author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-02-15 03:35:25 +0100 |
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2016-02-15 03:59:42 +0100 |
commit | 483e78d0f078d9449f892058b914a864d80d09f8 (patch) | |
tree | 13ce5bcb9e21e59579457cb837a035f2f2b6b183 /nixos | |
parent | 9ba533ee4a68db8afda83b6f6584424c1aee8b76 (diff) | |
unbound service: add fetching root anchor for DNSSEC
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/unbound.nix | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix
index bad0d2d4e858..e154aed0843a 100644
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -16,6 +16,11 @@ let
 "forward-zone:\n name: .\n" +
 concatMapStrings (x: " forward-addr: ${x}\n") cfg.forwardAddresses;
+ rootTrustAnchorFile = "${stateDir}/root.key";
+
+ trustAnchor = optionalString cfg.enableRootTrustAnchor
+ "auto-trust-anchor-file: ${rootTrustAnchorFile}";
+
 confFile = pkgs.writeText "unbound.conf" ''
 server:
 directory: "${stateDir}"
@@ -24,6 +29,7 @@ let
 pidfile: ""
 ${interfaces}
 ${access}
+ ${trustAnchor}
 ${cfg.extraConfig}
 ${forward}
 '';
@@ -61,6 +67,12 @@ in
 description = "What servers to forward queries to.";
 };
+ enableRootTrustAnchor = mkOption {
+ default = true;
+ type = types.bool;
+ description = "Use and update root trust anchor for DNSSEC validation.";
+ };
+
 extraConfig = mkOption {
 default = "";
 type = types.str;
@@ -94,7 +106,8 @@ in
 preStart = ''
 mkdir -m 0755 -p ${stateDir}/dev/
 cp ${confFile} ${stateDir}/unbound.conf
- chown unbound ${stateDir}
+ ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile}
+ chown unbound ${stateDir} ${rootTrustAnchorFile}
 touch ${stateDir}/dev/random
 ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
 ''; |
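Review bot: In the last hunk the new `unbound-anchor -a ${rootTrustAnchorFile}` line runs unconditionally, so the anchor is still fetched and chowned when `enableRootTrustAnchor = false`, even though the first hunk only emits `auto-trust-anchor-file` when the option is set; the preStart should be guarded with the same `optionalString cfg.enableRootTrustAnchor`. The exit status also needs care: unbound-anchor's man page documents exit status 1 when it creates or updates the anchor (which is what happens on the very first start, using its builtin anchor), and if preStart runs under a `-e` shell, as NixOS job scripts appear to, that would abort the service before unbound ever starts. A tolerant invocation such as `unbound-anchor -a ${rootTrustAnchorFile} || echo "root trust anchor created or updated"` keeps the log informative without hiding the result. Note that this fetch runs as root in preStart; leaving `chown unbound ${stateDir}` unconditional and chowning only the anchor file inside the guard keeps the previous behaviour for the disabled case. preStart starts and ends inside the hunk; the enclosing service definition does not.

```nix
preStart = ''
  mkdir -m 0755 -p ${stateDir}/dev/
  cp ${confFile} ${stateDir}/unbound.conf
  chown unbound ${stateDir}
  ${optionalString cfg.enableRootTrustAnchor ''
    # unbound-anchor returns 1 when it creates or updates the anchor; do not treat that as a failure
    ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "root trust anchor created or updated"
    chown unbound ${rootTrustAnchorFile}
  ''}
  # … unchanged: /dev/random bind mount …
'';
```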