New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add stubby resolver daemon service module #38667
Conversation
This change implements stubby, the DNS-over-TLS stub resolver daemon. The motivation for this change was the desire to use stubby's DNS-over-TLS funcitonality in tandem with unbound, which requires passing certain configuration parameters. This module implements those config parameters by exposing them for use in configuration.nix.
re-merging the module list to remove unecessary changes.
''; | ||
}; | ||
|
||
enableNetBindService = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
instead of trying to parse the listenAddresses
, which required the very inefficient splitString
, I have simply provided the option to disable this capability if the user knows they are going to bind to ports > 1024.
|
||
serviceConfig = { | ||
AmbientCapabilities = "${optionalString cfg.enableNetBindService "CAP_NET_BIND_SERVICE"}"; | ||
CapabilitiesBoundingSet = "${optionalString cfg.enableNetBindService "CAP_NET_BIND_SERVICE"}"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this part I'm not 100% sure about and would welcome input. obviously, having AmbientCapabilities=
set to nothing (instead of just being altogether absent in the false
case) isn't the prettiest. however, it does seem to achieve the desired effect (for now, anyway).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Eh, I think providing an option for this is a bit too much. Should be fine to just set the values by default, if the user wants to override it he can still do it with something like systemd.services.stubby.serviceConfig.AmbientCapabilities = mkForce "";
. I mean it's a DNS module after all, it should be expected to be able to bind to privileged ports.
This change removes the unecessary flag for toggling the capabilities which allows the daemon to bind to low ports.
Adding the option to turn on debug logging.
Shouldn't this service be ordered before |
Also, it would be useful to mention that the BTW, thanks for contributing this service, I am already using it successfully (with |
@wizeman both good points. very pleased to hear someone found it useful! |
Improving docs to note that idleTimeout is expressed in ms. Adding the nss-lookup `before' target to the systemd service definition.
fallbacks = concatMapStringsSep "\n " (x: "- ${x}") cfg.fallbackProtocols; | ||
listeners = concatMapStringsSep "\n " (x: "- ${x}") cfg.listenAddresses; | ||
# By default, the recursive resolvers maintained by the getdns | ||
# project itself are enabled. More information about both getdns's servers, # as well as third party options for upstream resolvers, can be found here: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missed a line break here
|
||
fallbackProtocols = mkOption { | ||
default = [ "GETDNS_TRANSPORT_TLS" ]; | ||
type = types.listOf types.str; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could use types.enum [ "GETDNS_TRANSPORT_TLS" "GETDNS_TRANSPORT_TCP" "GETDNS_TRANSPORT_UDP" ]
here
}; | ||
|
||
authenticationMode = mkOption { | ||
default = "GETDNS_AUTHENTICATION_REQUIRED"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could change this to a boolean option authenticationRequired
when there's only the values required/none. But only if you're sure that other options won't be added in the future (i suspect that won't be the case).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And if you don't want to make it a boolean, it can be an enum like above instead.
BTW, I forgot to mention that I'm getting the following message in the systemd journal:
|
@wizeman whups! You're right. that should be |
This change restricts fallbackProtocol and authenticationMode to accept only valid options instead of any list or str types (respectively). This change also fixes typo in the CapabilityBoundingSet systemd setting.
Cleaning up docs, adding literal tags to settings, and removing whitespace.
listeners = concatMapStringsSep "\n " (x: "- ${x}") cfg.listenAddresses; | ||
|
||
# By default, the recursive resolvers maintained by the getdns | ||
# project itself are enabled. More information about both getdns's servers, # as well as third party options for upstream resolvers, can be found here: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I meant a line break in this comment line, there's a #
in the middle of it.
|
||
# By default, the recursive resolvers maintained by the getdns | ||
# project itself are enabled. More information about both getdns's servers, | ||
# # as well as third party options for upstream resolvers, can be found here: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now there's two #
here :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh dear... what are we going to do with me
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks perfect to me now, well done! I have also tested this locally and it worked without problems.
🎉🎉! thanks for your help, @infinisil and @wizeman. |
I've been running this since a few days together with systemd-resolved and it works fine. I guess you'll just have to squash the commits to have this PR merged. @baroncharlus, have you had a look at the upstream systemd service? I wonder if we should set the working directory as well. This seems to be of interest for zero configuration DNSSEC. (See also |
This change implements stubby, the DNS-over-TLS stub resolver daemon.
The package itself is maintained by @leenaars.
The motivation for this change was the desire to use
stubby
'sDNS-over-TLS functionality in tandem with unbound, which requires
passing certain configuration parameters. This module implements those
config parameters by exposing them for use in
configuration.nix.
This is a reopening of PR #38586, which was based on the incorrect branch.
Things done
build-use-sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)