From 5cb67ef83295f8b145b8d8b518a9ace89d50dbfb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?=
Date: Wed, 2 Nov 2011 20:59:12 +0000
Subject: [PATCH] Adding a module for unbound.

svn path=/nixos/trunk/; revision=30197
---
 modules/misc/ids.nix | 1 +
 modules/module-list.nix | 1 +
 modules/services/networking/unbound.nix | 110 ++++++++++++++++++++++++
 3 files changed, 112 insertions(+)
 create mode 100644 modules/services/networking/unbound.nix

diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index 6f97ebab7438..5200d117bc15 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -66,6 +66,7 @@ in
     rtkit = 45;
     dovecot2 = 46;
     dovenull2 = 47;
+    unbound = 48;
     # When adding a uid, make sure it doesn't match an existing gid.
diff --git a/modules/module-list.nix b/modules/module-list.nix
index f6ee93137938..13e56dc8f681 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -126,6 +126,7 @@
   ./services/networking/radvd.nix
   ./services/networking/rdnssd.nix
   ./services/networking/sabnzbd.nix
+  ./services/networking/unbound.nix
   ./services/networking/ssh/lshd.nix
   ./services/networking/ssh/sshd.nix
   ./services/networking/cntlm.nix
diff --git a/modules/services/networking/unbound.nix b/modules/services/networking/unbound.nix
new file mode 100644
index 000000000000..6211acfcc845
--- /dev/null
+++ b/modules/services/networking/unbound.nix
@@ -0,0 +1,110 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+  cfg = config.services.unbound;
+
+  username = "unbound";
+
+  stateDir = "/var/lib/unbound";
+
+  access = concatMapStrings (x: " access-control: ${x} allow\n") cfg.allowedAccess;
+
+  interfaces = concatMapStrings (x: " interface: ${x}\n") cfg.interfaces;
+
+  forward = optionalString (length cfg.forwardAddresses != 0)
+    "forward-zone:\n name: .\n" + concatMapStrings (x: " forward-addr: ${x}\n") cfg.forwardAddresses;
+
+  confFile = pkgs.writeText "unbound.conf"
+    ''
+      server:
+      directory: "${stateDir}"
+      username: ${username}
+      # make sure unbound can access entropy from inside the chroot.
+      # e.g. on linux the use these commands (on BSD, devfs(8) is used):
+      # mount --bind -n /dev/random /etc/unbound/dev/random
+      # and mount --bind -n /dev/log /etc/unbound/dev/log
+      chroot: "${stateDir}"
+      # logfile: "${stateDir}/unbound.log" #uncomment to use logfile.
+      pidfile: "${stateDir}/unbound.pid"
+      verbosity: 1 # uncomment and increase to get more logging.
+      # listen on all interfaces, answer queries from the local subnet.
+      ${interfaces}
+      ${access}
+      ${forward}
+    '';
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.unbound = {
+
+      enable = mkOption {
+        default = true;
+        description = "
+          Whether to enable the Unbound domain name server.
+        ";
+      };
+
+      allowedAccess = mkOption {
+        default = ["127.0.0.0/24"];
+        description = "
+          What networks are allowed to use us as a resolver.
+        ";
+      };
+
+      interfaces = mkOption {
+        default = [ "127.0.0.0" "::1" ];
+        description = "
+          What addresses the server should listen to
+        ";
+      };
+
+      forwardAddresses = mkOption {
+        default = [ ];
+        description = "
+          What servers to forward the queries to.
+        ";
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.unbound.enable {
+    environment.systemPackages = [ pkgs.unbound ];
+
+    users.extraUsers = singleton
+      { name = username;
+        uid = config.ids.uids.unbound;
+        description = "unbound daemon user";
+        home = "/tmp";
+      };
+
+    jobs.unbound =
+      { description = "Unbound name server job";
+
+        preStart =
+          ''
+            ${pkgs.coreutils}/bin/mkdir -p ${stateDir}
+          '';
+
+        daemonType = "fork";
+
+        exec = "${pkgs.unbound}/sbin/unbound -c ${confFile}";
+      };
+
+  };
+
+}
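Review bot: The option defaults in the new module both switch the resolver on everywhere and bind it to the wrong address: `enable` defaults to `true` (NixOS service modules conventionally default to `false`, and since this commit also registers the module in module-list.nix every configuration would start unbound), and `interfaces` defaults to `127.0.0.0`, the loopback network address rather than the host address clients send queries to, so `interface: 127.0.0.0` very likely never answers on 127.0.0.1. I would change them to `default = false;` and `default = [ "127.0.0.1" "::1" ];`, and give `allowedAccess` the conventional loopback prefix 127.0.0.0/8 instead of the unusual /24. Separately, the `unbound` system user is created with `home = "/tmp"`, a world-writable directory, so any local user can place files in the daemon's home; pointing it at the state directory with `home = stateDir;` avoids that. The preStart only creates `${stateDir}` and never assigns ownership, which is fine as long as unbound writes nothing there after dropping to `username` (the logfile line is commented out), but that should be confirmed.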