unbound service: convenient handling of local forward addresses

do-not-query-localhost defaults to yes; with this patch, unbound is configured to query localhost if any of the forward addresses are local.
2016-08-30 19:20:08 +02:00 · 2016-08-30 19:20:08 +02:00 · 7980523e00
commit 7980523e00
parent fa787da36f
1 changed files with 11 additions and 3 deletions
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@ -12,9 +12,17 @@ let

  interfaces = concatMapStrings (x: "  interface: ${x}\n") cfg.interfaces;

-  forward = optionalString (length cfg.forwardAddresses != 0)
-    "forward-zone:\n  name: .\n" +
-    concatMapStrings (x: "  forward-addr: ${x}\n") cfg.forwardAddresses;
+  isLocalAddress = x: substring 0 9 x == "127.0.0.1";
+
+  forward =
+    optionalString (any isLocalAddress cfg.forwardAddresses) ''
+      do-not-query-localhost: no
+    '' +
+    optionalString (cfg.forwardAddresses != []) ''
+      forward-zone:
+        name: .
+    '' +
+    concatMapStringsSep "\n" (x: "    forward-addr: ${x}") cfg.forwardAddresses;

  rootTrustAnchorFile = "${stateDir}/root.key";