forked from mirrors/nixpkgs
nixpkgs/nixos/modules/services/networking
Andreas Rammhold 5e602f88d1
nixos/modules/services/networking/unbound: update systemd unit
Previously we just applied a very minimal set of restrictions and
trusted unbound to properly drop root privs and capabilities.

With this change I am (for the most part) just using the upstream
example unit file for unbound. The main difference is that we start
unbound as the `unbound` user with the required capabilities instead of
letting unbound do the chroot & uid/gid changes.

The upstream unit configuration this is based on is a lot stricter with
all kinds of permissions than our previous variant. It also came with
the default of having the `Type` set to `notify`, therefore we are also
using the `unbound-with-systemd` package here. Unbound will start up,
read the configuration files and start listening on the configured ports
before systemd will declare the unit "running". This will likely help
with startup order and the occasional race condition during system
activation where the DNS service is started but not yet ready to answer
queries.

In addition to the much stricter runtime environment, I removed the
`/dev/urandom` mount lines we previously had in the code (that would
randomly fail during the `stop` phase).

The `preStart` script is now only required if we enabled the trust
anchor updates (which are still enabled by default).

Another benefit of the refactoring is that we can now issue reloads via
either `pkill -HUP unbound` or `systemctl reload unbound` to reload the
running configuration without taking the daemon offline. A prerequisite
of this was that unbound configuration is available on a well known path
on the file system. I went for /etc/unbound/unbound.conf as that is the
default in the CLI tooling which in turn enables us to use
`unbound-control` without passing a custom configuration location.
2020-11-03 19:21:24 +01:00
firefox nixos/syncserver: mild cleanup 2019-01-30 15:59:01 +01:00
hylafax treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
ircd-hybrid treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
keepalived nixos/keepalived: Implemented vrrp-instance tracking scripts and interfaces. 2018-05-08 11:25:53 +02:00
nghttpx nixos/modules: remove trailing whitespace 2020-08-07 14:45:39 +01:00
ntp chrony: Create state directory with correct owner. 2020-09-09 15:48:48 -04:00
ssh nixos/sshd: update kexAlgorithms, fix links 2020-10-21 07:39:50 +09:00
strongswan-swanctl Merge staging-next into staging 2019-08-31 10:04:20 +02:00
znc treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
3proxy.nix small treewide: his -> theirs/its 2020-06-23 16:49:50 +02:00
amuled.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
aria2.nix nixos: remove dependencies on local-fs.target 2019-09-01 19:06:38 +02:00
asterisk.nix nixos/asterisk: /var/run -> /run 2019-03-24 21:13:19 +01:00
atftpd.nix
autossh.nix nixos/modules: Remove all usages of types.string 2019-08-31 18:19:00 +02:00
avahi-daemon.nix nixos/avahi: Enable IPv6 by default 2020-10-26 04:06:26 +01:00
babeld.nix nixos/babeld: lock down service 2020-10-21 12:26:02 +02:00
biboumi.nix nixos/biboumi: init 2020-09-02 08:31:53 +02:00
bind.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
bird.nix nixos/bird: Fix reload 2019-05-31 01:21:18 +02:00
bitcoind.nix maintainers: 1000101 -> _1000101 2020-08-18 07:59:48 +10:00
bitlbee.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
blockbook-frontend.nix blockbook-frontend: fix&update extraConfig example 2020-10-29 11:41:41 +01:00
