pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #168764 from rnhmjoj/pr-pdns-ncdns

nixos/ncdns: listen on IPv6 by default

Michele Guerini Rocco 68a102a2 5ff41873

options
unified split
Changed files
+17 -11
nixos
doc
manual
from_md
release-notes
rl-2205.section.xml
release-notes
rl-2205.section.md
modules
services
networking
ncdns.nix
tests
ncdns.nix
+7
nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
···

       
506

       
506

       
 

       
      </listitem>


     

       
507

       
507

       
 

       
      <listitem>


     

       
508

       
508

       
 

       
        <para>


     

       

       
509

       
+

       
          In the ncdns module, the default value of


     

       

       
510

       
+

       
          <literal>services.ncdns.address</literal> has been changed to


     

       

       
511

       
+

       
          the IPv6 loopback address (<literal>::1</literal>).


     

       

       
512

       
+

       
        </para>


     

       

       
513

       
+

       
      </listitem>


     

       

       
514

       
+

       
      <listitem>


     

       

       
515

       
+

       
        <para>


     

       
509

       
516

       
 

       
          <literal>openssh</literal> has been update to 8.9p1, changing


     

       
510

       
517

       
 

       
          the FIDO security key middleware interface.


     

       
511

       
518

       
 

       
        </para>
+2
nixos/doc/manual/release-notes/rl-2205.section.md 
···

       
160

       
160

       
 

       
      (`services.pdns-recursor.dns.address`, `services.pdns-recursor.dns.allowFrom`);


     

       
161

       
161

       
 

       
    - allow only local connections to the REST API server (`services.pdns-recursor.api.allowFrom`).


     

       
162

       
162

       
 

       



     

       

       
163

       
+

       
- In the ncdns module, the default value of `services.ncdns.address` has been changed to the IPv6 loopback address (`::1`).


     

       

       
164

       
+

       



     

       
163

       
165

       
 

       
- `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface.


     

       
164

       
166

       
 

       



     

       
165

       
167

       
 

       
- `services.k3s.enable` no longer implies `systemd.enableUnifiedCgroupHierarchy = false`, and will default to the 'systemd' cgroup driver when using `services.k3s.docker = true`.
+2 -2
nixos/modules/services/networking/ncdns.nix 
···

       
58

       
58

       
 

       



     

       
59

       
59

       
 

       
      address = mkOption {


     

       
60

       
60

       
 

       
        type = types.str;


     

       
61

       

       
-

       
        default = "127.0.0.1";


     

       

       
61

       
+

       
        default = "[::1]";


     

       
62

       
62

       
 

       
        description = ''


     

       
63

       
63

       
 

       
          The IP address the ncdns resolver will bind to.  Leave this unchanged


     

       
64

       
64

       
 

       
          if you do not wish to directly expose the resolver.


     
···

       
202

       
202

       
 

       
  config = mkIf cfg.enable {


     

       
203

       
203

       
 

       



     

       
204

       
204

       
 

       
    services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveNamecoin {


     

       
205

       

       
-

       
      forwardZonesRecurse.bit = "127.0.0.1:${toString cfg.port}";


     

       

       
205

       
+

       
      forwardZonesRecurse.bit = "${cfg.address}:${toString cfg.port}";


     

       
206

       
206

       
 

       
      luaConfig =


     

       
207

       
207

       
 

       
        if cfg.dnssec.enable


     

       
208

       
208

       
 

       
          then ''readTrustAnchorsFromFile("${cfg.dnssec.keys.public}")''
+6 -9
nixos/tests/ncdns.nix 
···

       
29

       
29

       
 

       
  };


     

       
30

       
30

       
 

       



     

       
31

       
31

       
 

       
  nodes.server = { ... }: {


     

       
32

       

       
-

       
    networking.nameservers = [ "127.0.0.1" ];


     

       

       
32

       
+

       
    networking.nameservers = [ "::1" ];


     

       
33

       
33

       
 

       



     

       
34

       
34

       
 

       
    services.namecoind.rpc = {


     

       
35

       

       
-

       
      address = "127.0.0.1";


     

       

       
35

       
+

       
      address = "::1";


     

       
36

       
36

       
 

       
      user = "namecoin";


     

       
37

       
37

       
 

       
      password = "secret";


     

       
38

       
38

       
 

       
      port = 8332;


     
···

       
45

       
45

       
 

       
      script = ''


     

       
46

       
46

       
 

       
        while true; do


     

       
47

       
47

       
 

       
          echo -e "HTTP/1.1 200 OK\n\n $(<${fakeReply})\n" \


     

       
48

       

       
-

       
            | ${pkgs.netcat}/bin/nc -N -l 127.0.0.1 8332


     

       

       
48

       
+

       
            | ${pkgs.netcat}/bin/nc -N -l ::1 8332


     

       
49

       
49

       
 

       
        done


     

       
50

       
50

       
 

       
      '';


     

       
51

       
51

       
 

       
    };


     
···

       
58

       
58

       
 

       
      identity.address    = "1.0.0.1";


     

       
59

       
59

       
 

       
    };


     

       
60

       
60

       
 

       



     

       
61

       

       
-

       
    services.pdns-recursor = {


     

       
62

       

       
-

       
      enable = true;


     

       
63

       

       
-

       
      dns.allowFrom = [ "127.0.0.0/8" ];


     

       
64

       

       
-

       
      resolveNamecoin = true;


     

       
65

       

       
-

       
    };


     

       

       
61

       
+

       
    services.pdns-recursor.enable = true;


     

       

       
62

       
+

       
    services.pdns-recursor.resolveNamecoin = true;


     

       
66

       
63

       
 

       



     

       
67

       
64

       
 

       
    environment.systemPackages = [ pkgs.dnsutils ];


     

       
68

       

       
-

       



     

       
69

       
65

       
 

       
  };


     

       
70

       
66

       
 

       



     

       
71

       
67

       
 

       
  testScript =


     
···

       
91

       
87

       
 

       
          assert "example.com" in server.succeed("dig SOA @localhost -p 5333 bit")


     

       
92

       
88

       
 

       



     

       
93

       
89

       
 

       
      with subtest("bit. zone forwarding works"):


     

       

       
90

       
+

       
          server.wait_for_unit("pdns-recursor")


     

       
94

       
91

       
 

       
          assert "1.2.3.4" in server.succeed("host test.bit")


     

       
95

       
92

       
 

       
    '';


     

       
96

       
93

       
 

       
})