mirror of
https://github.com/SebastianWendel/nixpkgs.git
synced 2024-09-23 05:35:50 +02:00
bd52618c9d
When the user specifies the networking.nameservers setting in the configuration file, it must take precedence over automatically derived settings. The culprit was services.bind that made the resolver set to 127.0.0.1 and ignore the nameserver setting. This patch adds a flag to services.bind to override the nameserver to localhost. It defaults to true. Setting this to false prevents the service.bind and dnsmasq.resolveLocalQueries settings from overriding the users' settings. Also, when the user specifies a domain to search, it must be set in the resolver configuration, even if the user does not specify any nameservers. (cherry picked from commit 670b4e29adc16e0a29aa5b4c126703dcca56aeb6) This commit was accidentally merged to 17.09 but was intended for master. This is the cherry-pick to master.
203 lines
5.1 KiB
Nix
203 lines
5.1 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.services.bind;
|
|
|
|
bindUser = "named";
|
|
|
|
confFile = pkgs.writeText "named.conf"
|
|
''
|
|
include "/etc/bind/rndc.key";
|
|
controls {
|
|
inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
|
|
};
|
|
|
|
acl cachenetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
|
|
acl badnetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} };
|
|
|
|
options {
|
|
listen-on { ${concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
|
|
listen-on-v6 { ${concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
|
|
allow-query { cachenetworks; };
|
|
blackhole { badnetworks; };
|
|
forward first;
|
|
forwarders { ${concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };
|
|
directory "/var/run/named";
|
|
pid-file "/var/run/named/named.pid";
|
|
};
|
|
|
|
${cfg.extraConfig}
|
|
|
|
${ concatMapStrings
|
|
({ name, file, master ? true, slaves ? [], masters ? [] }:
|
|
''
|
|
zone "${name}" {
|
|
type ${if master then "master" else "slave"};
|
|
file "${file}";
|
|
${ if master then
|
|
''
|
|
allow-transfer {
|
|
${concatMapStrings (ip: "${ip};\n") slaves}
|
|
};
|
|
''
|
|
else
|
|
''
|
|
masters {
|
|
${concatMapStrings (ip: "${ip};\n") masters}
|
|
};
|
|
''
|
|
}
|
|
allow-query { any; };
|
|
};
|
|
'')
|
|
cfg.zones }
|
|
'';
|
|
|
|
in
|
|
|
|
{
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
|
|
services.bind = {
|
|
|
|
enable = mkOption {
|
|
default = false;
|
|
description = "
|
|
Whether to enable BIND domain name server.
|
|
";
|
|
};
|
|
|
|
cacheNetworks = mkOption {
|
|
default = ["127.0.0.0/24"];
|
|
description = "
|
|
What networks are allowed to use us as a resolver.
|
|
";
|
|
};
|
|
|
|
blockedNetworks = mkOption {
|
|
default = [];
|
|
description = "
|
|
What networks are just blocked.
|
|
";
|
|
};
|
|
|
|
ipv4Only = mkOption {
|
|
default = false;
|
|
description = "
|
|
Only use ipv4, even if the host supports ipv6.
|
|
";
|
|
};
|
|
|
|
forwarders = mkOption {
|
|
default = config.networking.nameservers;
|
|
description = "
|
|
List of servers we should forward requests to.
|
|
";
|
|
};
|
|
|
|
listenOn = mkOption {
|
|
default = ["any"];
|
|
type = types.listOf types.str;
|
|
description = "
|
|
Interfaces to listen on.
|
|
";
|
|
};
|
|
|
|
listenOnIpv6 = mkOption {
|
|
default = ["any"];
|
|
type = types.listOf types.str;
|
|
description = "
|
|
Ipv6 interfaces to listen on.
|
|
";
|
|
};
|
|
|
|
zones = mkOption {
|
|
default = [];
|
|
description = "
|
|
List of zones we claim authority over.
|
|
master=false means slave server; slaves means addresses
|
|
who may request zone transfer.
|
|
";
|
|
example = [{
|
|
name = "example.com";
|
|
master = false;
|
|
file = "/var/dns/example.com";
|
|
masters = ["192.168.0.1"];
|
|
slaves = [];
|
|
}];
|
|
};
|
|
|
|
extraConfig = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
description = "
|
|
Extra lines to be added verbatim to the generated named configuration file.
|
|
";
|
|
};
|
|
|
|
configFile = mkOption {
|
|
type = types.path;
|
|
default = confFile;
|
|
defaultText = "confFile";
|
|
description = "
|
|
Overridable config file to use for named. By default, that
|
|
generated by nixos.
|
|
";
|
|
};
|
|
|
|
resolveLocalQueries = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = ''
|
|
Whether bind should resolve local queries (i.e. add 127.0.0.1 to
|
|
/etc/resolv.conf, overriding networking.nameserver).
|
|
'';
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
###### implementation
|
|
|
|
config = mkIf config.services.bind.enable {
|
|
|
|
users.extraUsers = singleton
|
|
{ name = bindUser;
|
|
uid = config.ids.uids.bind;
|
|
description = "BIND daemon user";
|
|
};
|
|
|
|
systemd.services.bind = {
|
|
description = "BIND Domain Name Server";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
preStart = ''
|
|
mkdir -m 0755 -p /etc/bind
|
|
if ! [ -f "/etc/bind/rndc.key" ]; then
|
|
${pkgs.bind.out}/sbin/rndc-confgen -r /dev/urandom -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null
|
|
fi
|
|
|
|
${pkgs.coreutils}/bin/mkdir -p /var/run/named
|
|
chown ${bindUser} /var/run/named
|
|
'';
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
|
|
ExecReload = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' reload";
|
|
ExecStop = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop";
|
|
};
|
|
|
|
unitConfig.Documentation = "man:named(8)";
|
|
};
|
|
};
|
|
}
|