charybdis.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
cjdns.nix nixos/modules: fix systemd start rate-limits 2020-10-31 01:35:56 -07:00
cntlm.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
connman.nix nixos/connman: add TODOs regarding connman + network-manager 2020-03-28 12:28:29 +03:00
consul.nix nixos/*: use $out instead of $bin with buildGoPackage 2020-04-28 20:30:29 +10:00
coredns.nix nixos/coredns: init (#54931) 2019-03-01 11:10:44 +02:00
corerad.nix nixos/corerad: use SIGHUP to restart the service 2020-08-09 16:15:49 -07:00
coturn.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
dante.nix dante service: default for logoutput 2018-04-26 13:57:11 +03:00
ddclient.nix nixos/treewide: Move rename.nix imports to their respective modules 2019-12-10 02:51:19 +01:00
dhcpcd.nix nixos/dhcpcd: always run systemctl of the currently running systemd 2020-05-21 10:30:21 +02:00
dhcpd.nix nixos/dhcpd: make authoritative mode optional 2020-07-25 16:33:04 +02:00
dnscache.nix nixos/treewide: Fix incorrectly rendered examples 2020-04-02 07:49:25 +02:00
dnscrypt-proxy2.nix Merge pull request #99039 from worldofpeace/dnscrypt-proxy2-harden 2020-10-02 11:48:58 -04:00
dnscrypt-wrapper.nix nixos/dnscrypt-wrapper: fix key rotation script 2020-10-26 13:07:49 +01:00
dnsdist.nix nixos/modules: fix systemd start rate-limits 2020-10-31 01:35:56 -07:00
dnsmasq.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
ejabberd.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
epmd.nix epmd: Introduce erlang port mapper daemon service 2018-07-19 17:32:29 +02:00
ergo.nix nixos/ergo: init 2020-05-26 21:47:31 +02:00
eternal-terminal.nix nixos/eternal-terminal: add firewall information 2019-11-18 16:12:12 +01:00
fakeroute.nix nixos: add myself to maintainers 2019-12-04 17:09:53 +01:00
ferm.nix
fireqos.nix nixos/fireqos: add service 2017-09-09 00:29:46 +02:00
firewall.nix nixos/firewall: fix types in reverse path assertion 2020-03-18 10:54:55 +09:00
flannel.nix nixos/*: use $out instead of $bin with buildGoPackage 2020-04-28 20:30:29 +10:00
flashpolicyd.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
freenet.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
freeradius.nix nixos/freeradius: depend on network.target, not online 2020-03-10 15:54:29 +01:00
gale.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
gateone.nix nixos/modules: remove trailing whitespace 2020-08-07 14:45:39 +01:00
gdomap.nix [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
git-daemon.nix nixos/git-daemon: only create git user if it will be used 2020-02-26 15:04:36 +01:00
gnunet.nix nixos/gnunet: Add types to the options 2020-01-05 00:07:50 +01:00
go-neb.nix nixos/go-neb: init 2020-06-02 15:25:05 +02:00
go-shadowsocks2.nix nixos/go-shadowsocks2: init 2019-10-06 11:18:20 +02:00
gogoclient.nix treewide: add types to boolean / enable options or make use of mkEnableOption 2020-04-27 09:32:01 +02:00
gvpe.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
hans.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
haproxy.nix nixos/haproxy: add reloading support, use upstream service hardening 2020-05-31 22:35:27 +02:00
helpers.nix nixos: fix ip46tables invocation in nat 2019-12-14 20:13:12 -08:00
hostapd.nix Merge pull request #86712 from rardiol/hostapd 2020-05-05 19:51:09 +02:00
htpdate.nix nixos/htpdate: /var/run -> /run 2019-03-24 21:15:26 +01:00
i2p.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
i2pd.nix nixos/i2pd: address #63103 2020-02-19 13:15:28 +01:00
