unbound: run in chroot

+16 -16
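--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -6,8 +6,6 @@
 
   cfg = config.services.unbound;
 
-  username = "unbound";
-
   stateDir = "/var/lib/unbound";
 
   access = concatMapStrings (x: " access-control: ${x} allow\n") cfg.allowedAccess;
@@ -21,21 +19,13 @@
   confFile = pkgs.writeText "unbound.conf" ''
     server:
       directory: "${stateDir}"
-      username: ${username}
-      # make sure unbound can access entropy from inside the chroot.
-      # e.g. on linux the use these commands (on BSD, devfs(8) is used):
-      # mount --bind -n /dev/random /etc/unbound/dev/random
-      # and mount --bind -n /dev/log /etc/unbound/dev/log
+      username: unbound
       chroot: "${stateDir}"
-      # logfile: "${stateDir}/unbound.log" #uncomment to use logfile.
-      pidfile: "${stateDir}/unbound.pid"
-      verbosity: 1 # uncomment and increase to get more logging.
+      pidfile: ""
       ${interfaces}
       ${access}
-
-      ${forward}
-
       ${cfg.extraConfig}
+      ${forward}
   '';
 
 in
@@ -82,7 +72,7 @@
   environment.systemPackages = [ pkgs.unbound ];
 
   users.extraUsers = singleton {
-    name = username;
+    name = "unbound";
     uid = config.ids.uids.unbound;
     description = "unbound daemon user";
     home = stateDir;
@@ -96,8 +86,18 @@
     wants = [" nss-lookup.target" ];
     wantedBy = [ "multi-user.target" ];
 
-    path = [ pkgs.unbound ];
-    serviceConfig.ExecStart = "${pkgs.unbound}/sbin/unbound -d -c ${confFile}";
+    preStart = ''
+      mkdir -m 0755 -p ${stateDir}/dev/
+      cp ${confFile} ${stateDir}/unbound.conf
+      chown unbound ${stateDir}
+      touch ${stateDir}/dev/random
+      ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
+    '';
+
+    serviceConfig = {
+      ExecStart = "${pkgs.unbound}/sbin/unbound -d -c ${stateDir}/unbound.conf";
+      ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";
+    };
   };
 
 };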
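Review bot: The chroot root is handed to the confined account by `chown unbound ${stateDir}` in the new preStart, which means the daemon, once running as `unbound`, can rename or remove `${stateDir}/unbound.conf` — the file ExecStart reads as root on the next start — and that undoes much of what the chroot is meant to buy. With `pidfile: ""` nothing visible in this module needs the directory itself writable by the daemon; keeping `${stateDir}` root-owned at 0755 (drop the `chown` line, or `chown root ${stateDir}` on hosts already deployed) and giving unbound a dedicated writable subdirectory only if one is needed would keep the confinement intact. Whether anything does need write access under `directory:` depends on what `cfg.extraConfig` adds (e.g. trust-anchor files), which is outside this hunk, so that would have to be confirmed before tightening it.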