diff options
author | Marc 'risson' Schmitt <marc.schmitt@risson.space> | 2020-02-08 20:17:23 +0100 |
---|---|---|
committer | Marc 'risson' Schmitt <marc.schmitt@risson.space> | 2021-05-03 21:27:15 +0200 |
commit | 52f6733203397c79b866b0b4f7ee33b952414e2e (patch) | |
tree | 5d6bb9e834f16dc8eb7a530363ca255c2ea5c6bd /nixos/tests/unbound.nix | |
parent | 62f241d4457381b1a0cdd0903501ad5f90e888c1 (diff) | |
download | nixpkgs-52f6733203397c79b866b0b4f7ee33b952414e2e.tar nixpkgs-52f6733203397c79b866b0b4f7ee33b952414e2e.tar.gz nixpkgs-52f6733203397c79b866b0b4f7ee33b952414e2e.tar.bz2 nixpkgs-52f6733203397c79b866b0b4f7ee33b952414e2e.tar.lz nixpkgs-52f6733203397c79b866b0b4f7ee33b952414e2e.tar.xz nixpkgs-52f6733203397c79b866b0b4f7ee33b952414e2e.tar.zst nixpkgs-52f6733203397c79b866b0b4f7ee33b952414e2e.zip |
nixos/unbound: deprecate extraConfig in favor of settings
Follow RFC 42 by having a settings option that is then converted into an unbound configuration file instead of having an extraConfig option. Existing options have been renamed or kept if possible. An enableRemoteAccess has been added. It sets remote-control setting to true in unbound.conf which in turn enables the new wrapping of unbound-control to access the server locally. Also includes options 'remoteAccessInterfaces' and 'remoteAccessPort' for remote access. Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Diffstat (limited to 'nixos/tests/unbound.nix')
-rw-r--r-- | nixos/tests/unbound.nix | 68 |
1 files changed, 40 insertions, 28 deletions
diff --git a/nixos/tests/unbound.nix b/nixos/tests/unbound.nix index ca9718ac633..e24c3ef6c99 100644 --- a/nixos/tests/unbound.nix +++ b/nixos/tests/unbound.nix @@ -61,13 +61,16 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: services.unbound = { enable = true; - interfaces = [ "192.168.0.1" "fd21::1" "::1" "127.0.0.1" ]; - allowedAccess = [ "192.168.0.0/24" "fd21::/64" "::1" "127.0.0.0/8" ]; - extraConfig = '' - server: - local-data: "example.local. IN A 1.2.3.4" - local-data: "example.local. IN AAAA abcd::eeff" - ''; + settings = { + server = { + interface = [ "192.168.0.1" "fd21::1" "::1" "127.0.0.1" ]; + access-control = [ "192.168.0.0/24 allow" "fd21::/64 allow" "::1 allow" "127.0.0.0/8 allow" ]; + local-data = [ + ''"example.local. IN A 1.2.3.4"'' + ''"example.local. IN AAAA abcd::eeff"'' + ]; + }; + }; }; }; @@ -90,19 +93,25 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: services.unbound = { enable = true; - allowedAccess = [ "192.168.0.0/24" "fd21::/64" "::1" "127.0.0.0/8" ]; - interfaces = [ "::1" "127.0.0.1" "192.168.0.2" "fd21::2" - "192.168.0.2@853" "fd21::2@853" "::1@853" "127.0.0.1@853" - "192.168.0.2@443" "fd21::2@443" "::1@443" "127.0.0.1@443" ]; - forwardAddresses = [ - (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv6.addresses).address - (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv4.addresses).address - ]; - extraConfig = '' - server: - tls-service-pem: ${cert}/cert.pem - tls-service-key: ${cert}/key.pem - ''; + settings = { + server = { + interface = [ "::1" "127.0.0.1" "192.168.0.2" "fd21::2" + "192.168.0.2@853" "fd21::2@853" "::1@853" "127.0.0.1@853" + "192.168.0.2@443" "fd21::2@443" "::1@443" "127.0.0.1@443" ]; + access-control = [ "192.168.0.0/24 allow" "fd21::/64 allow" "::1 allow" "127.0.0.0/8 allow" ]; + tls-service-pem = "${cert}/cert.pem"; + tls-service-key = "${cert}/key.pem"; + }; + forward-zone = [ + { + name = "."; + forward-addr = [ + (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv6.addresses).address + (lib.head nodes.authoritative.config.networking.interfaces.eth1.ipv4.addresses).address + ]; + } + ]; + }; }; }; @@ -122,12 +131,14 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: services.unbound = { enable = true; - allowedAccess = [ "::1" "127.0.0.0/8" ]; - interfaces = [ "::1" "127.0.0.1" ]; + settings = { + server = { + interface = [ "::1" "127.0.0.1" ]; + access-control = [ "::1 allow" "127.0.0.0/8 allow" ]; + }; + include = "/etc/unbound/extra*.conf"; + }; localControlSocketPath = "/run/unbound/unbound.ctl"; - extraConfig = '' - include: "/etc/unbound/extra*.conf" - ''; }; users.users = { @@ -143,12 +154,13 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: unauthorizeduser = { isSystemUser = true; }; }; + # Used for testing configuration reloading environment.etc = { "unbound-extra1.conf".text = '' forward-zone: - name: "example.local." - forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address} - forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address} + name: "example.local." + forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv6.addresses).address} + forward-addr: ${(lib.head nodes.resolver.config.networking.interfaces.eth1.ipv4.addresses).address} ''; "unbound-extra2.conf".text = '' auth-zone: |