iodine.nix nixos/iodine: protect passwordFiles with toString 2020-02-13 21:30:14 +01:00
iperf3.nix nixos/iperf: add openFirewall setting 2019-07-04 16:58:56 +02:00
iwd.nix iwd: drop tmpfiles snippet, services use StateDirectory already 2020-02-12 19:29:28 -06:00
jicofo.nix treewide: add Jitsi maintainers 2020-08-04 13:07:36 -07:00
jitsi-videobridge.nix treewide: add Jitsi maintainers 2020-08-04 13:07:36 -07:00
keybase.nix nixos/keybase, nixos/kbfs: update service configs; add redirector 2019-12-23 22:55:06 -08:00
kippo.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
knot.nix knot: add keyFiles option 2020-02-12 16:36:42 +00:00
kresd.nix nixos/kresd: ensure /run/knot-resolver exists 2020-08-16 12:20:10 -04:00
lambdabot.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
libreswan.nix nixos/libreswan: add missing runtime dependencies 2017-10-22 15:36:26 +02:00
lldpd.nix nixos/lldpd: /var/run -> /run 2019-03-24 21:15:27 +01:00
logmein-hamachi.nix nixos: remove dependencies on local-fs.target 2019-09-01 19:06:38 +02:00
magic-wormhole-mailbox-server.nix nixos/magic-wormhole-mailbox-server: moving from mail to networking 2020-03-31 16:29:39 +02:00
mailpile.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
matterbridge.nix nixos/matterbridge: fix package access 2020-01-21 13:17:18 +01:00
minidlna.nix minidlna: provide configuration option for announce interval 2020-01-19 14:06:27 +01:00
miniupnpd.nix nixos/miniupnpd: /var/run -> /run 2019-03-24 21:15:28 +01:00
miredo.nix cleanup redundant text in modules utilizing mkEnableOption 2019-04-20 14:44:02 +02:00
mjpg-streamer.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
monero.nix Merge pull request #86236 from ThibautMarty/fix-nullOr-types 2020-08-26 18:21:29 +02:00
morty.nix treewide: Switch to system users 2019-10-12 22:25:28 +02:00
mosquitto.nix nixos/mosquitto: add passwordFile and hashedPasswordFile options 2020-10-25 10:53:38 +01:00
mstpd.nix nixos/modules: remove trailing whitespace 2020-08-07 14:45:39 +01:00
mtprotoproxy.nix treewide: remove redundant quotes 2019-08-26 21:40:19 +00:00
mullvad-vpn.nix nixos/modules: fix systemd start rate-limits 2020-10-31 01:35:56 -07:00
murmur.nix nixos/murmur: add murmur group, don't run as nogroup 2020-10-29 10:32:04 +01:00
mxisd.nix nixos/mxisd: fix empty user name 2020-01-08 23:18:26 +01:00
namecoind.nix nixos/modules: fix systemd start rate-limits 2020-10-31 01:35:56 -07:00
nat.nix nixos/nat: fix multiple destination ports with loopback 2020-03-04 18:11:31 +09:00
ncdns.nix nixos/ncdns: init module 2020-06-14 01:09:33 +02:00
ndppd.nix nixos/treewide: Fix incorrectly rendered examples 2020-04-02 07:49:25 +02:00
networkmanager.nix networkmanager-sstp: init at unstable-2020-04-20 2020-10-21 00:02:18 +02:00
nextdns.nix nixos/modules: fix systemd start rate-limits 2020-10-31 01:35:56 -07:00
nftables.nix nftables: Warn about correct firewall setting 2020-10-02 00:25:57 +02:00
ngircd.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
nix-serve.nix nixos/modules: Remove all usages of types.string 2019-08-31 18:19:00 +02:00
nix-store-gcs-proxy.nix nixos/modules: fix systemd start rate-limits 2020-10-31 01:35:56 -07:00
nixops-dns.nix nixos/nixops-dns: init (#34511) 2018-02-20 10:14:55 +00:00
nntp-proxy.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
nsd.nix nixos/modules: fix systemd start rate-limits 2020-10-31 01:35:56 -07:00
ntopng.nix
nullidentdmod.nix cleanup redundant text in modules utilizing mkEnableOption 2019-04-20 14:44:02 +02:00
nylon.nix treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
