author | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2024-02-08 20:32:38 +0100 |
---|---|---|
committer | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2024-02-12 22:49:03 +0100 |
commit | 80e79ded15d1fc954de36e3e7c77725ea3fb3489 (patch) | |
tree | c6db9e6f959e176caec23bfd18a37c033446eee9 /nixos/modules/services/networking | |
parent | cd5c10f69676a36ae44254b8cfd58f528a062f65 (diff) | |
nixos/unbound: check validity of config file
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/unbound.nix | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix
index 616b32f11797..8438e472e11e 100644
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -24,12 +24,24 @@ let
 confNoServer = concatStringsSep "\n" ((mapAttrsToList (toConf "") (builtins.removeAttrs cfg.settings [ "server" ])) ++ [""]);
 confServer = concatStringsSep "\n" (mapAttrsToList (toConf " ") (builtins.removeAttrs cfg.settings.server [ "define-tag" ]));
- confFile = pkgs.writeText "unbound.conf" ''
+ confFileUnchecked = pkgs.writeText "unbound.conf" ''
 server:
 ${optionalString (cfg.settings.server.define-tag != "") (toOption " " "define-tag" cfg.settings.server.define-tag)}
 ${confServer}
 ${confNoServer}
 '';
+ confFile = if cfg.checkconf then pkgs.runCommandLocal "unbound-checkconf" { } ''
+ cp ${confFileUnchecked} unbound.conf
+
+ # fake stateDir which is not accesible in the sandbox
+ mkdir -p $PWD/state
+ sed -i unbound.conf \ -e '/auto-trust-anchor-file/d' \ -e "s|${cfg.stateDir}|$PWD/state|" ${cfg.package}/bin/unbound-checkconf unbound.conf
+
+ cp ${confFileUnchecked} $out
+ '' else confFileUnchecked;
 rootTrustAnchorFile = "${cfg.stateDir}/root.key";
@@ -62,6 +74,17 @@ in {
 description = lib.mdDoc "Directory holding all state for unbound to run.";
 };
+ checkconf = mkOption {
+ type = types.bool;
+ default = !cfg.settings ? include;
+ defaultText = "!config.services.unbound.settings ? include";
+ description = lib.mdDoc ''
+ Wether to check the resulting config file with unbound checkconf for syntax errors.
+
+ If settings.include is used, then this options is disabled, as the import can likely not be resolved at build time.
+ '';
+ };
+
 resolveLocalQueries = mkOption {
 type = types.bool;
 default = true; |
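Review bot: The `sed` line in the new `confFile` derivation interpolates `cfg.stateDir` unescaped into a `|`-delimited expression inside a double-quoted shell string, so a state directory containing `|`, `"`, `$` or `&` makes the check derivation fail or rewrite the wrong text instead of reporting a configuration problem; stateDir is operator-controlled, so this is a robustness gap rather than an injection, but it deserves either escaping or a comment. The check is also syntax-only: the `auto-trust-anchor-file` line is deleted before `unbound-checkconf` runs and the substituted state directory is empty, so a wrong trust-anchor path, or any other file referenced from settings that `unbound-checkconf` may verify for existence, is only discovered when the service starts. I would record that next to the `mkdir`: `# Syntax check only: the trust-anchor directive is dropped and stateDir is replaced by an empty directory, so files referenced from the config are not validated here.` The existing comment's `accesible` should read `accessible`. The whole `confFile` binding lies within this hunk.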
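Review bot: The `checkconf` option description has two typos — `Wether` should be `Whether`, and `this options is disabled` should be `this option is disabled` — and it should say what the default actually tests, since `!cfg.settings ? include` only reacts to a top-level `include` key; an `include` placed under `settings.server` is rendered by the module but not detected, so the check still runs and presumably fails at build time. `defaultText` holds a Nix expression, so the nixpkgs convention is `defaultText = lib.literalExpression "!config.services.unbound.settings ? include";`, which renders it as code in the manual. A closing sentence such as `Set this to false if the configuration references files (includes, trust anchors, keys) that do not exist at build time.` would tell users when to override the default.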