nixos/stubby: reduce to a settings-style configuration
Extract the example configuration from the package to provide a working example. Remove pkgs.stubby from `environment.systemPackages`.
This commit is contained in:
parent
b679d2d97d
commit
02cb654a4d
|
@ -190,6 +190,14 @@
|
||||||
usage in non-X11 environments, e.g. Wayland.
|
usage in non-X11 environments, e.g. Wayland.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The <literal>services.stubby</literal> module was converted to
|
||||||
|
a
|
||||||
|
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">settings-style</link>
|
||||||
|
configuration.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
|
@ -78,3 +78,5 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||||
added, decoupling the setting of `SSH_ASKPASS` from
|
added, decoupling the setting of `SSH_ASKPASS` from
|
||||||
`services.xserver.enable`. This allows easy usage in non-X11 environments,
|
`services.xserver.enable`. This allows easy usage in non-X11 environments,
|
||||||
e.g. Wayland.
|
e.g. Wayland.
|
||||||
|
|
||||||
|
- The `services.stubby` module was converted to a [settings-style](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
|
||||||
|
|
|
@ -4,177 +4,48 @@ with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.services.stubby;
|
cfg = config.services.stubby;
|
||||||
|
settingsFormat = pkgs.formats.yaml { };
|
||||||
|
confFile = settingsFormat.generate "stubby.yml" cfg.settings;
|
||||||
|
in {
|
||||||
|
imports = map (x:
|
||||||
|
(mkRemovedOptionModule [ "services" "stubby" x ]
|
||||||
|
"Stubby configuration moved to services.stubby.settings.")) [
|
||||||
|
"authenticationMode"
|
||||||
|
"fallbackProtocols"
|
||||||
|
"idleTimeout"
|
||||||
|
"listenAddresses"
|
||||||
|
"queryPaddingBlocksize"
|
||||||
|
"roundRobinUpstreams"
|
||||||
|
"subnetPrivate"
|
||||||
|
"upstreamServers"
|
||||||
|
];
|
||||||
|
|
||||||
fallbacks = concatMapStringsSep "\n " (x: "- ${x}") cfg.fallbackProtocols;
|
|
||||||
listeners = concatMapStringsSep "\n " (x: "- ${x}") cfg.listenAddresses;
|
|
||||||
|
|
||||||
# By default, the recursive resolvers maintained by the getdns
|
|
||||||
# project itself are enabled. More information about both getdns's servers,
|
|
||||||
# as well as third party options for upstream resolvers, can be found here:
|
|
||||||
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
|
|
||||||
#
|
|
||||||
# You can override these values by supplying a yaml-formatted array of your
|
|
||||||
# preferred upstream resolvers in the following format:
|
|
||||||
#
|
|
||||||
# 106 # - address_data: IPv4 or IPv6 address of the upstream
|
|
||||||
# port: Port for UDP/TCP (default is 53)
|
|
||||||
# tls_auth_name: Authentication domain name checked against the server
|
|
||||||
# certificate
|
|
||||||
# tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
|
|
||||||
# certificate
|
|
||||||
# - digest: Only "sha256" is currently supported
|
|
||||||
# value: Base64 encoded value of the sha256 fingerprint of the public
|
|
||||||
# key
|
|
||||||
# tls_port: Port for TLS (default is 853)
|
|
||||||
|
|
||||||
defaultUpstream = ''
|
|
||||||
- address_data: 145.100.185.15
|
|
||||||
tls_auth_name: "dnsovertls.sinodun.com"
|
|
||||||
tls_pubkey_pinset:
|
|
||||||
- digest: "sha256"
|
|
||||||
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
|
|
||||||
- address_data: 145.100.185.16
|
|
||||||
tls_auth_name: "dnsovertls1.sinodun.com"
|
|
||||||
tls_pubkey_pinset:
|
|
||||||
- digest: "sha256"
|
|
||||||
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
|
|
||||||
- address_data: 185.49.141.37
|
|
||||||
tls_auth_name: "getdnsapi.net"
|
|
||||||
tls_pubkey_pinset:
|
|
||||||
- digest: "sha256"
|
|
||||||
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
|
|
||||||
- address_data: 2001:610:1:40ba:145:100:185:15
|
|
||||||
tls_auth_name: "dnsovertls.sinodun.com"
|
|
||||||
tls_pubkey_pinset:
|
|
||||||
- digest: "sha256"
|
|
||||||
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
|
|
||||||
- address_data: 2001:610:1:40ba:145:100:185:16
|
|
||||||
tls_auth_name: "dnsovertls1.sinodun.com"
|
|
||||||
tls_pubkey_pinset:
|
|
||||||
- digest: "sha256"
|
|
||||||
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
|
|
||||||
- address_data: 2a04:b900:0:100::38
|
|
||||||
tls_auth_name: "getdnsapi.net"
|
|
||||||
tls_pubkey_pinset:
|
|
||||||
- digest: "sha256"
|
|
||||||
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Resolution type is not changeable here because it is required per the