ocserv.nix nixos/ocserv: /var/run -> /run 2019-03-24 21:15:28 +01:00
ofono.nix nixos/ofono: allow adding 3rd party plug-ins 2019-08-23 19:50:53 +02:00
oidentd.nix oidentd: 2.2.2 -> 2.3.1 2018-11-07 14:51:45 +02:00
onedrive.nix nixos/onedrive: Remove verbose flag 2020-09-19 11:32:42 +05:30
onedrive.xml nixos/onedrive: init 2020-06-29 19:56:41 +05:30
openfire.nix treewide: add types to boolean / enable options or make use of mkEnableOption 2020-04-27 09:32:01 +02:00
openvpn.nix nixos/openvpn: path now requires conversion to a string 2020-09-08 11:09:04 +01:00
ostinato.nix nixos/modules: Remove all usages of types.string 2019-08-31 18:19:00 +02:00
owamp.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
pdns-recursor.nix nixos/pdns-recursor: declare module user as system user 2020-10-18 08:15:29 -04:00
pdnsd.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
pixiecore.nix nixos/pixiecore: fix escaping of cmdline 2020-05-12 15:14:49 +02:00
polipo.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
powerdns.nix nixos/powerdns: use upstream systemd unit 2020-10-24 16:40:20 -04:00
pppd.nix nixos/pppd: fix build error 2020-02-14 12:51:50 +08:00
pptpd.nix nixos/modules: Remove all usages of types.string 2019-08-31 18:19:00 +02:00
prayer.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
privoxy.nix nixos: add myself to maintainers 2019-12-04 17:09:53 +01:00
prosody.nix treewide: De-inline uses of lib.boolToString 2020-10-14 01:46:17 +02:00
prosody.xml Merge pull request #91121 from m1cr0man/master 2020-09-06 18:26:22 +02:00
quagga.nix quagga module: Use a deep merge via imports instead of the shallow merge 2018-07-05 22:11:29 -04:00
quassel.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
quicktun.nix treewide: remove redundant quotes 2019-08-26 21:40:19 +00:00
quorum.nix nixos/quorum: init 2020-03-27 19:31:01 +01:00
racoon.nix nixos/raccoon: /var/run -> /run 2019-03-24 21:15:28 +01:00
radicale.nix nixos/radicale: use radicale3 2020-06-23 12:02:27 +02:00
radvd.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
rdnssd.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
redsocks.nix redsocks module: add self as maintainer 2018-10-31 01:06:14 +09:00
resilio.nix nixos/resilio: fix directoryRoot configuration 2020-07-20 11:24:33 +02:00
robustirc-bridge.nix nixos/modules/robustirc-bridge: init 2020-08-30 18:34:22 +02:00
rpcbind.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
rxe.nix nixos/rxe: fix option description 2020-04-05 15:30:08 +02:00
sabnzbd.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
searx.nix nixos: add myself to maintainers 2019-12-04 17:09:53 +01:00
shadowsocks.nix nixos/shadowsocks: add test without plugin 2020-09-14 22:35:05 +02:00
shairport-sync.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
shorewall.nix shorewall: fix RestartTriggers 2020-03-05 00:01:44 +01:00
shorewall6.nix shorewall: fix RestartTriggers 2020-03-05 00:01:44 +01:00
shout.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
skydns.nix treewide: fix typo on word environment 2020-07-28 08:00:38 +02:00
smartdns.nix nixos/smartdns: init first generation config 2020-03-15 08:53:20 +08:00
smokeping.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
sniproxy.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
softether.nix Merge branch 'master' into staging 2019-09-02 23:25:24 +02:00
spacecookie.nix nixos/spacecookie: add service module and test 2019-12-17 14:17:03 +01:00
spiped.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
