nixpkgs/nixos/modules/services/networking/unbound.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.unbound;

  stateDir = "/var/lib/unbound";

  access = concatMapStringsSep "\n  " (x: "access-control: ${x} allow") cfg.allowedAccess;

  interfaces = concatMapStringsSep "\n  " (x: "interface: ${x}") cfg.interfaces;

  isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1";

  forward =
    optionalString (any isLocalAddress cfg.forwardAddresses) ''
      do-not-query-localhost: no
    '' +
    optionalString (cfg.forwardAddresses != []) ''
      forward-zone:
        name: .
    '' +
    concatMapStringsSep "\n" (x: "    forward-addr: ${x}") cfg.forwardAddresses;

  rootTrustAnchorFile = "${stateDir}/root.key";

  trustAnchor = optionalString cfg.enableRootTrustAnchor
    "auto-trust-anchor-file: ${rootTrustAnchorFile}";

  confFile = pkgs.writeText "unbound.conf" ''
    server:
      directory: "${stateDir}"
      username: unbound
      chroot: "${stateDir}"
      pidfile: ""
      ${interfaces}
      ${access}
      ${trustAnchor}
    ${cfg.extraConfig}
    ${forward}
  '';

in

{

  ###### interface

  options = {
    services.unbound = {

      enable = mkEnableOption "Unbound domain name server";

      allowedAccess = mkOption {
        default = [ "127.0.0.0/24" ];
        type = types.listOf types.str;
        description = "What networks are allowed to use unbound as a resolver.";
      };

      interfaces = mkOption {
        default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1";
        type = types.listOf types.str;
        description = "What addresses the server should listen on.";
      };

      forwardAddresses = mkOption {
        default = [ ];
        type = types.listOf types.str;
        description = "What servers to forward queries to.";
      };

      enableRootTrustAnchor = mkOption {
        default = true;
        type = types.bool;
        description = "Use and update root trust anchor for DNSSEC validation.";
      };

      extraConfig = mkOption {
        default = "";
        type = types.lines;
        description = ''
          Extra unbound config. See
          <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8
          </manvolnum></citerefentry>.
        '';
      };

    };
  };

  ###### implementation

  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.unbound ];

    users.users.unbound = {
      description = "unbound daemon user";
      isSystemUser = true;
    };

    systemd.services.unbound = {
      description = "Unbound recursive Domain Name Server";
      after = [ "network.target" ];
      before = [ "nss-lookup.target" ];
      wants = [ "nss-lookup.target" ];
      wantedBy = [ "multi-user.target" ];

      preStart = ''
        mkdir -m 0755 -p ${stateDir}/dev/
        cp ${confFile} ${stateDir}/unbound.conf
        ${optionalString cfg.enableRootTrustAnchor ''
          ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!"
          chown unbound ${stateDir} ${rootTrustAnchorFile}
        ''}
        touch ${stateDir}/dev/random
        ${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random
      '';

      serviceConfig = {
        ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf";
        ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";

        ProtectSystem = true;
        ProtectHome = true;
        PrivateDevices = true;
        Restart = "always";
        RestartSec = "5s";
      };
    };

    # If networkmanager is enabled, ask it to interface with unbound.
    networking.networkmanager.dns = "unbound";

  };

}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
			`let`

			`cfg = config.services.unbound;`

			`stateDir = "/var/lib/unbound";`

nixos/unbound: correct indented interface/access lists 2017-11-03 08:36:11 +00:00			`access = concatMapStringsSep "\n " (x: "access-control: ${x} allow") cfg.allowedAccess;`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
nixos/unbound: correct indented interface/access lists 2017-11-03 08:36:11 +00:00			`interfaces = concatMapStringsSep "\n " (x: "interface: ${x}") cfg.interfaces;`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
unbound service: extend isLocalAddress to handle ipv6 2016-09-16 09:47:36 +02:00			`isLocalAddress = x: substring 0 3 x == "::1" \|\| substring 0 9 x == "127.0.0.1";`
unbound service: convenient handling of local forward addresses do-not-query-localhost defaults to yes; with this patch, unbound is configured to query localhost if any of the forward addresses are local. 2016-08-30 19:20:08 +02:00
			`forward =`
			`optionalString (any isLocalAddress cfg.forwardAddresses) ''`
			`do-not-query-localhost: no`
			`'' +`
			`optionalString (cfg.forwardAddresses != []) ''`
			`forward-zone:`
			`name: .`
			`'' +`
			`concatMapStringsSep "\n" (x: " forward-addr: ${x}") cfg.forwardAddresses;`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
unbound service: add fetching root anchor for DNSSEC 2016-02-15 03:35:25 +01:00			`rootTrustAnchorFile = "${stateDir}/root.key";`

