Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/unbound: add enableRemoteAccess option #79559

Closed
wants to merge 1 commit into from
Closed

nixos/unbound: add enableRemoteAccess option #79559

wants to merge 1 commit into from

Conversation

kraem
Copy link
Member

@kraem kraem commented Feb 8, 2020
edited

Motivation for this change

unbound-control which is installed with package unbound when activating the module wasn't able to access the server because it was looking for the config file in /etc so I thought I'd make options to enable this more easily.

Things done
  • Implemented an option enableRemoteAccess, an option that sets remote-control setting to true in unbound.conf
  • The option also generates key + certificate and listens to 127.0.0.1 and ::1 by default. The interface + port can be altered with the other options remoteAccessInterfaces and remoteAccessPort for remote access.
  • Wrapped unbound-control and unbound-checkconf so it points to the config file in stateDir instead of the packages default configuration dir in /etc
    • I don't know if that's what these lines are supposed to do. Somehow unbound-anchor say the default dir for root key fil is under /nix/store
Thoughts

I added the wrapping to systemPackages because I added unbound-checkconf to the wrapping.
I could change this to

    environment.systemPackages = [ cfg.package ] 
      ++ optionals cfg.enableRemoteAccess [ (hiPrio unboundWrapped) ];

if that's better.

I am happy for pointers and tips of course :)

Checkboxes
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@kraem kraem requested a review from volth February 8, 2020 19:49
@kraem kraem closed this Mar 21, 2020
@kraem kraem deleted the nixos/unbound branch March 21, 2020 20:46
@kraem kraem restored the nixos/unbound branch April 28, 2020 16:20
@kraem kraem reopened this Apr 28, 2020
lovesegfault
lovesegfault reviewed Apr 28, 2020
View reviewed changes
nixos/modules/services/networking/unbound.nix
Comment on lines +51 to +57
installPhase = ''
mkdir -p "$out/bin"
makeWrapper ${pkgs.unbound}/bin/unbound-control $out/bin/unbound-control \
--add-flags "-c ${stateDir}/unbound.conf"
makeWrapper ${pkgs.unbound}/bin/unbound-checkconf $out/bin/unbound-checkconf \
--add-flags "${stateDir}/unbound.conf"
'';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice, I was supremely annoyed with the previous behavior.

nixos/modules/services/networking/unbound.nix
Comment on lines +21 to +24
server-key-file: ${stateDir}/unbound_server.key
server-cert-file: ${stateDir}/unbound_server.pem
control-key-file: ${stateDir}/unbound_control.key
control-cert-file: ${stateDir}/unbound_control.pem
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these going to be correctly auto-gen'd when the cfg is enabled?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They should be with this 👍 https://github.com/NixOS/nixpkgs/compare/master...kraem:nixos/unbound?expand=1#diff-af0e676aa026493eac8384bd688abbdfR191

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just verified this since it was a long time since I wrote this and it works for me 👍

@kraem
nixos/unbound: add enableRemoteAccess option
30b1271 
Option that sets remote-control setting to true in unbound.conf which
in turn enables the new wrapping of unbound-control to access the server locally.
Also includes options 'remoteAccessInterfaces' and 'remoteAccessPort'
for remote access.
@kraem kraem requested a review from lovesegfault April 29, 2020 14:22
kraem
kraem commented Apr 29, 2020
View reviewed changes
nixos/modules/services/networking/unbound.nix
};

remoteAccessInterfaces = mkOption {
default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1";
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added check for enableIPv6

@kraem kraem requested review from ehmry and globin April 29, 2020 15:51
@rissson
Copy link
Member

rissson commented Jun 5, 2020

I'd rather we went with a design as described in RFC 42 for this module. I guess we can keep the existing options and build on top of that. I'll try something and mention it here.

rissson
rissson reviewed Jun 5, 2020
View reviewed changes
nixos/modules/services/networking/unbound.nix
@@ -126,11 +188,12 @@ in
''}
touch ${stateDir}/dev/random
${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random
${optionalString cfg.enableRemoteAccess "${pkgs.unbound}/bin/unbound-control-setup -d ${stateDir}"}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be cfg.package?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly don't know. Saw your new PR, gj 👍. Keeping this one open til your is merged.

@rissson rissson mentioned this pull request Jun 5, 2020
Merged
10 tasks
@stale
Copy link

stale bot commented Dec 9, 2020

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 9, 2020
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 18, 2021
@kraem
Copy link
Member Author

kraem commented May 4, 2021

Closing as #89572 is merged 🎉

@kraem kraem closed this May 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pasqui23 pasqui23 pasqui23 left review comments

@rissson rissson rissson left review comments

@ehmry ehmry ehmry approved these changes

@lovesegfault lovesegfault Awaiting requested review from lovesegfault

@globin globin Awaiting requested review from globin

Assignees
No one assigned
Labels
2.status: merge conflict 6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@kraem @rissson @ehmry @pasqui23 @lovesegfault @SuperSandro2000