public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/nsd: Don't override bind via nixpkgs.config

Browse Source 
When generating values for the services.nsd.zones attribute using values
from pkgs, we'll run into an infinite recursion because the nsd module
has a condition on the top-level definition of nixpkgs.config.

While it would work to push the definition a few levels down, it will
still only work if we don't use bind tools for generating zones.

As far as I could see, Python support for BIND seems to be only needed
for the dnssec-* tools, so instead of using nixpkgs.config, we now
directly override pkgs.bind instead of globally in nixpkgs.

To illustrate the problem with a small test case, instantiating the
following Nix expression from the nixpkgs source root will cause the
mentioned infinite recursion:

  (import ./nixos {
    configuration = { lib, pkgs, ... }: {
      services.nsd.enable = true;
      services.nsd.zones = import (pkgs.writeText "foo.nix" ''
        { "foo.".data = "xyz";
          "foo.".dnssec = true;
        }
      '');
    };
  }).vm

With this change, generating zones via import-from-derivation is now
possible again.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @pngwjpgh
This commit is contained in:
aszlig 2019-01-04 01:49:50 +01:00
parent e753bc125f
commit 751bdacc9b
No known key found for this signature in database
GPG Key ID: 684089CE67EBB691
1 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
nixos/modules/services/networking/nsd.nix
View File

@ -437,6 +437,8 @@ let
dnssec = length (attrNames dnssecZones) != 0; dnssec = length (attrNames dnssecZones) != 0;
dnssecTools = pkgs.bind.override { enablePython = true; };
signZones = optionalString dnssec '' signZones = optionalString dnssec ''
mkdir -p ${stateDir}/dnssec mkdir -p ${stateDir}/dnssec
chown ${username}:${username} ${stateDir}/dnssec chown ${username}:${username} ${stateDir}/dnssec
@ -445,8 +447,8 @@ let
${concatStrings (mapAttrsToList signZone dnssecZones)} ${concatStrings (mapAttrsToList signZone dnssecZones)}
''; '';
signZone = name: zone: '' signZone = name: zone: ''
${pkgs.bind}/bin/dnssec-keymgr -g ${pkgs.bind}/bin/dnssec-keygen -s ${pkgs.bind}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name} ${dnssecTools}/bin/dnssec-keymgr -g ${dnssecTools}/bin/dnssec-keygen -s ${dnssecTools}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name}
${pkgs.bind}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name} ${dnssecTools}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name}
${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name} ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name}
''; '';
policyFile = name: policy: pkgs.writeText "${name}.policy" '' policyFile = name: policy: pkgs.writeText "${name}.policy" ''
@ -953,10 +955,6 @@ in
''; '';
}; };
nixpkgs.config = mkIf dnssec {
bind.enablePython = true;
};
systemd.timers."nsd-dnssec" = mkIf dnssec { systemd.timers."nsd-dnssec" = mkIf dnssec {
description = "Automatic DNSSEC key rollover"; description = "Automatic DNSSEC key rollover";