Merge pull request #18630 from joachifm/unbound-improvements

Unbound service improvements
2016-09-17 10:56:42 +02:00 · 2016-09-17 10:56:42 +02:00 · e06ead81bf
commit e06ead81bf
parent d9a4d942ab 22d6c97855
2 changed files with 23 additions and 12 deletions
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -74,7 +74,6 @@
      rtkit = 45;
      dovecot2 = 46;
      dovenull2 = 47;
-      unbound = 48;
      prayer = 49;
      mpd = 50;
      clamav = 51;
@ -332,7 +331,6 @@
      #rtkit = 45; # unused
      dovecot2 = 46;
      #dovenull = 47; # unused
-      #unbound = 48; # unused
      prayer = 49;
      mpd = 50;
      clamav = 51;
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@ -12,9 +12,17 @@ let

  interfaces = concatMapStrings (x: "  interface: ${x}\n") cfg.interfaces;

-  forward = optionalString (length cfg.forwardAddresses != 0)
-    "forward-zone:\n  name: .\n" +
-    concatMapStrings (x: "  forward-addr: ${x}\n") cfg.forwardAddresses;
+  isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1";
+
+  forward =
+    optionalString (any isLocalAddress cfg.forwardAddresses) ''
+      do-not-query-localhost: no
+    '' +
+    optionalString (cfg.forwardAddresses != []) ''
+      forward-zone:
+        name: .
+    '' +
+    concatMapStringsSep "\n" (x: "    forward-addr: ${x}") cfg.forwardAddresses;

  rootTrustAnchorFile = "${stateDir}/root.key";

@ -72,7 +80,11 @@ in
      extraConfig = mkOption {
        default = "";
        type = types.str;
-        description = "Extra lines of unbound config.";
+        description = ''
+          Extra unbound config. See
+          <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8
+          </manvolnum></citerefentry>.
+        '';
      };

    };
@ -84,12 +96,9 @@ in

    environment.systemPackages = [ pkgs.unbound ];

-    users.extraUsers = singleton {
-      name = "unbound";
-      uid = config.ids.uids.unbound;
+    users.users.unbound = {
      description = "unbound daemon user";
-      home = stateDir;
-      createHome = true;
+      isSystemUser = true;
    };

    systemd.services.unbound = {
@ -107,12 +116,16 @@ in
        chown unbound ${stateDir} ${rootTrustAnchorFile}
        ''}
        touch ${stateDir}/dev/random
-        ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
+        ${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random
      '';

      serviceConfig = {
        ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf";
        ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";
+
+        ProtectSystem = true;
+        ProtectHome = true;
+        PrivateDevices = true;
      };
    };