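{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.stubby;
  settingsFormat = pkgs.formats.yaml { };
  # Rendered once into the Nix store. Store paths are world-readable, so the
  # settings must never carry secrets (a normal stubby.yml has none).
  confFile = settingsFormat.generate "stubby.yml" cfg.settings;
in {
  # The former per-option interface was folded into `services.stubby.settings`.
  # Any of these still set in a user config fails evaluation with a pointer to
  # the new location instead of being silently ignored.
  imports = map (x:
    (mkRemovedOptionModule [ "services" "stubby" x ]
      "Stubby configuration moved to services.stubby.settings.")) [
        "authenticationMode"
        "fallbackProtocols"
        "idleTimeout"
        "listenAddresses"
        "queryPaddingBlocksize"
        "roundRobinUpstreams"
        "subnetPrivate"
        "upstreamServers"
      ];

  options = {
    services.stubby = {

      enable = mkEnableOption (lib.mdDoc "Stubby DNS resolver");

      settings = mkOption {
        type = types.attrsOf settingsFormat.type;
        example = lib.literalExpression ''
          pkgs.stubby.passthru.settingsExample // {
            upstream_recursive_servers = [{
              address_data = "158.64.1.29";
              tls_auth_name = "kaitain.restena.lu";
              tls_pubkey_pinset = [{
                digest = "sha256";
                value = "7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=";
              }];
            }];
          };
        '';
        description = lib.mdDoc ''
          Content of the Stubby configuration file. All Stubby settings may be set or queried
          here. The default settings are available at
          `pkgs.stubby.passthru.settingsExample`. See
          <https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby>.
          A list of the public recursive servers can be found here:
          <https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers>.

          The generated `stubby.yml` is written to the world-readable Nix store,
          so do not put secrets in it. `resolution_type` must be
          `"GETDNS_RESOLUTION_STUB"` (checked by an assertion), and
          `appdata_dir` is set by this module to the service's cache
          directory. A warning is emitted when `tls_authentication` is not
          `"GETDNS_AUTHENTICATION_REQUIRED"`, because in that (opportunistic)
          mode upstream TLS certificates are not verified.
        '';
      };

      debugLogging = mkOption {
        default = false;
        type = types.bool;
        description = lib.mdDoc "Enable or disable debug level logging.";
      };

    };
  };

  config = mkIf cfg.enable {
    # Stubby is a stub resolver only; anything else is a misconfiguration.
    # `settings` always contains at least `appdata_dir` (set below), so the
    # `or ""` fallback fires when the user supplied no settings at all.
    assertions = [{
      assertion =
        (cfg.settings.resolution_type or "") == "GETDNS_RESOLUTION_STUB";
      message = ''
        services.stubby.settings.resolution_type must be set to "GETDNS_RESOLUTION_STUB".
        Is services.stubby.settings unset?
      '';
    }];

    # Opportunistic mode skips certificate verification of the upstreams; a
    # user who wants that explicitly can still set it, but should know.
    warnings = optional
      ((cfg.settings.tls_authentication or "") != "GETDNS_AUTHENTICATION_REQUIRED")
      "services.stubby.settings.tls_authentication is not \"GETDNS_AUTHENTICATION_REQUIRED\"; upstream TLS certificates will not be verified (opportunistic mode).";

    # Must match `CacheDirectory` below, which is the only writable path the
    # sandboxed service is given.
    services.stubby.settings.appdata_dir = "/var/cache/stubby";

    systemd.services.stubby = {
      description = "Stubby local DNS resolver";
      after = [ "network.target" ];
      before = [ "nss-lookup.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "notify";
        # Binding port 53 is the only privileged operation; grant exactly that.
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}";
        # DynamicUser already implies NoNewPrivileges, ProtectSystem=strict,
        # ProtectHome, PrivateTmp, RemoveIPC and RestrictSUIDSGID.
        DynamicUser = true;
        # Creates /var/cache/stubby, owned by the dynamic user.
        CacheDirectory = "stubby";

        # Extra sandboxing: the daemon parses DNS and TLS data from the
        # network, so limit what a compromised process can reach.
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        LockPersonality = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        # AF_UNIX is needed for the Type=notify readiness socket.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        SystemCallArchitectures = "native";
        # NOTE(review): ~@privileged removes setuid/capset-class calls; stubby
        # relies on DynamicUser rather than dropping privileges itself, so
        # these should be unused — confirm on first start with a debug run.
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };
  };
}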