blob: 30ce4b49fa8d2d7225349c8546bff011bb82d223 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.unbound;
username = "unbound";
stateDir = "/var/lib/unbound";
access = concatMapStrings (x: " access-control: ${x} allow\n") cfg.allowedAccess;
interfaces = concatMapStrings (x: " interface: ${x}\n") cfg.interfaces;
forward = optionalString (length cfg.forwardAddresses != 0)
"forward-zone:\n name: .\n" +
concatMapStrings (x: " forward-addr: ${x}\n") cfg.forwardAddresses;
confFile = pkgs.writeText "unbound.conf"
''
server:
directory: "${stateDir}"
username: ${username}
# make sure unbound can access entropy from inside the chroot.
# e.g. on linux the use these commands (on BSD, devfs(8) is used):
# mount --bind -n /dev/random /etc/unbound/dev/random
# and mount --bind -n /dev/log /etc/unbound/dev/log
chroot: "${stateDir}"
# logfile: "${stateDir}/unbound.log" #uncomment to use logfile.
pidfile: "${stateDir}/unbound.pid"
verbosity: 1 # uncomment and increase to get more logging.
# listen on all interfaces, answer queries from the local subnet.
${interfaces}
${access}
${forward}
${cfg.extraConfig}
'';
in
{
###### interface
options = {
services.unbound = {
enable = mkOption {
default = false;
description = "
Whether to enable the Unbound domain name server.
";
};
allowedAccess = mkOption {
default = ["127.0.0.0/24"];
description = "
What networks are allowed to use us as a resolver.
";
};
interfaces = mkOption {
default = [ "127.0.0.0" "::1" ];
description = "
What addresses the server should listen to.
";
};
forwardAddresses = mkOption {
default = [ ];
description = "
What servers to forward the queries to.
";
};
extraConfig = mkOption {
default = "";
description = "
Extra unbound config
";
};
};
};
###### implementation
config = mkIf config.services.unbound.enable {
environment.systemPackages = [ pkgs.unbound ];
users.extraUsers = singleton
{ name = username;
uid = config.ids.uids.unbound;
description = "unbound daemon user";
home = "/tmp";
};
jobs.unbound =
{ description = "Unbound name server job";
preStart =
''
${pkgs.coreutils}/bin/mkdir -p ${stateDir}
'';
daemonType = "fork";
exec = "${pkgs.unbound}/sbin/unbound -c ${confFile}";
};
};
}
|