squid.nix nixos/squid: replace deprecated usage of PermissionsStartOnly 2019-05-26 07:20:55 -04:00
sslh.nix nixos/sslh: fix usage of the now removed ssl probe (#101087) 2020-10-21 21:34:35 +02:00
strongswan.nix nixos/treewide: Fix incorrectly rendered examples 2020-04-02 07:49:25 +02:00
stubby.nix nixos/stubby: set Type=notify on the systemd service 2020-03-16 10:10:45 +05:30
stunnel.nix nixos/stunnel: Add maintainers 2019-10-25 16:19:57 +02:00
supplicant.nix nixos/modules: remove trailing whitespace 2020-08-07 14:45:39 +01:00
supybot.nix nixos/modules: fix systemd start rate-limits 2020-10-31 01:35:56 -07:00
syncplay.nix syncplay module: init 2019-09-03 00:30:12 +02:00
syncthing-relay.nix syncthing-relay module: init 2018-11-19 01:09:54 +01:00
syncthing.nix nixos/syncthing: add ignoreDelete folder option 2020-08-30 10:55:03 +03:00
tailscale.nix nixos/modules: fix systemd start rate-limits 2020-10-31 01:35:56 -07:00
tcpcrypt.nix treewide: add types to boolean / enable options or make use of mkEnableOption 2020-04-27 09:32:01 +02:00
teamspeak3.nix nixos/teamspeak3: replace deprecated usage of PermissionsStartOnly 2019-05-26 07:20:54 -04:00
tedicross.nix nixos/tedicross: add module 2019-04-23 22:52:23 +02:00
tftpd.nix
thelounge.nix thelounge: write out default path for thelounge 2020-05-01 14:46:46 +01:00
tinc.nix nixos/tinc: allow configuration of RSA key file 2020-07-20 21:39:22 +02:00
tinydns.nix nixos/tinydns: order service after network.target 2019-11-08 17:26:34 +01:00
tox-bootstrapd.nix treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
tox-node.nix nixos/tox-node: Add descriptions to module options. 2019-04-15 17:11:10 +01:00
toxvpn.nix nixos/toxvpn: Fix typo in option description 2019-09-09 19:31:48 +02:00
trickster.nix maintainers: 1000101 -> _1000101 2020-08-18 07:59:48 +10:00
tvheadend.nix [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
unbound.nix nixos/modules/services/networking/unbound: update systemd unit 2020-11-03 19:21:24 +01:00
unifi.nix nixos/unifi: restart service on package update 2020-07-03 22:34:29 +02:00
v2ray.nix nixos/v2ray: check v2ray config during the build time 2020-03-25 01:51:56 +08:00
vsftpd.nix vsftpd: listen on both address families 2020-05-25 20:14:20 +02:00
wakeonlan.nix
wasabibackend.nix nixos/wasabibackend: fixing description 2020-06-19 20:07:55 +02:00
websockify.nix nixos/modules: remove trailing whitespace 2020-08-07 14:45:39 +01:00
wg-quick.nix nixos/wireguard: Fix mismatched XML tag 2020-07-20 00:14:44 +02:00
wicd.nix treewide: add types to boolean / enable options or make use of mkEnableOption 2020-04-27 09:32:01 +02:00
wireguard.nix nixos/wireguard: fix typos and unify formatting 2020-07-19 14:57:39 +02:00
wpa_supplicant.nix nixos: wpa_supplicant: warn on unused config 2020-08-25 12:29:58 +02:00
xandikos.nix maintainers: 0x4A6F -> _0x4A6F 2020-08-18 07:59:44 +10:00
xinetd.nix treewide: add bool type to enable options, or make use of mkEnableOption 2020-04-21 08:55:36 +02:00
xl2tpd.nix nixos/modules: Remove all usages of types.string 2019-08-31 18:19:00 +02:00
xrdp.nix nixos/xrdp: /var/run -> /run 2019-03-24 21:15:29 +01:00
yggdrasil.nix nixos/yggdrasil: add manual section 2020-07-25 16:34:20 +02:00
yggdrasil.xml fixup! nixos/yggdrasil: add manual section 2020-07-25 16:34:20 +02:00
zerobin.nix treewide: remove redundant quotes 2019-08-26 21:40:19 +00:00
zeronet.nix nixos/zeronet: improved config, dynamic user 2019-10-03 17:03:32 -05:00
zerotierone.nix nixos/zerotierone: switch from manually generating the .link file to use the module 2020-03-19 14:16:26 +01:00