author | Emery Hemingway <emery@vfemail.net> | 2014-08-26 21:24:09 -0400 |
---|---|---|
committer | Emery Hemingway <emery@vfemail.net> | 2014-08-26 21:24:09 -0400 |
commit | aedbfdff8485044529953585bc7d042ece080b00 (patch) | |
tree | d7ddcb8ac61c02d7b1e36bb1aef1d2017d80d667 /nixos/modules/services/networking/unbound.nix | |
parent | 686fa594ab63d117416ab1199ac2daf22a466709 (diff) | |
unbound: run in chroot
Diffstat (limited to 'nixos/modules/services/networking/unbound.nix')
-rw-r--r-- | nixos/modules/services/networking/unbound.nix | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix
index 415ff13bdda..73b10c1d561 100644
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -6,8 +6,6 @@ let
 cfg = config.services.unbound;
- username = "unbound";
- stateDir = "/var/lib/unbound";
 access = concatMapStrings (x: " access-control: ${x} allow\n") cfg.allowedAccess;
@@ -21,21 +19,13 @@ let
 confFile = pkgs.writeText "unbound.conf" ''
 server:
 directory: "${stateDir}"
- username: ${username}
- # make sure unbound can access entropy from inside the chroot.
- # e.g. on linux the use these commands (on BSD, devfs(8) is used):
- # mount --bind -n /dev/random /etc/unbound/dev/random
- # and mount --bind -n /dev/log /etc/unbound/dev/log
+ username: unbound
 chroot: "${stateDir}"
- # logfile: "${stateDir}/unbound.log" #uncomment to use logfile.
- pidfile: "${stateDir}/unbound.pid"
- verbosity: 1 # uncomment and increase to get more logging.
+ pidfile: ""
 ${interfaces}
 ${access}
-
- ${forward}
- ${cfg.extraConfig}
+ ${forward}
 '';
 in
@@ -82,7 +72,7 @@ in
 environment.systemPackages = [ pkgs.unbound ];
 users.extraUsers = singleton {
- name = username;
+ name = "unbound";
 uid = config.ids.uids.unbound;
 description = "unbound daemon user";
 home = stateDir;
@@ -96,8 +86,18 @@ in
 wants = [" nss-lookup.target" ];
 wantedBy = [ "multi-user.target" ];
- path = [ pkgs.unbound ];
- serviceConfig.ExecStart = "${pkgs.unbound}/sbin/unbound -d -c ${confFile}";
+ preStart = ''
+ mkdir -m 0755 -p ${stateDir}/dev/
+ cp ${confFile} ${stateDir}/unbound.conf
+ chown unbound ${stateDir}
+ touch ${stateDir}/dev/random
+ ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
+ '';
+
+ serviceConfig = {
+ ExecStart = "${pkgs.unbound}/sbin/unbound -d -c ${stateDir}/unbound.conf";
+ ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";
+ };
 };
 };
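Review bot: The `stateDir` binding removed by the second `-` line of the first hunk is still referenced everywhere else in this change (`directory:` and `chroot:` in confFile, `home = stateDir`, and every path in preStart, ExecStart and ExecStopPost), so unless it is re-bound somewhere outside the visible hunks the module stops evaluating with an undefined-variable error. Dropping `username` is fine because both of its uses are now inlined as the literal `unbound`, but `stateDir` should stay in the `let`: `stateDir = "/var/lib/unbound";`. The enclosing `let` block continues past the end of this hunk.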
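Review bot: In the confFile hunk the single `+ ${forward}` line replaces three removed lines and leaves `${cfg.extraConfig}` out of the generated unbound.conf, so anything a user puts in `services.unbound.extraConfig` no longer reaches the daemon; the option declaration is outside these hunks, so if it is still declared this is a silent regression rather than an evaluation error. Keep it as the last line of the `server:` block, after `${forward}`: `${cfg.extraConfig}`. The removed comment block also described bind-mounting /dev/log into the chroot, and nothing in this change provides it, so it is worth confirming that unbound's default syslog logging still works once it has chrooted into `${stateDir}`.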
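Review bot: `chown unbound ${stateDir}` in the new preStart hands the chroot root to the unprivileged daemon user, while the root-run `cp`, `touch` and `mount --bind` on the neighbouring lines resolve paths under that directory on every start, so a compromised unbound could replace `unbound.conf` or `dev` with a symlink and have root follow it at the next restart. As far as this configuration shows, unbound writes nothing there (`pidfile: ""`, no trust-anchor file), so the chroot root and the copied config can stay root-owned and world-readable. The bind mount is also not idempotent: if `umount` ever fails or is skipped, the next start stacks a second mount that a single ExecStopPost will not undo. The rewrite below drops the chown, installs the config with a fresh inode (GNU `install` unlinks the destination first) and skips the mount when one is already present; `ExecStopPost="…"` could also take the same spacing as `ExecStart = …`. The enclosing `systemd.services.unbound` attribute set starts outside this hunk.
```nix
      preStart = ''
        mkdir -m 0755 -p ${stateDir}/dev/
        # ${stateDir} is the chroot root: keep it and the config root-owned so the
        # daemon cannot plant symlinks for the root-run commands below to follow.
        install -m 0644 ${confFile} ${stateDir}/unbound.conf
        touch ${stateDir}/dev/random
        ${pkgs.utillinux}/bin/mountpoint -q ${stateDir}/dev/random || \
          ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
      '';
      # … unchanged: serviceConfig …
```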