			`trustAnchor = optionalString cfg.enableRootTrustAnchor`
			`"auto-trust-anchor-file: ${rootTrustAnchorFile}";`

unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`confFile = pkgs.writeText "unbound.conf" ''`
			`server:`
			`directory: "${stateDir}"`
unbound: run in chroot 2014-08-26 21:24:09 -04:00			`username: unbound`
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`chroot: "${stateDir}"`
unbound: run in chroot 2014-08-26 21:24:09 -04:00			`pidfile: ""`
Adding extraConfig to unbound svn path=/nixos/trunk/; revision=30211 2011-11-03 18:49:54 +00:00			`${interfaces}`
			`${access}`
unbound service: add fetching root anchor for DNSSEC 2016-02-15 03:35:25 +01:00			`${trustAnchor}`
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`${cfg.extraConfig}`
unbound: run in chroot 2014-08-26 21:24:09 -04:00			`${forward}`
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`'';`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
			`in`

			`{`

			`###### interface`

			`options = {`
			`services.unbound = {`

unbound service: use mkEnableOption 2016-08-30 19:28:30 +02:00			`enable = mkEnableOption "Unbound domain name server";`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
			`allowedAccess = mkOption {`
unbound service: whitespace fixes 2016-08-30 19:30:28 +02:00			`default = [ "127.0.0.0/24" ];`
unbound service: add types to options 2016-02-15 03:37:45 +01:00			`type = types.listOf types.str;`
unbound service: retab 2016-02-07 18:40:15 +01:00			`description = "What networks are allowed to use unbound as a resolver.";`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00			`};`

			`interfaces = mkOption {`
nixos/unbound: add restart (#41885) 2018-06-12 12:29:25 +00:00			`default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1";`
unbound service: add types to options 2016-02-15 03:37:45 +01:00			`type = types.listOf types.str;`
unbound service: retab 2016-02-07 18:40:15 +01:00			`description = "What addresses the server should listen on.";`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00			`};`

			`forwardAddresses = mkOption {`
unbound service: retab 2016-02-07 18:40:15 +01:00			`default = [ ];`
unbound service: add types to options 2016-02-15 03:37:45 +01:00			`type = types.listOf types.str;`
unbound service: retab 2016-02-07 18:40:15 +01:00			`description = "What servers to forward queries to.";`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00			`};`

unbound service: add fetching root anchor for DNSSEC 2016-02-15 03:35:25 +01:00			`enableRootTrustAnchor = mkOption {`
			`default = true;`
			`type = types.bool;`
			`description = "Use and update root trust anchor for DNSSEC validation.";`
			`};`

Adding extraConfig to unbound svn path=/nixos/trunk/; revision=30211 2011-11-03 18:49:54 +00:00			`extraConfig = mkOption {`
unbound service: retab 2016-02-07 18:40:15 +01:00			`default = "";`
nixos: use types.lines for extraConfig 2016-10-23 19:33:41 +02:00			`type = types.lines;`
unbound service: add reference to man:unbound.conf(8) 2016-09-01 18:47:40 +02:00			`description = ''`
			`Extra unbound config. See`
			`<citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8`
			`</manvolnum></citerefentry>.`
			`'';`
Adding extraConfig to unbound svn path=/nixos/trunk/; revision=30211 2011-11-03 18:49:54 +00:00			`};`

Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00			`};`
			`};`

			`###### implementation`

unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`config = mkIf cfg.enable {`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`environment.systemPackages = [ pkgs.unbound ];`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
unbound service: use auto-generated uid 1. The preStart script ensures consistent ownership, even if the unbound user's uid has changed 2. The unbound daemon does not generate data that needs to be private to it, so it would not matter that a different service would end up owning its data (as long as unbound remains enabled, it should reclaim ownership soon enough anyway). Thus, there's no clear benefit to allocate a dedicated uid for the unbound service. This releases uid/gid 48. Also, because the preStart script creates the data directory, there's no need to specify a homedir or ask for its creation. 2016-09-01 18:48:13 +02:00			`users.users.unbound = {`
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`description = "unbound daemon user";`
unbound service: use auto-generated uid 1. The preStart script ensures consistent ownership, even if the unbound user's uid has changed 2. The unbound daemon does not generate data that needs to be private to it, so it would not matter that a different service would end up owning its data (as long as unbound remains enabled, it should reclaim ownership soon enough anyway). Thus, there's no clear benefit to allocate a dedicated uid for the unbound service. This releases uid/gid 48. Also, because the preStart script creates the data directory, there's no need to specify a homedir or ask for its creation. 2016-09-01 18:48:13 +02:00			`isSystemUser = true;`
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`};`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`systemd.services.unbound = {`
unbound service: whitespace fixes 2016-08-30 19:30:28 +02:00			`description = "Unbound recursive Domain Name Server";`
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`after = [ "network.target" ];`
			`before = [ "nss-lookup.target" ];`
unbound: fix typo in systemd Before 2017-10-10 20:08:36 +00:00			`wants = [ "nss-lookup.target" ];`
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`wantedBy = [ "multi-user.target" ];`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
unbound: run in chroot 2014-08-26 21:24:09 -04:00			`preStart = ''`
			`mkdir -m 0755 -p ${stateDir}/dev/`
unbound service: retab 2016-02-07 18:40:15 +01:00			`cp ${confFile} ${stateDir}/unbound.conf`
unbound service: do not initialize root cert When enableRootTrustAnchor is set to false, there is really no point in initializing the root key before starting unbound. Fixes #15605. 2016-05-21 13:12:48 +02:00			`${optionalString cfg.enableRootTrustAnchor ''`
nixos/unbound: add restart (#41885) 2018-06-12 12:29:25 +00:00			`${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} \|\| echo "Root anchor updated!"`
			`chown unbound ${stateDir} ${rootTrustAnchorFile}`
unbound service: do not initialize root cert When enableRootTrustAnchor is set to false, there is really no point in initializing the root key before starting unbound. Fixes #15605. 2016-05-21 13:12:48 +02:00			`''}`
unbound service: retab 2016-02-07 18:40:15 +01:00			`touch ${stateDir}/dev/random`
unbound service: non-blocking random in chroot /dev/random is an exhaustible resource. Presumably, unbound will not be used to generate long-term encryption keys and so allowing it to use /dev/random only increases the risk of entropy exhaustion for no benefit. 2016-08-30 19:22:53 +02:00			`${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random`
unbound: run in chroot 2014-08-26 21:24:09 -04:00			`'';`

			`serviceConfig = {`
unbound: drop sbin directory 2016-03-06 12:50:41 +00:00			`ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf";`
unbound: run in chroot 2014-08-26 21:24:09 -04:00			`ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";`
unbound service: some pre-chroot isolation While entering the chroot should provide the same amount of isolation, the preStart script will run with full root privileges and so would benefit from some isolation as well (in particular due to unbound-anchor, which can perform network I/O). 2016-09-01 18:53:06 +02:00
			`ProtectSystem = true;`
			`ProtectHome = true;`
			`PrivateDevices = true;`
nixos/unbound: add restart (#41885) 2018-06-12 12:29:25 +00:00			`Restart = "always";`
			`RestartSec = "5s";`
unbound: run in chroot 2014-08-26 21:24:09 -04:00			`};`
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-04-20 11:16:36 -04:00			`};`
Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00
networkmanager: Expand dns description, integrate with other services (#41898) Rather than special-casing the dns options in networkmanager.nix, use the module system to let unbound and systemd-resolved contribute to the newtorkmanager config. 2018-06-29 13:41:46 -04:00			`# If networkmanager is enabled, ask it to interface with unbound.`
			`networking.networkmanager.dns = "unbound";`

Adding a module for unbound. svn path=/nixos/trunk/; revision=30197 2011-11-02 20:59:12 +00:00			`};`

			`}`