pdns-recursor: add service
rnhmjoj
9 years ago
6bcf89f2
d79ea39d
+170
3 changed files
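--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -284,6 +284,7 @@
     glance = 266;
     couchpotato = 267;
     gogs = 268;
+    pdns-recursor = 269;
 
     # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 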
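--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -426,6 +426,7 @@
   ./services/networking/pdnsd.nix
   ./services/networking/polipo.nix
   ./services/networking/powerdns.nix
+  ./services/networking/pdns-recursor.nix
   ./services/networking/pptpd.nix
   ./services/networking/prayer.nix
   ./services/networking/privoxy.nix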
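--- a/nixos/modules/services/networking/pdns-recursor.nix
+++ b/nixos/modules/services/networking/pdns-recursor.nix
@@ -0,0 +1,168 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  dataDir = "/var/lib/pdns-recursor";
+  username = "pdns-recursor";
+
+  cfg = config.services.pdns-recursor;
+  zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;
+
+  configFile = pkgs.writeText "recursor.conf" ''
+    local-address=${cfg.dns.address}
+    local-port=${toString cfg.dns.port}
+    allow-from=${concatStringsSep "," cfg.dns.allowFrom}
+
+    webserver-address=${cfg.api.address}
+    webserver-port=${toString cfg.api.port}
+    webserver-allow-from=${concatStringsSep "," cfg.api.allowFrom}
+
+    forward-zones=${concatStringsSep "," zones}
+    export-etc-hosts=${if cfg.exportHosts then "yes" else "no"}
+    dnssec=${cfg.dnssecValidation}
+    serve-rfc1918=${if cfg.serveRFC1918 then "yes" else "no"}
+
+    ${cfg.extraConfig}
+  '';
+
+in {
+  options.services.pdns-recursor = {
+    enable = mkEnableOption "PowerDNS Recursor, a recursive DNS server";
+
+    dns.address = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = ''
+        IP address Recursor DNS server will bind to.
+      '';
+    };
+
+    dns.port = mkOption {
+      type = types.int;
+      default = 53;
+      description = ''
+        Port number Recursor DNS server will bind to.
+      '';
+    };
+
+    dns.allowFrom = mkOption {
+      type = types.listOf types.str;
+      default = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
+      example = [ "0.0.0.0/0" ];
+      description = ''
+        IP address ranges of clients allowed to make DNS queries.
+      '';
+    };
+
+    api.address = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = ''
+        IP address Recursor REST API server will bind to.
+      '';
+    };
+
+    api.port = mkOption {
+      type = types.int;
+      default = 8082;
+      description = ''
+        Port number Recursor REST API server will bind to.
+      '';
+    };
+
+    api.allowFrom = mkOption {
+      type = types.listOf types.str;
+      default = [ "0.0.0.0/0" ];
+      description = ''
+        IP address ranges of clients allowed to make API requests.
+      '';
+    };
+
+    exportHosts = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to export names and IP addresses defined in /etc/hosts.
+      '';
+    };
+
+    forwardZones = mkOption {
+      type = types.attrs;
+      example = { eth = "127.0.0.1:5353"; };
+      default = {};
+      description = ''
+        DNS zones to be forwarded to other servers.
+      '';
+    };
+
+    dnssecValidation = mkOption {
+      type = types.enum ["off" "process-no-validate" "process" "log-fail" "validate"];
+      default = "validate";
+      description = ''
+        Controls the level of DNSSEC processing done by the PowerDNS Recursor.
+        See https://doc.powerdns.com/md/recursor/dnssec/ for a detailed explanation.
+      '';
+    };
+
+    serveRFC1918 = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to directly resolve the RFC1918 reverse-mapping domains:
+        <literal>10.in-addr.arpa</literal>,
+        <literal>168.192.in-addr.arpa</literal>,
+        <literal>16-31.172.in-addr.arpa</literal>
+        This saves load on the AS112 servers.
+      '';
+    };
+
+    extraConfig = mkOption {
+      type = types.lines;
+      default = "";
+      description = ''
+        Extra options to be appended to the configuration file.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    users.extraUsers."${username}" = {
+      home = dataDir;
+      createHome = true;
+      uid = config.ids.uids.pdns-recursor;
+      description = "PowerDNS Recursor daemon user";
+    };
+
+    systemd.services.pdns-recursor = {
+      unitConfig.Documentation = "man:pdns_recursor(1) man:rec_control(1)";
+      description = "PowerDNS recursive server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        User = username;
+        Restart ="on-failure";
+        RestartSec = "5";
+        PrivateTmp = true;
+        PrivateDevices = true;
+        AmbientCapabilities = "cap_net_bind_service";
+        ExecStart = ''${pkgs.pdns-recursor}/bin/pdns_recursor \
+          --config-dir=${dataDir} \
+          --socket-dir=${dataDir} \
+          --disable-syslog
+        '';
+      };
+
+      preStart = ''
+        # Link configuration file into recursor home directory
+        configPath=${dataDir}/recursor.conf
+        if [ "$(realpath $configPath)" != "${configFile}" ]; then
+          rm -f $configPath
+          ln -s ${configFile} $configPath
+        fi
+      '';
+    };
+  };
+}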
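Review bot: The REST API defaults are the weakest part of the new module: `api.address` defaults to `"0.0.0.0"` and `api.allowFrom` to `[ "0.0.0.0/0" ]` (the `api.*` options in the middle of the new file), so whenever the recursor's webserver is active its control API listens on every interface and accepts any client, while the generated recursor.conf sets neither `webserver=yes` nor an `api-key` — as far as I recall the recursor needs both before the API responds, so as written the `api.*` options are either inert or describe an unauthenticated, world-reachable API. Safer defaults would be `default = "127.0.0.1";` for `api.address` and `default = [ "127.0.0.1/32" ];` for `api.allowFrom`, with the descriptions noting that no API key is configured by this module. Two smaller points: `forwardZones` is typed `types.attrs`, where `types.attrsOf types.str` would reject non-string values before they reach the `"${zone}.=${uri}"` interpolation, and the unit grants `AmbientCapabilities = "cap_net_bind_service"` without a matching bounding set, so adding `CapabilityBoundingSet = "cap_net_bind_service";` to `serviceConfig` would keep the daemon from retaining any other capability.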