nixos/modules/services/networking/stubby.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4
   5 let
   6   cfg = config.services.stubby;
   7   settingsFormat = pkgs.formats.yaml { };
   8   confFile = settingsFormat.generate "stubby.yml" cfg.settings;
   9 in {
  10   imports = map (x:
  11     (mkRemovedOptionModule [ "services" "stubby" x ]
  12       "Stubby configuration moved to services.stubby.settings.")) [
  13         "authenticationMode"
  14         "fallbackProtocols"
  15         "idleTimeout"
  16         "listenAddresses"
  17         "queryPaddingBlocksize"
  18         "roundRobinUpstreams"
  19         "subnetPrivate"
  20         "upstreamServers"
  21       ];
  22
  23   options = {
  24     services.stubby = {
  25
  26       enable = mkEnableOption (lib.mdDoc "Stubby DNS resolver");
  27
  28       settings = mkOption {
  29         type = types.attrsOf settingsFormat.type;
  30         example = lib.literalExpression ''
  31           pkgs.stubby.passthru.settingsExample // {
  32             upstream_recursive_servers = [{
  33               address_data = "158.64.1.29";
  34               tls_auth_name = "kaitain.restena.lu";
  35               tls_pubkey_pinset = [{
  36                 digest = "sha256";
  37                 value = "7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=";
  38               }];
  39             }];
  40           };
  41         '';
  42         description = lib.mdDoc ''
  43           Content of the Stubby configuration file. All Stubby settings may be set or queried
  44           here. The default settings are available at
  45           `pkgs.stubby.passthru.settingsExample`. See
  46           <https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby>.
  47           A list of the public recursive servers can be found here:
  48           <https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers>.
  49         '';
  50       };
  51
  52       debugLogging = mkOption {
  53         default = false;
  54         type = types.bool;
  55         description = lib.mdDoc "Enable or disable debug level logging.";
  56       };
  57
  58     };
  59   };
  60
  61   config = mkIf cfg.enable {
  62     assertions = [{
  63       assertion =
  64         (cfg.settings.resolution_type or "") == "GETDNS_RESOLUTION_STUB";
  65       message = ''
  66         services.stubby.settings.resolution_type must be set to "GETDNS_RESOLUTION_STUB".
  67         Is services.stubby.settings unset?
  68       '';
  69     }];
  70
  71     services.stubby.settings.appdata_dir = "/var/cache/stubby";
  72
  73     systemd.services.stubby = {
  74       description = "Stubby local DNS resolver";
  75       after = [ "network.target" ];
  76       before = [ "nss-lookup.target" ];
  77       wantedBy = [ "multi-user.target" ];
  78
  79       serviceConfig = {
  80         Type = "notify";
  81         AmbientCapabilities = "CAP_NET_BIND_SERVICE";
  82         CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
  83         ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}";
  84         DynamicUser = true;
  85         CacheDirectory = "stubby";
  86       };
  87     };
  88   };
  89 }