Skip to content

nixos/unbound: add enableRemoteAccess option#79559

Closed
kraem wants to merge 1 commit intoNixOS:masterfrom
kraem:nixos/unbound
Closed

nixos/unbound: add enableRemoteAccess option#79559
kraem wants to merge 1 commit intoNixOS:masterfrom
kraem:nixos/unbound

Conversation

@kraem
Copy link
Member

@kraem kraem commented Feb 8, 2020
edited
Loading

Motivation for this change

unbound-control which is installed with package unbound when activating the module wasn't able to access the server because it was looking for the config file in /etc so I thought I'd make options to enable this more easily.

Things done
  • Implemented an option enableRemoteAccess, an option that sets remote-control setting to true in unbound.conf
  • The option also generates key + certificate and listens to 127.0.0.1 and ::1 by default. The interface + port can be altered with the other options remoteAccessInterfaces and remoteAccessPort for remote access.
  • Wrapped unbound-control and unbound-checkconf so it points to the config file in stateDir instead of the packages default configuration dir in /etc
    • I don't know if that's what these lines are supposed to do. Somehow unbound-anchor say the default dir for root key fil is under /nix/store
Thoughts

I added the wrapping to systemPackages because I added unbound-checkconf to the wrapping.
I could change this to

    environment.systemPackages = [ cfg.package ] 
      ++ optionals cfg.enableRemoteAccess [ (hiPrio unboundWrapped) ];

if that's better.

I am happy for pointers and tips of course :)

Checkboxes
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@kraem kraem requested a review from volth February 8, 2020 19:49
@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Feb 8, 2020
pasqui23
pasqui23 reviewed Feb 13, 2020
View reviewed changes
@kraem kraem closed this Mar 21, 2020
@kraem kraem deleted the nixos/unbound branch March 21, 2020 20:46
@kraem kraem restored the nixos/unbound branch April 28, 2020 16:20
@kraem kraem reopened this Apr 28, 2020
lovesegfault
lovesegfault reviewed Apr 28, 2020
View reviewed changes
nixos/modules/services/networking/unbound.nix Outdated
Comment on lines +51 to +57
Copy link
Member

@lovesegfault lovesegfault Apr 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice, I was supremely annoyed with the previous behavior.

nixos/modules/services/networking/unbound.nix Outdated
Comment on lines +21 to +24
Copy link
Member

@lovesegfault lovesegfault Apr 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these going to be correctly auto-gen'd when the cfg is enabled?

Copy link
Member Author

@kraem kraem Apr 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They should be with this 👍 https://github.com/NixOS/nixpkgs/compare/master...kraem:nixos/unbound?expand=1#diff-af0e676aa026493eac8384bd688abbdfR191

Copy link
Member Author

@kraem kraem Apr 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just verified this since it was a long time since I wrote this and it works for me 👍

@ofborg ofborg bot added the 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. label Apr 28, 2020
@kraem
nixos/unbound: add enableRemoteAccess option
30b1271 
Option that sets remote-control setting to true in unbound.conf which
in turn enables the new wrapping of unbound-control to access the server locally.
Also includes options 'remoteAccessInterfaces' and 'remoteAccessPort'
for remote access.
@kraem kraem requested a review from lovesegfault April 29, 2020 14:22
kraem
kraem commented Apr 29, 2020
View reviewed changes
nixos/modules/services/networking/unbound.nix
};

remoteAccessInterfaces = mkOption {
default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1";
Copy link
Member Author

@kraem kraem Apr 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added check for enableIPv6

@kraem kraem requested review from a user and globin April 29, 2020 15:51
@rissson
Copy link
Member

rissson commented Jun 5, 2020

I'd rather we went with a design as described in RFC 42 for this module. I guess we can keep the existing options and build on top of that. I'll try something and mention it here.

rissson
rissson reviewed Jun 5, 2020
View reviewed changes
nixos/modules/services/networking/unbound.nix
''}
touch ${stateDir}/dev/random
${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random
${optionalString cfg.enableRemoteAccess "${pkgs.unbound}/bin/unbound-control-setup -d ${stateDir}"}
Copy link
Member

@rissson rissson Jun 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be cfg.package?

Copy link
Member Author

@kraem kraem Jun 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly don't know. Saw your new PR, gj 👍. Keeping this one open til your is merged.

@rissson rissson mentioned this pull request Jun 5, 2020
Merged
10 tasks
@stale
Copy link

stale bot commented Dec 9, 2020

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 9, 2020
@SuperSandro2000 SuperSandro2000 added the 2.status: merge conflict This PR has merge conflicts with the target branch label Jan 18, 2021
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 18, 2021
@kraem
Copy link
Member Author

kraem commented May 4, 2021

Closing as #89572 is merged 🎉

@kraem kraem closed this May 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lovesegfault lovesegfault Awaiting requested review from lovesegfault

@globin globin Awaiting requested review from globin

3 more reviewers

@pasqui23 pasqui23 pasqui23 left review comments

@rissson rissson rissson left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

2.status: merge conflict This PR has merge conflicts with the target branch 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kraem @rissson @pasqui23 @lovesegfault @SuperSandro2000