authorFranz Pletz <fpletz@fnordicwalking.de>2016-02-16 02:13:35 +0100
committerFranz Pletz <fpletz@fnordicwalking.de>2016-02-16 02:13:35 +0100
commit932d2cbd2c955d80856b2750bfb4059cfe4bee74 (patch)
treeac5b285560e59d1fa089510508a8d354bec9b439 /nixos
parentd58ae071fd81a623f6a7c028db3940755faec1e2 (diff)
parentf415c07703496a468ebee17e90b05f3b9a69cc93 (diff)
Merge pull request #13000 from mayflower/feat/unbound-dnssec
unbound: 1.5.3 -> 1.5.7, hardening, DNSSEC support & cleanup
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/networking/unbound.nix44
1 files changed, 31 insertions, 13 deletions
diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix
index 73b10c1d5611..e154aed0843a 100644
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -16,6 +16,11 @@ let
     "forward-zone:\n  name: .\n" +
     concatMapStrings (x: "  forward-addr: ${x}\n") cfg.forwardAddresses;
 
+  rootTrustAnchorFile = "${stateDir}/root.key";
+
+  trustAnchor = optionalString cfg.enableRootTrustAnchor
+    "auto-trust-anchor-file: ${rootTrustAnchorFile}";
+
   confFile = pkgs.writeText "unbound.conf" ''
     server:
       directory: "${stateDir}"
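Review bot: `auto-trust-anchor-file` (the `trustAnchor` line added in this hunk) makes Unbound rewrite `${stateDir}/root.key` itself during RFC 5011 key rollover, so the file and its directory must stay writable by the user Unbound drops to, not just readable; nothing here documents that constraint, and anyone later tightening permissions on `stateDir` would silently break rollover. A one-line comment above `rootTrustAnchorFile` would capture it: `# Rewritten by unbound for RFC 5011 rollover; must be writable by the unbound user.`. The `let` block this hunk sits in starts outside the hunk.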
@@ -24,6 +29,7 @@ let
       pidfile: ""
       ${interfaces}
       ${access}
+      ${trustAnchor}
     ${cfg.extraConfig}
     ${forward}
   '';
@@ -38,28 +44,39 @@ in
     services.unbound = {
 
       enable = mkOption {
-	default = false;
-	description = "Whether to enable the Unbound domain name server.";
+        default = false;
+        type = types.bool;
+        description = "Whether to enable the Unbound domain name server.";
       };
 
       allowedAccess = mkOption {
-	default = ["127.0.0.0/24"];
-	description = "What networks are allowed to use unbound as a resolver.";
+        default = ["127.0.0.0/24"];
+        type = types.listOf types.str;
+        description = "What networks are allowed to use unbound as a resolver.";
       };
 
       interfaces = mkOption {
-	default = [ "127.0.0.1" "::1" ];
-	description = "What addresses the server should listen on.";
+        default = [ "127.0.0.1" "::1" ];
+        type = types.listOf types.str;
+        description = "What addresses the server should listen on.";
       };
 
       forwardAddresses = mkOption {
-	default = [ ];
-	description = "What servers to forward queries to.";
+        default = [ ];
+        type = types.listOf types.str;
+        description = "What servers to forward queries to.";
+      };
+
+      enableRootTrustAnchor = mkOption {
+        default = true;
+        type = types.bool;
+        description = "Use and update root trust anchor for DNSSEC validation.";
       };
 
       extraConfig = mkOption {
-	default = "";
-	description = "Extra lines of unbound config.";
+        default = "";
+        type = types.str;
+        description = "Extra lines of unbound config.";
       };
 
     };
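Review bot: `extraConfig` is typed `types.str` on the new side, but it is documented as "Extra lines of unbound config" and is spliced verbatim into the generated file, so `types.lines` is the conventional type here (it concatenates multiple definitions instead of rejecting them); suggest `type = types.lines;`. Separately, `enableRootTrustAnchor` defaults to `true`, which presumably turns on DNSSEC validation for every existing deployment and makes Unbound fetch and maintain the anchor at startup; the description should say so, e.g. `description = "Use and update the root trust anchor for DNSSEC validation. Enabling this makes Unbound validate responses and fail queries whose DNSSEC chain does not verify.";`. The `allowedAccess` and `interfaces` values are plain strings that end up unquoted in the config, so a typo surfaces only as an Unbound parse error at service start; that is pre-existing but worth a note in the descriptions.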
@@ -88,9 +105,10 @@ in
 
       preStart = ''
         mkdir -m 0755 -p ${stateDir}/dev/
-	cp ${confFile} ${stateDir}/unbound.conf
-	chown unbound ${stateDir}
-	touch ${stateDir}/dev/random
+        cp ${confFile} ${stateDir}/unbound.conf
+        ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile}
+        chown unbound ${stateDir} ${rootTrustAnchorFile}
+        touch ${stateDir}/dev/random
         ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
       '';