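# NixOS module for Stubby, a local DNS stub resolver.
#
# All Stubby configuration is expressed through `services.stubby.settings`,
# rendered to a YAML file in the Nix store and handed to the daemon with `-C`.
# The unit runs Stubby as an unprivileged dynamic user that only keeps
# CAP_NET_BIND_SERVICE (needed to bind the DNS port).
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.stubby;
  settingsFormat = pkgs.formats.yaml { };
  # Store path of the generated configuration; referenced in ExecStart below.
  confFile = settingsFormat.generate "stubby.yml" cfg.settings;
in {
  imports = [
    # Same `services.stubby` prefix as the removed options below (the
    # replacement named in the message is services.stubby.logLevel); the
    # earlier `[ "stubby" "debugLogging" ]` path was inconsistent with them.
    (mkRemovedOptionModule [ "services" "stubby" "debugLogging" ]
      "Use services.stubby.logLevel = \"debug\"; instead.")
  ] ++ map (x:
    (mkRemovedOptionModule [ "services" "stubby" x ]
      "Stubby configuration moved to services.stubby.settings.")) [
    "authenticationMode"
    "fallbackProtocols"
    "idleTimeout"
    "listenAddresses"
    "queryPaddingBlocksize"
    "roundRobinUpstreams"
    "subnetPrivate"
    "upstreamServers"
  ];

  options = {
    services.stubby = {

      enable = mkEnableOption "Stubby DNS resolver";

      # Free-form YAML document; no keys are validated here beyond the
      # resolution_type assertion in `config`.
      settings = mkOption {
        type = types.attrsOf settingsFormat.type;
        example = lib.literalExpression ''
          pkgs.stubby.passthru.settingsExample // {
            upstream_recursive_servers = [{
              address_data = "158.64.1.29";
              tls_auth_name = "kaitain.restena.lu";
              tls_pubkey_pinset = [{
                digest = "sha256";
                value = "7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=";
              }];
            }];
          };
        '';
        description = ''
          Content of the Stubby configuration file. All Stubby settings may be set or queried
          here. The default settings are available at
          `pkgs.stubby.passthru.settingsExample`. See
          <https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby>.
          A list of the public recursive servers can be found here:
          <https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers>.
        '';
      };

      # Accepts either a syslog keyword or its numeric level; `apply`
      # normalises both forms to the number passed to `stubby -v`.
      logLevel = let
        logLevels = {
          emerg = 0;
          alert = 1;
          crit = 2;
          error = 3;
          warning = 4;
          notice = 5;
          info = 6;
          debug = 7;
        };
      in mkOption {
        default = null;
        type = types.nullOr (types.enum (attrNames logLevels ++ attrValues logLevels));
        apply = v: if isString v then logLevels.${v} else v;
        description = "Log verbosity (syslog keyword or level).";
      };

    };
  };

  config = mkIf cfg.enable {
    assertions = [{
      # Fails early when `settings` is empty or was not derived from the
      # example (resolution_type is then missing).
      assertion =
        (cfg.settings.resolution_type or "") == "GETDNS_RESOLUTION_STUB";
      message = ''
        services.stubby.settings.resolution_type must be set to "GETDNS_RESOLUTION_STUB".
        Is services.stubby.settings unset?
      '';
    }];

    # Must match CacheDirectory below: systemd creates /var/cache/stubby for
    # the dynamic user, and Stubby keeps its state there.
    services.stubby.settings.appdata_dir = "/var/cache/stubby";

    systemd.services.stubby = {
      description = "Stubby local DNS resolver";
      after = [ "network.target" ];
      before = [ "nss-lookup.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # Readiness is signalled by the daemon itself (sd_notify).
        Type = "notify";
        # The dynamic user is unprivileged; only the capability needed to
        # bind the DNS port is granted, and the bounding set keeps the
        # process from ever regaining anything else.
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        # `-v` is only passed when a level was configured.
        ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString (cfg.logLevel != null) "-v ${toString cfg.logLevel}"}";
        # DynamicUser already implies ProtectSystem=strict, ProtectHome,
        # PrivateTmp and NoNewPrivileges (see systemd.exec(5)).
        DynamicUser = true;
        CacheDirectory = "stubby";

        # Additional sandboxing for a daemon that parses untrusted network
        # input: a userspace resolver needs none of the facilities below.
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
      };
    };
  };
}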