system/modules/darwin/stubby.nix (view raw)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 | { config, lib, pkgs, ...}:
with lib;
let
cfg = config.services.stubby;
package = pkgs.stubby;
fallbacks = concatMapStringsSep "\n " (x: "- ${x}") cfg.fallbackProtocols;
listeners = concatMapStringsSep "\n " (x: "- ${x}") cfg.listenAddresses;
# By default, the recursive resolvers maintained by the getdns
# project itself are enabled. More information about both getdns's servers,
# as well as third party options for upstream resolvers, can be found here:
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
#
# You can override these values by supplying a yaml-formatted array of your
# preferred upstream resolvers in the following format:
#
# 106 # - address_data: IPv4 or IPv6 address of the upstream
# port: Port for UDP/TCP (default is 53)
# tls_auth_name: Authentication domain name checked against the server
# certificate
# tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
# certificate
# - digest: Only "sha256" is currently supported
# value: Base64 encoded value of the sha256 fingerprint of the public
# key
# tls_port: Port for TLS (default is 853)
defaultUpstream = ''
- address_data: 145.100.185.15
tls_auth_name: "dnsovertls.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- address_data: 145.100.185.16
tls_auth_name: "dnsovertls1.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
- address_data: 185.49.141.37
tls_auth_name: "getdnsapi.net"
tls_pubkey_pinset:
- digest: "sha256"
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
- address_data: 2001:610:1:40ba:145:100:185:15
tls_auth_name: "dnsovertls.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- address_data: 2001:610:1:40ba:145:100:185:16
tls_auth_name: "dnsovertls1.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
- address_data: 2a04:b900:0:100::38
tls_auth_name: "getdnsapi.net"
tls_pubkey_pinset:
- digest: "sha256"
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
'';
# Resolution type is not changeable here because it is required per the
# stubby documentation:
#
# "resolution_type: Work in stub mode only (not recursive mode) - required for Stubby
# operation."
#
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
confFile = pkgs.writeText "stubby.yml" ''
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
${fallbacks}
tls_authentication: ${cfg.authenticationMode}
tls_query_padding_blocksize: ${toString cfg.queryPaddingBlocksize}
edns_client_subnet_private: ${if cfg.subnetPrivate then "1" else "0"}
idle_timeout: ${toString cfg.idleTimeout}
listen_addresses:
${listeners}
round_robin_upstreams: ${if cfg.roundRobinUpstreams then "1" else "0"}
${cfg.extraConfig}
upstream_recursive_servers:
${cfg.upstreamServers}
'';
in
{
options = {
services.stubby = {
enable = mkEnableOption "Stubby DNS resolver";
fallbackProtocols = mkOption {
default = [ "GETDNS_TRANSPORT_TLS" ];
type = with types; listOf (enum [
"GETDNS_TRANSPORT_TLS"
"GETDNS_TRANSPORT_TCP"
"GETDNS_TRANSPORT_UDP"
]);
description = ''
Ordered list composed of one or more transport protocols.
Strict mode should only use <literal>GETDNS_TRANSPORT_TLS</literal>.
Other options are <literal>GETDNS_TRANSPORT_UDP</literal> and
<literal>GETDNS_TRANSPORT_TCP</literal>.
'';
};
authenticationMode = mkOption {
default = "GETDNS_AUTHENTICATION_REQUIRED";
type = types.enum [
"GETDNS_AUTHENTICATION_REQUIRED"
"GETDNS_AUTHENTICATION_NONE"
];
description = ''
Selects the Strict or Opportunistic usage profile.
For strict, set to <literal>GETDNS_AUTHENTICATION_REQUIRED</literal>.
for opportunistic, use <literal>GETDNS_AUTHENTICATION_NONE</literal>.
'';
};
queryPaddingBlocksize = mkOption {
default = 128;
type = types.int;
description = ''
EDNS0 option to pad the size of the DNS query to the given blocksize.
'';
};
subnetPrivate = mkOption {
default = true;
type = types.bool;
description = ''
EDNS0 option for ECS client privacy. Default is
<literal>true</literal>. If set, this option prevents the client
subnet from being sent to authoritative nameservers.
'';
};
idleTimeout = mkOption {
default = 10000;
type = types.int;
description = "EDNS0 option for keepalive idle timeout expressed in
milliseconds.";
};
listenAddresses = mkOption {
default = [ "127.0.0.1" "0::1" ];
type = with types; listOf str;
description = ''
Sets the listen address for the stubby daemon.
Uses port 53 by default.
Ise IP@port to specify a different port.
'';
};
roundRobinUpstreams = mkOption {
default = true;
type = types.bool;
description = ''
Instructs stubby to distribute queries across all available name
servers. Default is <literal>true</literal>. Set to
<literal>false</literal> in order to use the first available.
'';
};
upstreamServers = mkOption {
default = defaultUpstream;
type = types.lines;
description = ''
Replace default upstreams. See <citerefentry><refentrytitle>stubby
</refentrytitle><manvolnum>1</manvolnum></citerefentry> for an
example of the entry formatting. In Strict mode, at least one of the
following settings must be supplied for each nameserver:
<literal>tls_auth_name</literal> or
<literal>tls_pubkey_pinset</literal>.
'';
};
debugLogging = mkOption {
default = false;
type = types.bool;
description = "Enable or disable debug level logging.";
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
Add additional configuration options. see <citerefentry>
<refentrytitle>stubby</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>for more options.
'';
};
};
};
config = mkIf cfg.enable {
launchd.daemons.stubby = {
command = "${package}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}";
serviceConfig = {
ProcessType = "Interactive";
RunAtLoad = true;
KeepAlive = true;
StandardErrorPath = "/var/log/stubby.log";
# Sockets = {
# Listeners = {
# SockServiceName = "dns";
# SockFamily = "IPv4";
# };
# };
};
};
environment.systemPackages = [ package ];
};
}
|