authorEmery Hemingway <ehmry@posteo.net>2021-05-28 22:01:25 +0200
committerehmry <ehmry@posteo.net>2021-12-25 12:07:06 +0100
commit02cb654a4dad3b6fb1924cc5d46bad1e1b5218ef (patch)
treeb4cb3b3b58f718249183c1e05a23e7f19801f58f /nixos
parentb679d2d97d63ea4d0dfe6646153f85eedf26454b (diff)
nixos/stubby: reduce to a settings-style configuration
Expose the package's example configuration as the module's working example, and stop adding pkgs.stubby to `environment.systemPackages`.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2205.section.xml8
-rw-r--r--nixos/doc/manual/release-notes/rl-2205.section.md2
-rw-r--r--nixos/modules/services/networking/stubby.nix220
3 files changed, 56 insertions, 174 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index ae6ff9d434ae..d5e3190bf288 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -190,6 +190,14 @@
usage in non-X11 environments, e.g. Wayland.
</para>
</listitem>
+ <listitem>
+ <para>
+ The <literal>services.stubby</literal> module was converted to
+ a
+ <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">settings-style</link>
+ configuration.
+ </para>
+ </listitem>
</itemizedlist>
</section>
</section>
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 3e7f8d451b26..98709455ae74 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -78,3 +78,5 @@ In addition to numerous new and upgraded packages, this release has the followin
added, decoupling the setting of `SSH_ASKPASS` from
`services.xserver.enable`. This allows easy usage in non-X11 environments,
e.g. Wayland.
+
+- The `services.stubby` module was converted to a [settings-style](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
diff --git a/nixos/modules/services/networking/stubby.nix b/nixos/modules/services/networking/stubby.nix
index c5e0f929a126..78c13798dde2 100644
--- a/nixos/modules/services/networking/stubby.nix
+++ b/nixos/modules/services/networking/stubby.nix
@@ -1,180 +1,51 @@
-{ config, lib, pkgs, ...}:
+{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.stubby;
+ settingsFormat = pkgs.formats.yaml { };
+ confFile = settingsFormat.generate "stubby.yml" cfg.settings;
+in {
+ imports = map (x:
+ (mkRemovedOptionModule [ "services" "stubby" x ]
+ "Stubby configuration moved to services.stubby.settings.")) [
+ "authenticationMode"
+ "fallbackProtocols"
+ "idleTimeout"
+ "listenAddresses"
+ "queryPaddingBlocksize"
+ "roundRobinUpstreams"
+ "subnetPrivate"
+ "upstreamServers"
+ ];
- fallbacks = concatMapStringsSep "\n " (x: "- ${x}") cfg.fallbackProtocols;
- listeners = concatMapStringsSep "\n " (x: "- ${x}") cfg.listenAddresses;
-
- # By default, the recursive resolvers maintained by the getdns
- # project itself are enabled. More information about both getdns's servers,
- # as well as third party options for upstream resolvers, can be found here:
- # https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
- #
- # You can override these values by supplying a yaml-formatted array of your
- # preferred upstream resolvers in the following format:
- #
- # 106 # - address_data: IPv4 or IPv6 address of the upstream
- # port: Port for UDP/TCP (default is 53)
- # tls_auth_name: Authentication domain name checked against the server
- # certificate
- # tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
- # certificate
- # - digest: Only "sha256" is currently supported
- # value: Base64 encoded value of the sha256 fingerprint of the public
- # key
- # tls_port: Port for TLS (default is 853)
-
- defaultUpstream = ''
- - address_data: 145.100.185.15
- tls_auth_name: "dnsovertls.sinodun.com"
- tls_pubkey_pinset:
- - digest: "sha256"
- value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- - address_data: 145.100.185.16
- tls_auth_name: "dnsovertls1.sinodun.com"
- tls_pubkey_pinset:
- - digest: "sha256"
- value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
- - address_data: 185.49.141.37
- tls_auth_name: "getdnsapi.net"
- tls_pubkey_pinset:
- - digest: "sha256"
- value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
- - address_data: 2001:610:1:40ba:145:100:185:15
- tls_auth_name: "dnsovertls.sinodun.com"
- tls_pubkey_pinset:
- - digest: "sha256"
- value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- - address_data: 2001:610:1:40ba:145:100:185:16
- tls_auth_name: "dnsovertls1.sinodun.com"
- tls_pubkey_pinset:
- - digest: "sha256"
- value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
- - address_data: 2a04:b900:0:100::38
- tls_auth_name: "getdnsapi.net"
- tls_pubkey_pinset:
- - digest: "sha256"
- value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
- '';
-
- # Resolution type is not changeable here because it is required per the
- # stubby documentation:
- #
- # "resolution_type: Work in stub mode only (not recursive mode) - required for Stubby
- # operation."
- #
- # https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
-
- confFile = pkgs.writeText "stubby.yml" ''
- resolution_type: GETDNS_RESOLUTION_STUB
- dns_transport_list:
- ${fallbacks}
- appdata_dir: "/var/cache/stubby"
- tls_authentication: ${cfg.authenticationMode}
- tls_query_padding_blocksize: ${toString cfg.queryPaddingBlocksize}
- edns_client_subnet_private: ${if cfg.subnetPrivate then "1" else "0"}
- idle_timeout: ${toString cfg.idleTimeout}
- listen_addresses:
- ${listeners}
- round_robin_upstreams: ${if cfg.roundRobinUpstreams then "1" else "0"}
- ${cfg.extraConfig}
- upstream_recursive_servers:
- ${cfg.upstreamServers}
- '';
-in
-
-{
options = {
services.stubby = {
enable = mkEnableOption "Stubby DNS resolver";
- fallbackProtocols = mkOption {
- default = [ "GETDNS_TRANSPORT_TLS" ];
- type = with types; listOf (enum [
- "GETDNS_TRANSPORT_TLS"
- "GETDNS_TRANSPORT_TCP"
- "GETDNS_TRANSPORT_UDP"
- ]);
- description = ''
- Ordered list composed of one or more transport protocols.
- Strict mode should only use <literal>GETDNS_TRANSPORT_TLS</literal>.
- Other options are <literal>GETDNS_TRANSPORT_UDP</literal> and
- <literal>GETDNS_TRANSPORT_TCP</literal>.
+ settings = mkOption {
+ type = types.attrsOf settingsFormat.type;
+ example = lib.literalExpression ''
+ pkgs.stubby.passthru.settingsExample // {
+ upstream_recursive_servers = [{
+ address_data = "158.64.1.29";
+ tls_auth_name = "kaitain.restena.lu";
+ tls_pubkey_pinset = [{
+ digest = "sha256";
+ value = "7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=";
+ }];
+ }];
+ };
'';
- };
-
- authenticationMode = mkOption {
- default = "GETDNS_AUTHENTICATION_REQUIRED";
- type = types.enum [
- "GETDNS_AUTHENTICATION_REQUIRED"
- "GETDNS_AUTHENTICATION_NONE"
- ];
description = ''
- Selects the Strict or Opportunistic usage profile.
- For strict, set to <literal>GETDNS_AUTHENTICATION_REQUIRED</literal>.
- for opportunistic, use <literal>GETDNS_AUTHENTICATION_NONE</literal>.
- '';
- };
-
- queryPaddingBlocksize = mkOption {
- default = 128;
- type = types.int;
- description = ''
- EDNS0 option to pad the size of the DNS query to the given blocksize.
- '';
- };
-
- subnetPrivate = mkOption {
- default = true;
- type = types.bool;
- description = ''
- EDNS0 option for ECS client privacy. Default is
- <literal>true</literal>. If set, this option prevents the client
- subnet from being sent to authoritative nameservers.
- '';
- };
-
- idleTimeout = mkOption {
- default = 10000;
- type = types.int;
- description = "EDNS0 option for keepalive idle timeout expressed in
- milliseconds.";
- };
-
- listenAddresses = mkOption {
- default = [ "127.0.0.1" "0::1" ];
- type = with types; listOf str;
- description = ''
- Sets the listen address for the stubby daemon.
- Uses port 53 by default.
- Ise IP@port to specify a different port.
- '';
- };
-
- roundRobinUpstreams = mkOption {
- default = true;
- type = types.bool;
- description = ''
- Instructs stubby to distribute queries across all available name
- servers. Default is <literal>true</literal>. Set to
- <literal>false</literal> in order to use the first available.
- '';
- };
-
- upstreamServers = mkOption {
- default = defaultUpstream;
- type = types.lines;
- description = ''
- Replace default upstreams. See <citerefentry><refentrytitle>stubby
- </refentrytitle><manvolnum>1</manvolnum></citerefentry> for an
- example of the entry formatting. In Strict mode, at least one of the
- following settings must be supplied for each nameserver:
- <literal>tls_auth_name</literal> or
- <literal>tls_pubkey_pinset</literal>.
+ Content of the Stubby configuration file. All Stubby settings may be set or queried
+ here. The default settings are available at
+ <literal>pkgs.stubby.passthru.settingsExample</literal>. See
+ <link xlink:href="https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby"/>.
+ A list of the public recursive servers can be found here:
+ <link xlink:href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers"/>.
'';
};
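Review bot: The `settings` option description does not say that the strict usage profile the module previously enforced by default (`authenticationMode` defaulting to `GETDNS_AUTHENTICATION_REQUIRED`, `fallbackProtocols` to TLS only) is now entirely the user's responsibility, so a configuration that omits `tls_authentication` or lists UDP/TCP in `dns_transport_list` falls back to whatever Stubby's own default is, which as far as I recall is the opportunistic, unauthenticated profile. I would add to the description: `To keep the strict profile the module used to enforce, set tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED" and restrict dns_transport_list to [ "GETDNS_TRANSPORT_TLS" ]; each upstream then needs tls_auth_name and/or tls_pubkey_pinset.` The example pins a single SPKI hash for kaitain.restena.lu; one sentence noting that pinsets must be maintained because they break resolution when the operator rotates keys, and that `tls_auth_name` alone is the lower-maintenance choice, would help. Whether `pkgs.stubby.passthru.settingsExample` itself carries the strict settings is not visible in this hunk.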
@@ -184,20 +55,21 @@ in
description = "Enable or disable debug level logging.";
};
- extraConfig = mkOption {
- default = "";
- type = types.lines;
- description = ''
- Add additional configuration options. see <citerefentry>
- <refentrytitle>stubby</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry>for more options.
- '';
- };
};
};
config = mkIf cfg.enable {
- environment.systemPackages = [ pkgs.stubby ];
+ assertions = [{
+ assertion =
+ (cfg.settings.resolution_type or "") == "GETDNS_RESOLUTION_STUB";
+ message = ''
+ services.stubby.settings.resolution_type must be set to "GETDNS_RESOLUTION_STUB".
+ Is services.stubby.settings unset?
+ '';
+ }];
+
+ services.stubby.settings.appdata_dir = "/var/cache/stubby";
+
systemd.services.stubby = {
description = "Stubby local DNS resolver";
after = [ "network.target" ];
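Review bot: `services.stubby.settings.appdata_dir = "/var/cache/stubby";` is a plain definition, so a user who also sets `appdata_dir` in their `settings` gets a conflicting-definition evaluation error instead of an override; unless the path is meant to be fixed because the unit provisions it (the `serviceConfig` is past the end of this hunk, so I cannot tell), it should be `services.stubby.settings.appdata_dir = mkDefault "/var/cache/stubby";`. The same `mkDefault` pattern would be a cheap way to keep the strict profile the removed options enforced, e.g. `services.stubby.settings.tls_authentication = mkDefault "GETDNS_AUTHENTICATION_REQUIRED";`, while still letting users opt into opportunistic mode. The assertion on `resolution_type` works as a sentinel for an unset `settings`, but its message could point at `pkgs.stubby.passthru.settingsExample` as the complete starting point rather than only asking whether `settings` is unset. The `systemd.services.stubby` definition continues beyond the hunk.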