|
|
||||||
# stubby documentation:
|
|
||||||
#
|
|
||||||
# "resolution_type: Work in stub mode only (not recursive mode) - required for Stubby
|
|
||||||
# operation."
|
|
||||||
#
|
|
||||||
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
|
|
||||||
|
|
||||||
confFile = pkgs.writeText "stubby.yml" ''
|
|
||||||
resolution_type: GETDNS_RESOLUTION_STUB
|
|
||||||
dns_transport_list:
|
|
||||||
${fallbacks}
|
|
||||||
appdata_dir: "/var/cache/stubby"
|
|
||||||
tls_authentication: ${cfg.authenticationMode}
|
|
||||||
tls_query_padding_blocksize: ${toString cfg.queryPaddingBlocksize}
|
|
||||||
edns_client_subnet_private: ${if cfg.subnetPrivate then "1" else "0"}
|
|
||||||
idle_timeout: ${toString cfg.idleTimeout}
|
|
||||||
listen_addresses:
|
|
||||||
${listeners}
|
|
||||||
round_robin_upstreams: ${if cfg.roundRobinUpstreams then "1" else "0"}
|
|
||||||
${cfg.extraConfig}
|
|
||||||
upstream_recursive_servers:
|
|
||||||
${cfg.upstreamServers}
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
|
|
||||||
{
|
|
||||||
options = {
|
options = {
|
||||||
services.stubby = {
|
services.stubby = {
|
||||||
|
|
||||||
enable = mkEnableOption "Stubby DNS resolver";
|
enable = mkEnableOption "Stubby DNS resolver";
|
||||||
|
|
||||||
fallbackProtocols = mkOption {
|
settings = mkOption {
|
||||||
default = [ "GETDNS_TRANSPORT_TLS" ];
|
type = types.attrsOf settingsFormat.type;
|
||||||
type = with types; listOf (enum [
|
example = lib.literalExpression ''
|
||||||
"GETDNS_TRANSPORT_TLS"
|
pkgs.stubby.passthru.settingsExample // {
|
||||||
"GETDNS_TRANSPORT_TCP"
|
upstream_recursive_servers = [{
|
||||||
"GETDNS_TRANSPORT_UDP"
|
address_data = "158.64.1.29";
|
||||||
]);
|
tls_auth_name = "kaitain.restena.lu";
|
||||||
description = ''
|
tls_pubkey_pinset = [{
|
||||||
Ordered list composed of one or more transport protocols.
|
digest = "sha256";
|
||||||
Strict mode should only use <literal>GETDNS_TRANSPORT_TLS</literal>.
|
value = "7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=";
|
||||||
Other options are <literal>GETDNS_TRANSPORT_UDP</literal> and
|
}];
|
||||||
<literal>GETDNS_TRANSPORT_TCP</literal>.
|
}];
|
||||||
|
};
|
||||||
'';
|
'';
|
||||||
};
|
|
||||||
|
|
||||||
authenticationMode = mkOption {
|
|
||||||
default = "GETDNS_AUTHENTICATION_REQUIRED";
|
|
||||||
type = types.enum [
|
|
||||||
"GETDNS_AUTHENTICATION_REQUIRED"
|
|
||||||
"GETDNS_AUTHENTICATION_NONE"
|
|
||||||
];
|
|
||||||
description = ''
|
description = ''
|
||||||
Selects the Strict or Opportunistic usage profile.
