unbound: run in chroot

+16 -16
+16 -16
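--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -6,8 +6,6 @@
 
 cfg = config.services.unbound;
 
-username = "unbound";
-
 stateDir = "/var/lib/unbound";
 
 access = concatMapStrings (x: " access-control: ${x} allow\n") cfg.allowedAccess;
@@ -21,21 +19,13 @@
 confFile = pkgs.writeText "unbound.conf" ''
 server:
 directory: "${stateDir}"
-username: ${username}
-# make sure unbound can access entropy from inside the chroot.
-# e.g. on linux the use these commands (on BSD, devfs(8) is used):
-# mount --bind -n /dev/random /etc/unbound/dev/random
-# and mount --bind -n /dev/log /etc/unbound/dev/log
+username: unbound
 chroot: "${stateDir}"
-# logfile: "${stateDir}/unbound.log" #uncomment to use logfile.
-pidfile: "${stateDir}/unbound.pid"
-verbosity: 1 # uncomment and increase to get more logging.
+pidfile: ""
 ${interfaces}
 ${access}
-
-${forward}
-
 ${cfg.extraConfig}
+${forward}
 '';
 
 in
@@ -82,7 +72,7 @@
 environment.systemPackages = [ pkgs.unbound ];
 
 users.extraUsers = singleton {
-name = username;
+name = "unbound";
 uid = config.ids.uids.unbound;
 description = "unbound daemon user";
 home = stateDir;
@@ -96,8 +86,18 @@
 wants = [" nss-lookup.target" ];
 wantedBy = [ "multi-user.target" ];
 
-path = [ pkgs.unbound ];
-serviceConfig.ExecStart = "${pkgs.unbound}/sbin/unbound -d -c ${confFile}";
+preStart = ''
+mkdir -m 0755 -p ${stateDir}/dev/
+cp ${confFile} ${stateDir}/unbound.conf
+chown unbound ${stateDir}
+touch ${stateDir}/dev/random
+${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
+'';
+
+serviceConfig = {
+ExecStart = "${pkgs.unbound}/sbin/unbound -d -c ${stateDir}/unbound.conf";
+ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";
+};
 };
 
 };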
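Review bot: `chown unbound ${stateDir}` in the new preStart makes the chroot root, which now also holds the copied `unbound.conf`, writable by the unprivileged daemon user, so a compromise of that user can replace the configuration read on the next start and create arbitrary files under the chroot root, which weakens the isolation the chroot is meant to provide. Keeping the root directory owned by root (the `mkdir -m 0755` already makes it world-readable) and giving unbound a dedicated writable subdirectory only if something it runs genuinely needs one would keep the config immutable to the daemon; e.g. `chown root ${stateDir}` and `chmod 0644 ${stateDir}/unbound.conf` in place of the current chown. The bind mount is also issued unconditionally, so a start after a stop where ExecStopPost did not run would stack a second mount; guarding it as `${pkgs.utillinux}/bin/mountpoint -q ${stateDir}/dev/random || ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random` keeps preStart idempotent. The removed comment also mentioned `/dev/log`; with syslog left at its default, logging from inside the chroot may need the same bind-mount treatment — worth confirming before relying on the daemon's logs for detection. The systemd service attribute set these lines belong to starts outside the hunk.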