Merge pull request #13000 from mayflower/feat/unbound-dnssec

unbound: 1.5.3 -> 1.5.7, hardening, DNSSEC support & cleanup
Franz Pletz 2016-02-16 02:13:35 +01:00
commit 932d2cbd2c
2 changed files with 38 additions and 18 deletions


@ -16,6 +16,11 @@ let
"forward-zone:\n name: .\n" + "forward-zone:\n name: .\n" +
concatMapStrings (x: " forward-addr: ${x}\n") cfg.forwardAddresses; concatMapStrings (x: " forward-addr: ${x}\n") cfg.forwardAddresses;
rootTrustAnchorFile = "${stateDir}/root.key";
trustAnchor = optionalString cfg.enableRootTrustAnchor
"auto-trust-anchor-file: ${rootTrustAnchorFile}";
confFile = pkgs.writeText "unbound.conf" '' confFile = pkgs.writeText "unbound.conf" ''
server: server:
directory: "${stateDir}" directory: "${stateDir}"
@ -24,6 +29,7 @@ let
pidfile: "" pidfile: ""
${interfaces} ${interfaces}
${access} ${access}
${trustAnchor}
${cfg.extraConfig} ${cfg.extraConfig}
${forward} ${forward}
''; '';
@ -38,28 +44,39 @@ in
services.unbound = { services.unbound = {
enable = mkOption { enable = mkOption {
default = false; default = false;
description = "Whether to enable the Unbound domain name server."; type = types.bool;
description = "Whether to enable the Unbound domain name server.";
}; };
allowedAccess = mkOption { allowedAccess = mkOption {
default = ["127.0.0.0/24"]; default = ["127.0.0.0/24"];
description = "What networks are allowed to use unbound as a resolver."; type = types.listOf types.str;
description = "What networks are allowed to use unbound as a resolver.";
}; };
interfaces = mkOption { interfaces = mkOption {
default = [ "127.0.0.1" "::1" ]; default = [ "127.0.0.1" "::1" ];
description = "What addresses the server should listen on."; type = types.listOf types.str;
description = "What addresses the server should listen on.";
}; };
forwardAddresses = mkOption { forwardAddresses = mkOption {
default = [ ]; default = [ ];
description = "What servers to forward queries to."; type = types.listOf types.str;
description = "What servers to forward queries to.";
};
enableRootTrustAnchor = mkOption {
default = true;
type = types.bool;
description = "Use and update root trust anchor for DNSSEC validation.";
}; };
extraConfig = mkOption { extraConfig = mkOption {
default = ""; default = "";
description = "Extra lines of unbound config."; type = types.str;
description = "Extra lines of unbound config.";
}; };
}; };
@ -88,9 +105,10 @@ in
preStart = '' preStart = ''
mkdir -m 0755 -p ${stateDir}/dev/ mkdir -m 0755 -p ${stateDir}/dev/
cp ${confFile} ${stateDir}/unbound.conf cp ${confFile} ${stateDir}/unbound.conf
chown unbound ${stateDir} ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile}
touch ${stateDir}/dev/random chown unbound ${stateDir} ${rootTrustAnchorFile}
touch ${stateDir}/dev/random
${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
''; '';
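Review bot: The new `unbound-anchor -a ${rootTrustAnchorFile}` line in preStart runs unconditionally, so the anchor file is created and the root key fetched even when `enableRootTrustAnchor = false`, and the `chown unbound ${stateDir} ${rootTrustAnchorFile}` that follows it is likewise unconditional; only the `auto-trust-anchor-file:` config line respects the option. Both lines should be wrapped in `optionalString cfg.enableRootTrustAnchor`, e.g. `${optionalString cfg.enableRootTrustAnchor "${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo 'root trust anchor updated'"}` with the chown of the anchor file moved into the same conditional. The `|| echo` matters because unbound-anchor is documented to exit with status 1 when it created or updated the anchor (not only on error); if NixOS runs preStart under `set -e` as I believe it does, the very first start would then fail. Since the tool fetches the anchor over the network, the unit presumably also needs to be ordered after network-online, which this hunk does not show; the surrounding serviceConfig lies outside the hunk.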


@ -2,11 +2,11 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "unbound-${version}"; name = "unbound-${version}";
version = "1.5.3"; version = "1.5.7";
src = fetchurl { src = fetchurl {
url = "http://unbound.net/downloads/${name}.tar.gz"; url = "http://unbound.net/downloads/${name}.tar.gz";
sha256 = "1jly2apag4yg649w3flaq73wdrcfyxnhx5py9j73y7adxmswigbn"; sha256 = "1a0wfgp6wqpf7cxlcbprqhnjx6z9ywf0rhrpcf7x98l1mbjqh82b";
}; };
buildInputs = [ openssl expat libevent ]; buildInputs = [ openssl expat libevent ];
@ -17,15 +17,17 @@ stdenv.mkDerivation rec {
"--with-libevent=${libevent}" "--with-libevent=${libevent}"
"--localstatedir=/var" "--localstatedir=/var"
"--sysconfdir=/etc" "--sysconfdir=/etc"
"--enable-pie"
"--enable-relro-now"
]; ];
installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ]; installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ];
meta = { meta = with stdenv.lib; {
description = "Validating, recursive, and caching DNS resolver"; description = "Validating, recursive, and caching DNS resolver";
license = stdenv.lib.licenses.bsd3; license = licenses.bsd3;
homepage = http://www.unbound.net; homepage = http://www.unbound.net;
maintainers = [ stdenv.lib.maintainers.ehmry ]; maintainers = with maintainers; [ ehmry fpletz ];
platforms = stdenv.lib.platforms.unix; platforms = stdenv.lib.platforms.unix;
}; };
} }
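Review bot: The meta block now opens with `with stdenv.lib;` and uses `licenses.bsd3` and `maintainers`, but the last attribute still spells out `platforms = stdenv.lib.platforms.unix;`, which is inconsistent within the same block. It should read `platforms = platforms.unix;`. This is style only; the hardening flags and version bump look fine as far as the hunk shows.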