc954de36e3e7c77725ea3fb3489 (patch)
treec6db9e6f959e176caec23bfd18a37c033446eee9 /nixos/modules/services/networking
parentcd5c10f69676a36ae44254b8cfd58f528a062f65 (diff)
nixos/unbound: check validity of config file
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r--nixos/modules/services/networking/unbound.nix25
1 files changed, 24 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix
index 616b32f11797..8438e472e11e 100644
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -24,12 +24,24 @@ let
   confNoServer = concatStringsSep "\n" ((mapAttrsToList (toConf "") (builtins.removeAttrs cfg.settings [ "server" ])) ++ [""]);
   confServer = concatStringsSep "\n" (mapAttrsToList (toConf "  ") (builtins.removeAttrs cfg.settings.server [ "define-tag" ]));
 
-  confFile = pkgs.writeText "unbound.conf" ''
+  confFileUnchecked = pkgs.writeText "unbound.conf" ''
     server:
     ${optionalString (cfg.settings.server.define-tag != "") (toOption "  " "define-tag" cfg.settings.server.define-tag)}
     ${confServer}
     ${confNoServer}
   '';
+  confFile = if cfg.checkconf then pkgs.runCommandLocal "unbound-checkconf" { } ''
+    cp ${confFileUnchecked} unbound.conf
+
+    # fake stateDir which is not accesible in the sandbox
+    mkdir -p $PWD/state
+    sed -i unbound.conf \
+      -e '/auto-trust-anchor-file/d' \
+      -e "s|${cfg.stateDir}|$PWD/state|"
+    ${cfg.package}/bin/unbound-checkconf unbound.conf
+
+    cp ${confFileUnchecked} $out
+  '' else confFileUnchecked;
 
   rootTrustAnchorFile = "${cfg.stateDir}/root.key";
 
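Review bot: The sed rewrite of the state directory on the `-e "s|${cfg.stateDir}|$PWD/state|"` line is neither global nor escaped, so a stateDir value that appears twice on one config line is only rewritten once, and a value containing `|` (or regex-significant characters) changes the meaning of the expression rather than being matched literally; at minimum add the `g` flag, `-e "s|${cfg.stateDir}|$PWD/state|g"`. Because the `auto-trust-anchor-file` lines are dropped before `unbound-checkconf` runs, those directives are never validated, and the check is a syntax check only; a comment stating both limits next to the sed call would save the next reader from assuming full validation, e.g. `# syntax check only: trust-anchor lines are removed and stateDir paths are redirected to an empty stub`. The comment "fake stateDir which is not accesible" has a typo (accessible). The enclosing `let` starts before this hunk.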
@@ -62,6 +74,17 @@ in {
         description = lib.mdDoc "Directory holding all state for unbound to run.";
       };
 
+      checkconf = mkOption {
+        type = types.bool;
+        default = !cfg.settings ? include;
+        defaultText = "!config.services.unbound.settings ? include";
+        description = lib.mdDoc ''
+          Wether to check the resulting config file with unbound checkconf for syntax errors.
+
+          If settings.include is used, then this options is disabled, as the import can likely not be resolved at build time.
+        '';
+      };
+
       resolveLocalQueries = mkOption {
         type = types.bool;
         default = true;
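Review bot: The option description has two typos and an awkward sentence that will show up in the rendered manual: "Wether" should be "Whether", and "then this options is disabled" should be "then this option is disabled by default". I would also say explicitly that the check runs at build time in the Nix sandbox, since that is why an `include` cannot be resolved; a rewording such as "Whether to check the resulting config file with unbound-checkconf for syntax errors at build time. If settings.include is used, this option defaults to false, as the included file can likely not be resolved inside the build sandbox." keeps the meaning and reads cleanly. The enclosing options attribute set starts and ends outside this hunk.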