Merge #78628: knot-resolver: 4.3.0 -> 5.0.1
The service needed lots of changes. A few smaller changes are included in the PR as well, e.g. a replacement for PR #72014. See the commit messages for details.
commit
baeed035ea
@ -299,7 +299,7 @@ in
|
|||||||
couchpotato = 267;
|
couchpotato = 267;
|
||||||
gogs = 268;
|
gogs = 268;
|
||||||
pdns-recursor = 269;
|
pdns-recursor = 269;
|
||||||
kresd = 270;
|
#kresd = 270; # switched to "knot-resolver" with dynamic ID
|
||||||
rpc = 271;
|
rpc = 271;
|
||||||
geoip = 272;
|
geoip = 272;
|
||||||
fcron = 273;
|
fcron = 273;
|
||||||
@ -600,7 +600,7 @@ in
|
|||||||
headphones = 266;
|
headphones = 266;
|
||||||
couchpotato = 267;
|
couchpotato = 267;
|
||||||
gogs = 268;
|
gogs = 268;
|
||||||
kresd = 270;
|
#kresd = 270; # switched to "knot-resolver" with dynamic ID
|
||||||
#rpc = 271; # unused
|
#rpc = 271; # unused
|
||||||
#geoip = 272; # unused
|
#geoip = 272; # unused
|
||||||
fcron = 273;
|
fcron = 273;
|
||||||
|
@ -3,12 +3,34 @@
|
|||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
cfg = config.services.kresd;
|
cfg = config.services.kresd;
|
||||||
configFile = pkgs.writeText "kresd.conf" ''
|
|
||||||
${optionalString (cfg.listenDoH != []) "modules.load('http')"}
|
# Convert systemd-style address specification to kresd config line(s).
|
||||||
${cfg.extraConfig};
|
# On Nix level we don't attempt to precisely validate the address specifications.
|
||||||
'';
|
mkListen = kind: addr: let
|
||||||
|
al_v4 = builtins.match "([0-9.]\+):([0-9]\+)" addr;
|
||||||
|
al_v6 = builtins.match "\\[(.\+)]:([0-9]\+)" addr;
|
||||||
|
al_portOnly = builtins.match "()([0-9]\+)" addr;
|
||||||
|
al = findFirst (a: a != null)
|
||||||
|
(throw "services.kresd.*: incorrect address specification '${addr}'")
|
||||||
|
[ al_v4 al_v6 al_portOnly ];
|
||||||
|
port = last al;
|
||||||
|
addrSpec = if al_portOnly == null then "'${head al}'" else "{'::', '127.0.0.1'}";
|
||||||
|
in # freebind is set for compatibility with earlier kresd services;
|
||||||
|
# it could be configurable, for example.
|
||||||
|
''
|
||||||
|
net.listen(${addrSpec}, ${port}, { kind = '${kind}', freebind = true })
|
||||||
|
'';
|
||||||
|
|
||||||
|
configFile = pkgs.writeText "kresd.conf" (
|
||||||
|
optionalString (cfg.listenDoH != []) ''
|
||||||
|
modules.load('http')
|
||||||
|
''
|
||||||
|
+ concatMapStrings (mkListen "dns") cfg.listenPlain
|
||||||
|
+ concatMapStrings (mkListen "tls") cfg.listenTLS
|
||||||
|
+ concatMapStrings (mkListen "doh") cfg.listenDoH
|
||||||
|
+ cfg.extraConfig
|
||||||
|
);
|
||||||
|
|
||||||
package = pkgs.knot-resolver.override {
|
package = pkgs.knot-resolver.override {
|
||||||
extraFeatures = cfg.listenDoH != [];
|
extraFeatures = cfg.listenDoH != [];
|
||||||
@ -25,6 +47,7 @@ in {
|
|||||||
value
|
value
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
(mkRemovedOptionModule [ "services" "kresd" "cacheDir" ] "Please use (bind-)mounting instead.")
|
||||||
];
|
];
|
||||||
|
|
||||||
###### interface
|
###### interface
|
||||||
@ -35,8 +58,8 @@ in {
|
|||||||
description = ''
|
description = ''
|
||||||
Whether to enable knot-resolver domain name server.
|
Whether to enable knot-resolver domain name server.
|
||||||
DNSSEC validation is turned on by default.
|
DNSSEC validation is turned on by default.
|
||||||
You can run <literal>sudo nc -U /run/kresd/control</literal>
|
You can run <literal>sudo nc -U /run/knot-resolver/control/1</literal>
|
||||||
and give commands interactively to kresd.
|
and give commands interactively to kresd@1.service.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
extraConfig = mkOption {
|
extraConfig = mkOption {
|
||||||
@ -46,16 +69,10 @@ in {
|
|||||||
Extra lines to be added verbatim to the generated configuration file.
|
Extra lines to be added verbatim to the generated configuration file.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
cacheDir = mkOption {
|
|
||||||
type = types.path;
|
|
||||||
default = "/var/cache/kresd";
|
|
||||||
description = ''
|
|
||||||
Directory for caches. They are intended to survive reboots.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
listenPlain = mkOption {
|
listenPlain = mkOption {
|
||||||
type = with types; listOf str;
|
type = with types; listOf str;
|
||||||
default = [ "[::1]:53" "127.0.0.1:53" ];
|
default = [ "[::1]:53" "127.0.0.1:53" ];
|
||||||
|
example = [ "53" ];
|
||||||
description = ''
|
description = ''
|
||||||
What addresses and ports the server should listen on.
|
What addresses and ports the server should listen on.
|
||||||
For detailed syntax see ListenStream in man systemd.socket.
|
For detailed syntax see ListenStream in man systemd.socket.
|
||||||
@ -75,91 +92,54 @@ in {
|
|||||||
default = [];
|
default = [];
|
||||||
example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ];
|
example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ];
|
||||||
description = ''
|
description = ''
|
||||||
Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 7858).
|
Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 8484).
|
||||||
For detailed syntax see ListenStream in man systemd.socket.
|
For detailed syntax see ListenStream in man systemd.socket.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
instances = mkOption {
|
||||||
|
type = types.ints.unsigned;
|
||||||
|
default = 1;
|
||||||
|
description = ''
|
||||||
|
The number of instances to start. They will be called kresd@{1,2,...}.service.
|
||||||
|
Knot Resolver uses no threads, so this is the way to scale.
|
||||||
|
You can dynamically start/stop them at will, so this is just system default.
|
||||||
|
'';
|
||||||
|
};
|
||||||
# TODO: perhaps options for more common stuff like cache size or forwarding
|
# TODO: perhaps options for more common stuff like cache size or forwarding
|
||||||
};
|
};
|
||||||
|
|
||||||
###### implementation
|
###### implementation
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
environment.etc."kresd.conf".source = configFile; # not required
|
environment.etc."knot-resolver/kresd.conf".source = configFile; # not required
|
||||||
|
|
||||||
users.users.kresd =
|
users.users.knot-resolver =
|
||||||
{ uid = config.ids.uids.kresd;
|
{ isSystemUser = true;
|
||||||
group = "kresd";
|
group = "knot-resolver";
|
||||||
description = "Knot-resolver daemon user";
|
description = "Knot-resolver daemon user";
|
||||||
};
|
};
|
||||||
users.groups.kresd.gid = config.ids.gids.kresd;
|
users.groups.knot-resolver.gid = null;
|
||||||
|
|
||||||
systemd.sockets.kresd = rec {
|
systemd.packages = [ package ]; # the units are patched inside the package a bit
|
||||||
wantedBy = [ "sockets.target" ];
|
|
||||||
before = wantedBy;
|
systemd.targets.kresd = { # configure units started by default
|
||||||
listenStreams = cfg.listenPlain;
|
wantedBy = [ "multi-user.target" ];
|
||||||
socketConfig = {
|
wants = [ "kres-cache-gc.service" ]
|
||||||
ListenDatagram = listenStreams;
|
++ map (i: "kresd@${toString i}.service") (range 1 cfg.instances);
|
||||||
FreeBind = true;
|
};
|
||||||
FileDescriptorName = "dns";
|
systemd.services."kresd@".serviceConfig = {
|
||||||
};
|
ExecStart = "${package}/bin/kresd --noninteractive "
|
||||||
|
+ "-c ${package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}";
|
||||||
|
# Ensure correct ownership in case UID or GID changes.
|
||||||
|
CacheDirectory = "knot-resolver";
|
||||||
|
CacheDirectoryMode = "0750";
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.sockets.kresd-tls = mkIf (cfg.listenTLS != []) rec {
|
environment.etc."tmpfiles.d/knot-resolver.conf".source =
|
||||||
wantedBy = [ "sockets.target" ];
|
"${package}/lib/tmpfiles.d/knot-resolver.conf";
|
||||||
before = wantedBy;
|
|
||||||
partOf = [ "kresd.socket" ];
|
|
||||||
listenStreams = cfg.listenTLS;
|
|
||||||
socketConfig = {
|
|
||||||
FileDescriptorName = "tls";
|
|
||||||
FreeBind = true;
|
|
||||||
Service = "kresd.service";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.sockets.kresd-doh = mkIf (cfg.listenDoH != []) rec {
|
# Try cleaning up the previously default location of cache file.
|
||||||
wantedBy = [ "sockets.target" ];
|
# Note that /var/cache/* should always be safe to remove.
|
||||||
before = wantedBy;
|
# TODO: remove later, probably between 20.09 and 21.03
|
||||||
partOf = [ "kresd.socket" ];
|
systemd.tmpfiles.rules = [ "R /var/cache/kresd" ];
|
||||||
listenStreams = cfg.listenDoH;
|
|
||||||
socketConfig = {
|
|
||||||
FileDescriptorName = "doh";
|
|
||||||
FreeBind = true;
|
|
||||||
Service = "kresd.service";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.sockets.kresd-control = rec {
|
|
||||||
wantedBy = [ "sockets.target" ];
|
|
||||||
before = wantedBy;
|
|
||||||
partOf = [ "kresd.socket" ];
|
|
||||||
listenStreams = [ "/run/kresd/control" ];
|
|
||||||
socketConfig = {
|
|
||||||
FileDescriptorName = "control";
|
|
||||||
Service = "kresd.service";
|
|
||||||
SocketMode = "0660"; # only root user/group may connect and control kresd
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [ "d '${cfg.cacheDir}' 0770 kresd kresd - -" ];
|
|
||||||
|
|
||||||
systemd.services.kresd = {
|
|
||||||
description = "Knot-resolver daemon";
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
User = "kresd";
|
|
||||||
Type = "notify";
|
|
||||||
WorkingDirectory = cfg.cacheDir;
|
|
||||||
Restart = "on-failure";
|
|
||||||
Sockets = [ "kresd.socket" "kresd-control.socket" ]
|
|
||||||
++ optional (cfg.listenTLS != []) "kresd-tls.socket";
|
|
||||||
};
|
|
||||||
|
|
||||||
# Trust anchor goes from dns-root-data by default.
|
|
||||||
script = ''
|
|
||||||
exec '${package}/bin/kresd' --config '${configFile}' --forks=1
|
|
||||||
'';
|
|
||||||
|
|
||||||
requires = [ "kresd.socket" ];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
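Review bot: The explicit `SocketMode = "0660"; # only root user/group may connect and control kresd` that the removed `systemd.sockets.kresd-control` unit carried has no counterpart on the new side; the control sockets under `/run/knot-resolver/control/` now come from the upstream units pulled in through `systemd.packages = [ package ]` and the package's tmpfiles.d file, whose modes this diff does not show. Since whoever can write to that socket gets an interactive Lua console inside the resolver (the option description itself suggests `sudo nc -U /run/knot-resolver/control/1`), please confirm that the upstream unit or runtime directory restricts it to root and the `knot-resolver` user, and record that next to the `systemd.packages` line, e.g. `# Control sockets are created by the upstream units; their mode is not set here. Verify they are not writable by unprivileged users — the socket gives Lua eval in the daemon.`. Separately, the `listenPlain`/`listenTLS`/`listenDoH` descriptions still point at "ListenStream in man systemd.socket", but `mkListen` only accepts `a.b.c.d:port`, `[v6]:port` and a bare `port` and throws on anything else (unix socket paths, interface-scoped `[fe80::1%eth0]:53`), so those descriptions should list exactly the three accepted forms. It is also worth documenting that a bare port expands to `{'::', '127.0.0.1'}` and whether that covers all IPv4 addresses on this kresd build, which I cannot tell from the diff.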
|
@ -1,4 +1,4 @@
|
|||||||
{ stdenv, fetchurl
|
{ stdenv, fetchurl, fetchpatch
|
||||||
# native deps.
|
# native deps.
|
||||||
, runCommand, pkgconfig, meson, ninja, makeWrapper
|
, runCommand, pkgconfig, meson, ninja, makeWrapper
|
||||||
# build+runtime deps.
|
# build+runtime deps.
|
||||||
@ -11,31 +11,38 @@ let # un-indented, over the whole file
|
|||||||
|
|
||||||
result = if extraFeatures then wrapped-full else unwrapped;
|
result = if extraFeatures then wrapped-full else unwrapped;
|
||||||
|
|
||||||
inherit (stdenv.lib) optional optionals concatStringsSep;
|
inherit (stdenv.lib) optional optionals;
|
||||||
lua = luajitPackages;
|
lua = luajitPackages;
|
||||||
|
|
||||||
# FIXME: remove these usages once resolving
|
|
||||||
# https://github.com/NixOS/nixpkgs/pull/63108#issuecomment-508670438
|
|
||||||
exportLuaPathsFor = luaPkgs: ''
|
|
||||||
export LUA_PATH='${ concatStringsSep ";" (map lua.getLuaPath luaPkgs)}'
|
|
||||||
export LUA_CPATH='${concatStringsSep ";" (map lua.getLuaCPath luaPkgs)}'
|
|
||||||
'';
|
|
||||||
|
|
||||||
unwrapped = stdenv.mkDerivation rec {
|
unwrapped = stdenv.mkDerivation rec {
|
||||||
pname = "knot-resolver";
|
pname = "knot-resolver";
|
||||||
version = "4.3.0";
|
version = "5.0.1";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
url = "https://secure.nic.cz/files/knot-resolver/${pname}-${version}.tar.xz";
|
url = "https://secure.nic.cz/files/knot-resolver/${pname}-${version}.tar.xz";
|
||||||
sha256 = "0ca0f171ae2b2d76830967a5150eb0fa496b48b2a48f41b2be65d3743aaece25";
|
sha256 = "4a93264ad0cda7ea2252d1ba057e474722f77848165f2893e0c76e21ae406415";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = [ "out" "dev" ];
|
outputs = [ "out" "dev" ];
|
||||||
|
|
||||||
|
# Path fixups for the NixOS service.
|
||||||
|
postPatch = ''
|
||||||
|
patch meson.build <<EOF
|
||||||
|
@@ -50,2 +50,2 @@
|
||||||
|
-systemd_work_dir = join_paths(prefix, get_option('localstatedir'), 'lib', 'knot-resolver')
|
||||||
|
-systemd_cache_dir = join_paths(prefix, get_option('localstatedir'), 'cache', 'knot-resolver')
|
||||||
|
+systemd_work_dir = '/var/lib/knot-resolver'
|
||||||
|
+systemd_cache_dir = '/var/cache/knot-resolver'
|
||||||
|
EOF
|
||||||
|
|
||||||
|
# ExecStart can't be overwritten in overrides.
|
||||||
|
# We need that to use wrapped executable and correct config file.
|
||||||
|
sed '/^ExecStart=/d' -i systemd/kresd@.service.in
|
||||||
|
'';
|
||||||
|
|
||||||
preConfigure = ''
|
preConfigure = ''
|
||||||
patchShebangs scripts/
|
patchShebangs scripts/
|
||||||
''
|
'';
|
||||||
+ stdenv.lib.optionalString doInstallCheck (exportLuaPathsFor [ lua.cqueues lua.basexx ]);
|
|
||||||
|
|
||||||
nativeBuildInputs = [ pkgconfig meson ninja ];
|
nativeBuildInputs = [ pkgconfig meson ninja ];
|
||||||
|
|
||||||
@ -53,16 +60,17 @@ unwrapped = stdenv.mkDerivation rec {
|
|||||||
]
|
]
|
||||||
++ optional doInstallCheck "-Dunit_tests=enabled"
|
++ optional doInstallCheck "-Dunit_tests=enabled"
|
||||||
++ optional (doInstallCheck && !stdenv.isDarwin) "-Dconfig_tests=enabled"
|
++ optional (doInstallCheck && !stdenv.isDarwin) "-Dconfig_tests=enabled"
|
||||||
|
++ optional stdenv.isLinux "-Dsystemd_files=enabled" # used by NixOS service
|
||||||
#"-Dextra_tests=enabled" # not suitable as in-distro tests; many deps, too.
|
#"-Dextra_tests=enabled" # not suitable as in-distro tests; many deps, too.
|
||||||
;
|
;
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
rm "$out"/lib/libkres.a
|
rm "$out"/lib/libkres.a
|
||||||
|
rm "$out"/lib/knot-resolver/upgrade-4-to-5.lua # not meaningful on NixOS
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# aarch64: see https://github.com/wahern/cqueues/issues/223
|
doInstallCheck = with stdenv; hostPlatform == buildPlatform;
|
||||||
doInstallCheck = with stdenv; hostPlatform == buildPlatform && !hostPlatform.isAarch64;
|
installCheckInputs = [ cmocka which cacert lua.cqueues lua.basexx ];
|
||||||
installCheckInputs = [ cmocka which cacert ];
|
|
||||||
installCheckPhase = ''
|
installCheckPhase = ''
|
||||||
meson test --print-errorlogs
|
meson test --print-errorlogs
|
||||||
'';
|
'';
|
||||||
@ -76,37 +84,31 @@ unwrapped = stdenv.mkDerivation rec {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# FIXME: revert this back after resolving
|
wrapped-full = runCommand unwrapped.name
|
||||||
# https://github.com/NixOS/nixpkgs/pull/63108#issuecomment-508670438
|
|
||||||
wrapped-full =
|
|
||||||
with stdenv.lib;
|
|
||||||
with luajitPackages;
|
|
||||||
let
|
|
||||||
luaPkgs = [
|
|
||||||
luasec luasocket # trust anchor bootstrap, prefill module
|
|
||||||
luafilesystem # prefill module
|
|
||||||
http # for http module; brings lots of deps; some are useful elsewhere
|
|
||||||
cqueues fifo lpeg lpeg_patterns luaossl compat53 basexx binaryheap
|
|
||||||
];
|
|
||||||
in runCommand unwrapped.name
|
|
||||||
{
|
{
|
||||||
nativeBuildInputs = [ makeWrapper ];
|
nativeBuildInputs = [ makeWrapper ];
|
||||||
|
buildInputs = with luajitPackages; [
|
||||||
|
# For http module, prefill module, trust anchor bootstrap.
|
||||||
|
# It brings lots of deps; some are useful elsewhere (e.g. cqueues).
|
||||||
|
http
|
||||||
|
# psl isn't in nixpkgs yet, but policy.slice_randomize_psl() seems not important.
|
||||||
|
];
|
||||||
preferLocalBuild = true;
|
preferLocalBuild = true;
|
||||||
allowSubstitutes = false;
|
allowSubstitutes = false;
|
||||||
}
|
}
|
||||||
(exportLuaPathsFor luaPkgs
|
''
|
||||||
+ ''
|
mkdir -p "$out"/bin
|
||||||
mkdir -p "$out"/{bin,share}
|
|
||||||
makeWrapper '${unwrapped}/bin/kresd' "$out"/bin/kresd \
|
makeWrapper '${unwrapped}/bin/kresd' "$out"/bin/kresd \
|
||||||
--set LUA_PATH "$LUA_PATH" \
|
--set LUA_PATH "$LUA_PATH" \
|
||||||
--set LUA_CPATH "$LUA_CPATH"
|
--set LUA_CPATH "$LUA_CPATH"
|
||||||
|
|
||||||
ln -sr '${unwrapped}/share/man' "$out"/share/
|
ln -sr '${unwrapped}/share' "$out"/
|
||||||
|
ln -sr '${unwrapped}/lib' "$out"/ # useful in NixOS service
|
||||||
ln -sr "$out"/{bin,sbin}
|
ln -sr "$out"/{bin,sbin}
|
||||||
|
|
||||||
echo "Checking that 'http' module loads, i.e. lua search paths work:"
|
echo "Checking that 'http' module loads, i.e. lua search paths work:"
|
||||||
echo "modules.load('http')" > test-http.lua
|
echo "modules.load('http')" > test-http.lua
|
||||||
echo -e 'quit()' | env -i "$out"/bin/kresd -a 127.0.0.1#53535 -c test-http.lua
|
echo -e 'quit()' | env -i "$out"/bin/kresd -a 127.0.0.1#53535 -c test-http.lua
|
||||||
'');
|
'';
|
||||||
|
|
||||||
in result
|
in result
|
||||||
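Review bot: The `sed '/^ExecStart=/d' -i systemd/kresd@.service.in` line in the new postPatch is a silent no-op if a future upstream release renames or restructures that unit template, and the installed unit would then carry both the upstream `ExecStart=` and the one set by the NixOS module, which systemd rejects for a non-oneshot service at boot rather than at build time. The heredoc patch to `meson.build` just above it already fails loudly when lines 50–51 change, so give the sed the same rigor: `grep -q '^ExecStart=' systemd/kresd@.service.in # fail the build if upstream changed the unit` on the line before it. Also, `fetchpatch` is added to the argument list at the top of the file but has no visible use in these hunks; if it is not used elsewhere in the file it should be dropped rather than left as an unused input.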
|