public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #100063 from aanderse/nixos/powerdns

Browse Source 
nixos/powerdns: use upstream systemd unit
This commit is contained in:
Aaron Andersen 2020-10-24 18:47:43 -04:00 committed by GitHub
commit a160fa008d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 90 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
nixos/doc/manual/release-notes/rl-2103.xml
View File

@ -99,6 +99,16 @@
to <literal>/run/pdns-recursor</literal> to match upstream. to <literal>/run/pdns-recursor</literal> to match upstream.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
PowerDNS has been updated from <literal>4.2.x</literal> to <literal>4.3.x</literal>. Please
be sure to review the <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade Notes</link>
provided by upstream before upgrading. Worth specifically noting is that the service now runs
entirely as a dedicated <literal>pdns</literal> user, instead of starting as <literal>root</literal>
and dropping privileges, as well as the default <literal>socket-dir</literal> location changing from
<literal>/var/lib/powerdns</literal> to <literal>/run/pdns</literal>.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>

40
nixos/modules/services/networking/powerdns.nix
View File

@ -8,42 +8,40 @@ let
in { in {
options = { options = {
services.powerdns = { services.powerdns = {
enable = mkEnableOption "Powerdns domain name server"; enable = mkEnableOption "PowerDNS domain name server";
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = types.lines;
default = "launch=bind"; default = "launch=bind";
description = '' description = ''
Extra lines to be added verbatim to pdns.conf. PowerDNS configuration. Refer to
Powerdns will chroot to /var/lib/powerdns. <link xlink:href="https://doc.powerdns.com/authoritative/settings.html"/>
So any file, powerdns is supposed to be read, for details on supported values.
should be in /var/lib/powerdns and needs to specified
relative to the chroot.
''; '';
}; };
}; };
}; };
config = mkIf config.services.powerdns.enable { config = mkIf cfg.enable {
systemd.packages = [ pkgs.powerdns ];
systemd.services.pdns = { systemd.services.pdns = {
unitConfig.Documentation = "man:pdns_server(1) man:pdns_control(1)";
description = "Powerdns name server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = ["network.target" "mysql.service" "postgresql.service" "openldap.service"]; after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ];
serviceConfig = { serviceConfig = {
Restart="on-failure"; ExecStart = [ "" "${pkgs.powerdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
RestartSec="1";
StartLimitInterval="0";
PrivateDevices=true;
CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT";
NoNewPrivileges=true;
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/powerdns";
ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=nobody --setgid=nogroup --chroot=/var/lib/powerdns --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";
ProtectSystem="full";
ProtectHome=true;
RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6";
}; };
}; };
users.users.pdns = {
isSystemUser = true;
group = "pdns";
description = "PowerDNS";
};
users.groups.pdns = {};
}; };
} }

58
nixos/tests/powerdns.nix
View File

@ -1,13 +1,65 @@
import ./make-test-python.nix ({ pkgs, ... }: { # This test runs PowerDNS authoritative server with the
# generic MySQL backend (gmysql) to connect to a
# MariaDB server using UNIX sockets authentication.
import ./make-test-python.nix ({ pkgs, lib, ... }: {
name = "powerdns"; name = "powerdns";
nodes.server = { ... }: { nodes.server = { ... }: {
services.powerdns.enable = true; services.powerdns.enable = true;
environment.systemPackages = [ pkgs.dnsutils ]; services.powerdns.extraConfig = ''
launch=gmysql
gmysql-user=pdns
'';
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ "powerdns" ];
ensureUsers = lib.singleton
{ name = "pdns";
ensurePermissions = { "powerdns.*" = "ALL PRIVILEGES"; };
};
};
environment.systemPackages = with pkgs;
[ dnsutils powerdns mariadb ];
}; };
testScript = '' testScript = ''
import re
with subtest("PowerDNS database exists"):
server.wait_for_unit("mysql")
server.succeed("echo 'SHOW DATABASES;' | sudo -u pdns mysql -u pdns >&2")
with subtest("Loading the MySQL schema works"):
server.succeed(
"sudo -u pdns mysql -u pdns -D powerdns <"
"${pkgs.powerdns}/share/doc/pdns/schema.mysql.sql"
)
with subtest("PowerDNS server starts"):
server.wait_for_unit("pdns") server.wait_for_unit("pdns")
server.succeed("dig version.bind txt chaos \@127.0.0.1") server.succeed("dig version.bind txt chaos @127.0.0.1 >&2")
with subtest("Adding an example zone works"):
# Extract configuration file needed by pdnsutil
unit = server.succeed("systemctl cat pdns")
conf = re.search("(--config-dir=[^ ]+)", unit).group(1)
pdnsutil = "sudo -u pdns pdnsutil " + conf
server.succeed(f"{pdnsutil} create-zone example.com ns1.example.com")
server.succeed(f"{pdnsutil} add-record example.com ns1 A 192.168.1.2")
with subtest("Querying the example zone works"):
reply = server.succeed("dig +noall +answer ns1.example.com @127.0.0.1")
assert (
"192.168.1.2" in reply
), f""""
The reply does not contain the expected IP address:
Expected:
ns1.example.com. 3600 IN A 192.168.1.2
Reply:
{reply}"""
''; '';
}) })

11
pkgs/servers/dns/powerdns/default.nix
View File

@ -1,29 +1,28 @@
{ stdenv, fetchurl, pkgconfig, nixosTests { stdenv, fetchurl, pkgconfig, nixosTests
, boost, libyamlcpp, libsodium, sqlite, protobuf, openssl, systemd , boost, libyamlcpp, libsodium, sqlite, protobuf, openssl, systemd
, mysql57, postgresql, lua, openldap, geoip, curl, opendbx, unixODBC , mysql57, postgresql, lua, openldap, geoip, curl, unixODBC
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "powerdns"; pname = "powerdns";
version = "4.2.3"; version = "4.3.1";
src = fetchurl { src = fetchurl {
url = "https://downloads.powerdns.com/releases/pdns-${version}.tar.bz2"; url = "https://downloads.powerdns.com/releases/pdns-${version}.tar.bz2";
sha256 = "1vf03hssk9rfhvhzfc5ca2r4ly67wq0czr0ysvdrk8pnb0yk6yfi"; sha256 = "0if27znz528sir52y9i4gcfhdsym7yxiwjgffy9lpscf1426q56m";
}; };
nativeBuildInputs = [ pkgconfig ]; nativeBuildInputs = [ pkgconfig ];
buildInputs = [ buildInputs = [
boost mysql57.connector-c postgresql lua openldap sqlite protobuf geoip boost mysql57.connector-c postgresql lua openldap sqlite protobuf geoip
libyamlcpp libsodium curl opendbx unixODBC openssl systemd libyamlcpp libsodium curl unixODBC openssl systemd
]; ];
# nix destroy with-modules arguments, when using configureFlags # nix destroy with-modules arguments, when using configureFlags
preConfigure = '' preConfigure = ''
configureFlagsArray=( configureFlagsArray=(
"--with-modules=bind gmysql geoip godbc gpgsql gsqlite3 ldap lua mydns opendbx pipe random remote" "--with-modules=bind gmysql geoip godbc gpgsql gsqlite3 ldap lua2 pipe random remote"
--with-sqlite3 --with-sqlite3
--with-socketdir=/var/lib/powerdns
--with-libcrypto=${openssl.dev} --with-libcrypto=${openssl.dev}
--with-libsodium --with-libsodium
--enable-tools --enable-tools