nixos/nsd: Don't override bind via nixpkgs.config #53365
When generating values for the services.nsd.zones attribute using values from pkgs, we'll run into an infinite recursion because the nsd module has a condition on the top-level definition of nixpkgs.config.

While it would work to push the definition a few levels down, it will still only work if we don't use bind tools for generating zones.

As far as I could see, Python support for BIND seems to be only needed for the dnssec-* tools, so instead of using nixpkgs.config, we now directly override pkgs.bind instead of globally in nixpkgs.

To illustrate the problem with a small test case, instantiating the following Nix expression from the nixpkgs source root will cause the mentioned infinite recursion:

```nix
(import ./nixos {
  configuration = { lib, pkgs, ... }: {
    services.nsd.enable = true;
    services.nsd.zones = import (pkgs.writeText "foo.nix" ''
      {
        "foo.".data = "xyz";
        "foo.".dnssec = true;
      }
    '');
  };
}).vm
```

With this change, generating zones via import-from-derivation is now possible again.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @pngwjpgh
While at it (see previous commit), using attrNames in combination with length is a bit verbose for checking whether the filtered attribute set is empty, so let's just compare it against an empty attribute set. Signed-off-by: aszlig <aszlig@nix.build>
@aszlig Thanks for the patch. I wasn't even aware of these DNSSEC changes :/ This should never have been done that way and your patch corrects it. Therefore I am happy with merging. I don't think that this change will break anything. However, my hoster does not support DNSSEC, so let's wait for @pngwjpgh testing it.
@pngwjpgh If you need some more time for testing, please drop a short line. If not, I will merge this in a few days. It is a simple change and I don't want to have it sit around for too long.
I feel certain about merging this. Magically overriding nixpkgs-wide bind was ugly.
I'm not even sure why `enablePython` is there, as the dnssec-* tools used here seem present even without it, but I can't say I know the bind dnssec-* toolset that well. Anyway, the whole override could be removed later; it seems of little consequence.
I even feel like picking this to 18.09, but I'll wait for a few days at least.
@pngwjpgh: Can you please check whether DNSSEC still works after this?
Cc: @hrdinka
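
The two patterns contrasted in the commit message, as an added sketch that is not the nsd module's code. The `example.zones` option namespace and the `bind.enablePython` key under `nixpkgs.config` are assumptions; `enablePython` as an argument of `pkgs.bind` is the one named in this PR.

```nix
# Added illustration, not the nsd module's code.
# The option namespace `example.zones` is hypothetical.
{ config, lib, pkgs, ... }:

let
  cfg = config.example;

  # True when at least one zone asks for signing. Evaluating this forces
  # `cfg.zones`, which a user may compute from `pkgs` (for example via
  # import-from-derivation, as in the test case above).
  signedZones = lib.filterAttrs (_name: zone: zone.dnssec) cfg.zones;
  dnssec = signedZones != { };

  # Scoped override: only this derivation is built with Python support.
  # Every other consumer of pkgs.bind keeps the default build.
  dnssecTools = pkgs.bind.override { enablePython = true; };
in
{
  options.example.zones = lib.mkOption {
    default = { };
    type = lib.types.attrsOf (lib.types.submodule {
      options.data = lib.mkOption { type = lib.types.lines; default = ""; };
      options.dnssec = lib.mkOption { type = lib.types.bool; default = false; };
    });
  };

  config = {
    # Problematic pattern, kept as a comment: `pkgs` is constructed from
    # nixpkgs.config, so a top-level definition gated on `dnssec` closes
    # the cycle  pkgs -> nixpkgs.config -> dnssec -> cfg.zones -> pkgs.
    # (The key name below is an assumption.)
    #
    #   nixpkgs.config = lib.mkIf dnssec { bind.enablePython = true; };

    # Nothing here feeds back into how `pkgs` is constructed, so zone
    # definitions derived from `pkgs` evaluate without recursion.
    environment.systemPackages = lib.optional dnssec dnssecTools;
  };
}
```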