Merge pull request #13000 from mayflower/feat/unbound-dnssec
unbound: 1.5.3 -> 1.5.7, hardening, DNSSEC support & cleanup
This commit is contained in:
commit
932d2cbd2c
@ -16,6 +16,11 @@ let
|
||||
"forward-zone:\n name: .\n" +
|
||||
concatMapStrings (x: " forward-addr: ${x}\n") cfg.forwardAddresses;
|
||||
|
||||
rootTrustAnchorFile = "${stateDir}/root.key";
|
||||
|
||||
trustAnchor = optionalString cfg.enableRootTrustAnchor
|
||||
"auto-trust-anchor-file: ${rootTrustAnchorFile}";
|
||||
|
||||
confFile = pkgs.writeText "unbound.conf" ''
|
||||
server:
|
||||
directory: "${stateDir}"
|
||||
@ -24,6 +29,7 @@ let
|
||||
pidfile: ""
|
||||
${interfaces}
|
||||
${access}
|
||||
${trustAnchor}
|
||||
${cfg.extraConfig}
|
||||
${forward}
|
||||
'';
|
||||
@ -38,28 +44,39 @@ in
|
||||
services.unbound = {
|
||||
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
description = "Whether to enable the Unbound domain name server.";
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = "Whether to enable the Unbound domain name server.";
|
||||
};
|
||||
|
||||
allowedAccess = mkOption {
|
||||
default = ["127.0.0.0/24"];
|
||||
description = "What networks are allowed to use unbound as a resolver.";
|
||||
default = ["127.0.0.0/24"];
|
||||
type = types.listOf types.str;
|
||||
description = "What networks are allowed to use unbound as a resolver.";
|
||||
};
|
||||
|
||||
interfaces = mkOption {
|
||||
default = [ "127.0.0.1" "::1" ];
|
||||
description = "What addresses the server should listen on.";
|
||||
default = [ "127.0.0.1" "::1" ];
|
||||
type = types.listOf types.str;
|
||||
description = "What addresses the server should listen on.";
|
||||
};
|
||||
|
||||
forwardAddresses = mkOption {
|
||||
default = [ ];
|
||||
description = "What servers to forward queries to.";
|
||||
default = [ ];
|
||||
type = types.listOf types.str;
|
||||
description = "What servers to forward queries to.";
|
||||
};
|
||||
|
||||
enableRootTrustAnchor = mkOption {
|
||||
default = true;
|
||||
type = types.bool;
|
||||
description = "Use and update root trust anchor for DNSSEC validation.";
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
default = "";
|
||||
description = "Extra lines of unbound config.";
|
||||
default = "";
|
||||
type = types.str;
|
||||
description = "Extra lines of unbound config.";
|
||||
};
|
||||
|
||||
};
|
||||
@ -88,9 +105,10 @@ in
|
||||
|
||||
preStart = ''
|
||||
mkdir -m 0755 -p ${stateDir}/dev/
|
||||
cp ${confFile} ${stateDir}/unbound.conf
|
||||
chown unbound ${stateDir}
|
||||
touch ${stateDir}/dev/random
|
||||
cp ${confFile} ${stateDir}/unbound.conf
|
||||
${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile}
|
||||
chown unbound ${stateDir} ${rootTrustAnchorFile}
|
||||
touch ${stateDir}/dev/random
|
||||
${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
|
||||
'';
|
||||
|
||||
|
@ -2,11 +2,11 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "unbound-${version}";
|
||||
version = "1.5.3";
|
||||
version = "1.5.7";
|
||||
|
||||
src = fetchurl {
|
||||
url = "http://unbound.net/downloads/${name}.tar.gz";
|
||||
sha256 = "1jly2apag4yg649w3flaq73wdrcfyxnhx5py9j73y7adxmswigbn";
|
||||
sha256 = "1a0wfgp6wqpf7cxlcbprqhnjx6z9ywf0rhrpcf7x98l1mbjqh82b";
|
||||
};
|
||||
|
||||
buildInputs = [ openssl expat libevent ];
|
||||
@ -17,15 +17,17 @@ stdenv.mkDerivation rec {
|
||||
"--with-libevent=${libevent}"
|
||||
"--localstatedir=/var"
|
||||
"--sysconfdir=/etc"
|
||||
"--enable-pie"
|
||||
"--enable-relro-now"
|
||||
];
|
||||
|
||||
installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ];
|
||||
|
||||
meta = {
|
||||
meta = with stdenv.lib; {
|
||||
description = "Validating, recursive, and caching DNS resolver";
|
||||
license = stdenv.lib.licenses.bsd3;
|
||||
license = licenses.bsd3;
|
||||
homepage = http://www.unbound.net;
|
||||
maintainers = [ stdenv.lib.maintainers.ehmry ];
|
||||
maintainers = with maintainers; [ ehmry fpletz ];
|
||||
platforms = stdenv.lib.platforms.unix;
|
||||
};
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user