|
Content of the Stubby configuration file. All Stubby settings may be set or queried
|
||||||
For strict, set to <literal>GETDNS_AUTHENTICATION_REQUIRED</literal>.
|
here. The default settings are available at
|
||||||
for opportunistic, use <literal>GETDNS_AUTHENTICATION_NONE</literal>.
|
<literal>pkgs.stubby.passthru.settingsExample</literal>. See
|
||||||
'';
|
<link xlink:href="https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby"/>.
|
||||||
};
|
A list of the public recursive servers can be found here:
|
||||||
|
<link xlink:href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers"/>.
|
||||||
queryPaddingBlocksize = mkOption {
|
|
||||||
default = 128;
|
|
||||||
type = types.int;
|
|
||||||
description = ''
|
|
||||||
EDNS0 option to pad the size of the DNS query to the given blocksize.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
subnetPrivate = mkOption {
|
|
||||||
default = true;
|
|
||||||
type = types.bool;
|
|
||||||
description = ''
|
|
||||||
EDNS0 option for ECS client privacy. Default is
|
|
||||||
<literal>true</literal>. If set, this option prevents the client
|
|
||||||
subnet from being sent to authoritative nameservers.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
idleTimeout = mkOption {
|
|
||||||
default = 10000;
|
|
||||||
type = types.int;
|
|
||||||
description = "EDNS0 option for keepalive idle timeout expressed in
|
|
||||||
milliseconds.";
|
|
||||||
};
|
|
||||||
|
|
||||||
listenAddresses = mkOption {
|
|
||||||
default = [ "127.0.0.1" "0::1" ];
|
|
||||||
type = with types; listOf str;
|
|
||||||
description = ''
|
|
||||||
Sets the listen address for the stubby daemon.
|
|
||||||
Uses port 53 by default.
|
|
||||||
Ise IP@port to specify a different port.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
roundRobinUpstreams = mkOption {
|
|
||||||
default = true;
|
|
||||||
type = types.bool;
|
|
||||||
description = ''
|
|
||||||
Instructs stubby to distribute queries across all available name
|
|
||||||
servers. Default is <literal>true</literal>. Set to
|
|
||||||
<literal>false</literal> in order to use the first available.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
upstreamServers = mkOption {
|
|
||||||
default = defaultUpstream;
|
|
||||||
type = types.lines;
|
|
||||||
description = ''
|
|
||||||
Replace default upstreams. See <citerefentry><refentrytitle>stubby
|
|
||||||
</refentrytitle><manvolnum>1</manvolnum></citerefentry> for an
|
|
||||||
example of the entry formatting. In Strict mode, at least one of the
|
|
||||||
following settings must be supplied for each nameserver:
|
|
||||||
<literal>tls_auth_name</literal> or
|
|
||||||
<literal>tls_pubkey_pinset</literal>.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -184,20 +55,21 @@ in
|
||||||
description = "Enable or disable debug level logging.";
|
description = "Enable or disable debug level logging.";
|
||||||
};
|
};
|
||||||
|
|
||||||
extraConfig = mkOption {
|
|
||||||
default = "";
|
|
||||||
type = types.lines;
|
|
||||||
description = ''
|
|
||||||
Add additional configuration options. see <citerefentry>
|
|
||||||
<refentrytitle>stubby</refentrytitle><manvolnum>1</manvolnum>
|
|
||||||
</citerefentry>for more options.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
environment.systemPackages = [ pkgs.stubby ];
|
assertions = [{
|
||||||
|
assertion =
|
||||||
|
(cfg.settings.resolution_type or "") == "GETDNS_RESOLUTION_STUB";
|
||||||
|
message = ''
|
||||||
|
services.stubby.settings.resolution_type must be set to "GETDNS_RESOLUTION_STUB".
|
||||||
|
Is services.stubby.settings unset?
|
||||||
|
'';
|
||||||
|
}];
|
||||||
|
|
||||||
|
services.stubby.settings.appdata_dir = "/var/cache/stubby";
|
||||||
|
|
||||||
systemd.services.stubby = {
|
systemd.services.stubby = {
|
||||||
description = "Stubby local DNS resolver";
|
description = "Stubby local DNS resolver";
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
|
|
Loading…
Reference in a new issue