GNU logs - #68757, boring messages


Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#68757] [PATCH] services: dns: Add unbound service
Resent-From: soeren@HIDDEN
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sat, 27 Jan 2024 12:13:01 +0000
Resent-Message-ID: <handler.68757.B.170635752611188 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 68757
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 68757 <at> debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@HIDDEN
From: soeren@HIDDEN
Date: Sat, 27 Jan 2024 13:10:41 +0100
Message-ID: <20240127121040.7156-2-soeren@HIDDEN>
X-Mailer: git-send-email 2.43.0

From: Sören Tempel <soeren@HIDDEN>

This allows using Unbound as a local DNSSEC-enabled resolver. This
commit also allows configuration of the Unbound DNS resolver via a
Scheme API. Conceptually, the Unbound configuration consists of several
"sections" that contain key-value pairs (see unbound.conf(5)). The
configuration sections are modeled in Scheme using record-type fields,
where each field expects a list of pairs.

A sample configuration, which uses a DoT forwarder, looks as follows:

	(service unbound-service-type
	  (unbound-configuration
	    (forward-zone
	      '((name . ".")
	        (forward-addr . "149.112.112.112#dns.quad9.net")
	        (forward-addr . "2620:fe::9#dns.quad9.net")
	        (forward-tls-upstream . yes)))))

* gnu/service/dns.scm (serialize-list): New procedure.
* gnu/service/dns.scm (unbound-configuration): New record.
* gnu/service/dns.scm (unbound-config-file): New procedure.
* gnu/service/dns.scm (unbound-shepherd-service): New procedure.
* gnu/service/dns.scm (unbound-account-service): New constant.
* gnu/service/dns.scm (unbound-service-type): New services.

Signed-off-by: Sören Tempel <soeren@HIDDEN>
---
 gnu/services/dns.scm | 115 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 114 insertions(+), 1 deletion(-)

diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm
index 6608046909..224a4d4c32 100644
--- a/gnu/services/dns.scm
+++ b/gnu/services/dns.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2020 Pierre Langlois <pierre.langlois@HIDDEN>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@HIDDEN>
 ;;; Copyright © 2022 Remco van 't Veer <remco@HIDDEN>
+;;; Copyright © 2024 Sören Tempel <soeren@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -52,7 +53,19 @@ (define-module (gnu services dns)
             knot-resolver-configuration
 
             dnsmasq-service-type
-            dnsmasq-configuration))
+            dnsmasq-configuration
+
+            unbound-service-type
+            unbound-configuration
+            unbound-configuration?
+            unbound-configuration-server
+            unbound-configuration-remote-control
+            unbound-configuration-forward-zone
+            unbound-configuration-stub-zone
+            unbound-configuration-auth-zone
+            unbound-configuration-view
+            unbound-configuration-python
+            unbound-configuration-dynlib))
 
 ;;;
 ;;; Knot DNS.
@@ -897,3 +910,103 @@ (define dnsmasq-service-type
                              dnsmasq-activation)))
    (default-value (dnsmasq-configuration))
    (description "Run the dnsmasq DNS server.")))
+
+
+;;;
+;;; Unbound.
+;;;
+
+(define-maybe list)
+
+(define (serialize-list field-name lst)
+  ;; Ensure that strings within the unbound configuration
+  ;; are not enclosed in double quotes by the serialization.
+  (define (->string obj)
+    (if (string? obj)
+      obj
+      (object->string obj)))
+
+  #~(string-append
+      #$(string-append (symbol->string field-name) ":\n")
+      #$(apply string-append
+          (map
+            (lambda (pair)
+              (string-append "\t"
+                             (symbol->string (car pair))
+                             ": "
+                             (->string (cdr pair))
+                             "\n"))
+            lst))))
+
+(define-configuration unbound-configuration
+  (server
+    (maybe-list '((interface . "127.0.0.1")
+                  (interface . "::1")
+
+                  ;; TLS certificate bundle for DNS over TLS.
+                  (tls-cert-bundle . "/etc/ssl/certs/ca-certificates.crt")
+
+                  (hide-identity . yes)
+                  (hide-version . yes)))
+    "The server section of the configuration.")
+  (remote-control
+    (maybe-list '((control-enable . yes)
+                  (control-interface . "/run/unbound.sock")))
+    "Configuration of the remote control facility.")
+  (forward-zone
+    maybe-list
+    "Configuration of nameservers to forward queries to.")
+  (stub-zone
+    maybe-list
+    "Configuration of stub zones.")
+  (auth-zone
+    maybe-list
+    "Zones for which unbound should response as an authority server.")
+  (view
+    maybe-list
+    "Configuration of view clauses.")
+  (python
+    maybe-list
+    "Configuration of the Python module.")
+  (dynlib
+    maybe-list
+    "Dynamic library module configuration."))
+
+(define (unbound-config-file config)
+  (mixed-text-file "unbound.conf"
+    (serialize-configuration
+      config
+      unbound-configuration-fields)))
+
+(define (unbound-shepherd-service config)
+  (let ((config-file (unbound-config-file config)))
+    (list (shepherd-service
+            (documentation "Unbound daemon.")
+            (provision '(unbound dns))
+            (requirement '(networking))
+            (actions (list (shepherd-configuration-action config-file)))
+            (start #~(make-forkexec-constructor
+                       (list (string-append #$unbound "/sbin/unbound")
+                             "-d" "-p" "-c" #$config-file)))
+            (stop #~(make-kill-destructor))))))
+
+(define unbound-account-service
+  (list (user-group (name "unbound") (system? #t))
+        (user-account
+         (name "unbound")
+         (group "unbound")
+         (system? #t)
+         (comment "Unbound daemon user")
+         (home-directory "/var/empty")
+         (shell "/run/current-system/profile/sbin/nologin"))))
+
+(define unbound-service-type
+  (service-type (name 'unbound)
+                (description "Run the unbound DNS resolver.")
+                (extensions
+                  (list (service-extension account-service-type
+                                           (const unbound-account-service))
+                        (service-extension shepherd-root-service-type
+                                           unbound-shepherd-service)))
+                (compose concatenate)
+                (default-value (unbound-configuration))))
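Review bot: In `define-configuration unbound-configuration`, the `server` defaults are one alist value, so a user who sets `(server '((verbosity . 2)))` replaces the whole list and silently drops `tls-cert-bundle`, `hide-identity` and `hide-version`; the DoT forwarder example in the commit message depends on that bundle for checking the upstream certificate. Consider merging user-supplied pairs over the defaults, or say in the field documentation that the value is replaced wholesale. The same default list sets no trust anchor option, so the "DNSSEC-enabled" wording in the commit message relies on something outside this hunk. In `serialize-list`, string values are written verbatim, so a value containing a line break becomes additional configuration lines; rejecting line breaks there would keep one pair to one directive. The `auth-zone` docstring has a typo: "should response" should read "should respond".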




Message sent:


X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: soeren@HIDDEN
Subject: bug#68757: Acknowledgement ([PATCH] services: dns: Add unbound
 service)
Message-ID: <handler.68757.B.170635752611188.ack <at> debbugs.gnu.org>
References: <20240127121040.7156-2-soeren@HIDDEN>
X-Gnu-PR-Message: ack 68757
X-Gnu-PR-Package: guix-patches
X-Gnu-PR-Keywords: patch
Reply-To: 68757 <at> debbugs.gnu.org
Date: Sat, 27 Jan 2024 12:13:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please
send it to 68757 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
68757: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=68757
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#68757] [PATCH] services: dns: Add unbound service
Resent-From: Ludovic Courtès <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sun, 18 Feb 2024 15:19:02 +0000
Resent-Message-ID: <handler.68757.B68757.17082695288227 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 68757
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: soeren@HIDDEN
Cc: 68757 <at> debbugs.gnu.org
From: Ludovic Courtès <ludo@HIDDEN>
In-Reply-To: <20240127121040.7156-2-soeren@HIDDEN>
 (soeren@HIDDEN's message of "Sat, 27 Jan 2024 13:10:41
 +0100")
References: <20240127121040.7156-2-soeren@HIDDEN>
Date: Sun, 18 Feb 2024 16:18:17 +0100
Message-ID: <87sf1pls1y.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)

Hi Sören,

soeren@HIDDEN skribis:

> From: Sören Tempel <soeren@HIDDEN>
>
> This allows using Unbound as a local DNSSEC-enabled resolver. This
> commit also allows configuration of the Unbound DNS resolver via a
> Scheme API. Conceptually, the Unbound configuration consists of several
> "sections" that contain key-value pairs (see unbound.conf(5)). The
> configuration sections are modeled in Scheme using record-type fields,
> where each field expects a list of pairs.
>
> A sample configuration, which uses a DoT forwarder, looks as follows:
>
> 	(service unbound-service-type
> 	  (unbound-configuration
> 	    (forward-zone
> 	      '((name . ".")
> 	        (forward-addr . "149.112.112.112#dns.quad9.net")
> 	        (forward-addr . "2620:fe::9#dns.quad9.net")
> 	        (forward-tls-upstream . yes)))))
>
> * gnu/service/dns.scm (serialize-list): New procedure.
> * gnu/service/dns.scm (unbound-configuration): New record.
> * gnu/service/dns.scm (unbound-config-file): New procedure.
> * gnu/service/dns.scm (unbound-shepherd-service): New procedure.
> * gnu/service/dns.scm (unbound-account-service): New constant.
> * gnu/service/dns.scm (unbound-service-type): New services.
>
> Signed-off-by: Sören Tempel <soeren@HIDDEN>

Nice!

Some comments:

  • Please document the service in doc/guix.texi.  Make sure to include
    an example like the one above in the introduction, with
    explanations (you can remove the example from the commit log
    though).

  • Unless it’s too hard, please provide a system test (the service for
    knot lacks one for some reason, so there’s a precedent, but the
    general rule is that system services should always have associated
    tests.)

> +(define-configuration unbound-configuration

I recommend adding an “escape hatch” by which users may provide raw
strings (or a file-like object) that gets inserted into the config file.

> +  (server
> +    (maybe-list '((interface . "127.0.0.1")
> +                  (interface . "::1")
> +
> +                  ;; TLS certificate bundle for DNS over TLS.
> +                  (tls-cert-bundle . "/etc/ssl/certs/ca-certificates.crt=
")
> +
> +                  (hide-identity . yes)
> +                  (hide-version . yes)))

Please use Scheme booleans #t and #f instead of 'yes and 'no.

> +    "The server section of the configuration.")
> +  (remote-control
> +    (maybe-list '((control-enable . yes)
> +                  (control-interface . "/run/unbound.sock")))
> +    "Configuration of the remote control facility.")

For ‘remote-control’ and ‘server’, it’s not clear to me why we resort to
alists instead of records (or fields within this record type); it looks
inconsistent.

Could you consider turning them into records or fields?

> +            (documentation "Unbound daemon.")

“Run the Unbound DNS resolver” maybe?

> +            (provision '(unbound dns))
> +            (requirement '(networking))

Add 'user-processes.  However, does it really need ‘networking’?  (See
<https://issues.guix.gnu.org/66306>.)

> +         (shell "/run/current-system/profile/sbin/nologin"))))

Rather (file-append …) as is done in other services.

> +(define unbound-service-type
> +  (service-type (name 'unbound)
> +                (description "Run the unbound DNS resolver.")

s/unbound/Unbound/

TIA,
Ludo’.
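
The request for Scheme booleans in the review above, combined with a check that an option value cannot span lines, as an added example that is not code from the patch or from Guix. `value->string` and `serialize-section` are hypothetical names, and plain strings stand in for the G-expression the patch builds; the sample alist is constructed.

```scheme
;; Added example (not from the patch): plain Guile, no G-expressions.
(use-modules (ice-9 match))

(define (value->string key value)
  "Render VALUE for option KEY in unbound.conf syntax."
  (match value
    ;; Scheme booleans map onto Unbound's yes/no keywords.
    (#t "yes")
    (#f "no")
    ;; Symbols such as 'yes keep working, as in the submitted patch.
    ((? symbol?) (symbol->string value))
    ((? number?) (number->string value))
    ((? string?)
     ;; Strings are written without quotes, as in the patch.  A line
     ;; break inside one would start a new, unintended directive, so
     ;; refuse it instead of writing it out.
     (if (string-index value (char-set #\newline #\return))
         (error "unbound option value contains a line break:" key value)
         value))
    (_ (error "unsupported unbound option value:" key value))))

(define (serialize-section name alist)
  "Return the text of section NAME (a symbol) built from ALIST, a list
of (OPTION . VALUE) pairs.  Repeated options are kept in order."
  (string-append
   (symbol->string name) ":\n"
   (string-concatenate
    (map (match-lambda
           ((key . value)
            (string-append "\t" (symbol->string key) ": "
                           (value->string key value) "\n")))
         alist))))

;; Constructed sample input modelled on the defaults in the patch.
(display
 (serialize-section
  'server
  '((interface . "127.0.0.1")
    (interface . "::1")
    (tls-cert-bundle . "/etc/ssl/certs/ca-certificates.crt")
    (hide-identity . #t)
    (hide-version . #t))))
```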




Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#68757] [PATCH] services: dns: Add unbound service
Resent-From: Sören Tempel <soeren@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sat, 24 Feb 2024 18:56:01 +0000
Resent-Message-ID: <handler.68757.B68757.170880092123284 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 68757
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 68757 <at> debbugs.gnu.org
Date: Sat, 24 Feb 2024 19:45:44 +0100
From: Sören Tempel <soeren@HIDDEN>
References: <20240127121040.7156-2-soeren@HIDDEN>
 <87sf1pls1y.fsf@HIDDEN>
In-Reply-To: <87sf1pls1y.fsf@HIDDEN>
Message-Id: <2O0HFY6AW6QUG.320OU5YPLJHHZ@HIDDEN>

Ludovic Courtès <ludo@HIDDEN> wrote:
> Hi Sören,

Hi Ludovic,

> For ‘remote-control’ and ‘server’, it’s not clear to me why we resort to
> alists instead of records (or fields within this record type); it looks
> inconsistent.
>
> Could you consider turning them into records or fields?

Prior to submitting this patch I was experimenting with both records and
alists for the Unbound configuration abstraction. Unbound has **a lot**
of configuration options and new options are constantly getting added by
upstream, see unbound.conf(5). Therefore, supporting them through a
record type with fields for each configuration option requires a lot of
code. Furthermore, it will require constant maintenance to keep up with
new upstream options.

I looked at prior art and noticed that the Nix service configuration for
unbound just uses a plain hash with string keys [1]. This seemed like a
good way to deal with the complexity of unbound.conf, hence I opted for
a similar approach here. I don't think it's feasible to model the
configuration using a record type with several hundred fields and, as rde
uses an alist-based approach for services with similar complexity, I
don't think it's unheard of in the Guix world either. While it is not as
“type safe” as a record-based approach (e.g. you can create semantically
invalid unbound configurations), it offers good forwards compatibility
and requires less Scheme code.

In theory, it would be possible to model sections with less options
(e.g. the ‘remote-control’ or ‘server’ option) using records. However,
using alists for some sections and records for others seems inconsistent
to me.

Please let me know what you think so I can revise this accordingly.

> I recommend adding an “escape hatch” by which users may provide raw
> strings (or a file-like object) that gets inserted into the config file.

I think at the moment, it should be possible to express all possible
unbound configurations using the alist-based approach. If not, I would
consider this a bug in the Scheme abstraction. As such, I don't think
there is a need for an “escape hatch” right now (see also: my comment on
records and forwards compatibility above). However, if this is a common
idiom then I can add such an escape hatch.

The other things you mentioned seem obvious to me and I will just
implement them as suggested in a v2 revision of the patch. Thanks for
the feedback!

Greetings,
Sören

[1]: https://github.com/NixOS/nixpkgs/blob/0a37316d6cfea44280f4470b6867a711a24606bd/nixos/modules/services/networking/unbound.nix#L102-L126




Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#68757] [PATCH] services: dns: Add unbound service
Resent-From: Ludovic Courtès <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 27 Feb 2024 10:21:02 +0000
Resent-Message-ID: <handler.68757.B68757.170902922331679 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 68757
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Sören Tempel <soeren@HIDDEN>
Cc: 68757 <at> debbugs.gnu.org
From: Ludovic Courtès <ludo@HIDDEN>
In-Reply-To: <2O0HFY6AW6QUG.320OU5YPLJHHZ@HIDDEN> ("Sören Tempel"'s message
 of "Sat, 24 Feb 2024 19:45:44 +0100")
References: <20240127121040.7156-2-soeren@HIDDEN>
 <87sf1pls1y.fsf@HIDDEN> <2O0HFY6AW6QUG.320OU5YPLJHHZ@HIDDEN>
Date: Tue, 27 Feb 2024 11:14:51 +0100
Message-ID: <87frxei57o.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)

Hi,

Sören Tempel <soeren@HIDDEN> skribis:

> Prior to submitting this patch I was experimenting with both records and
> alists for the Unbound configuration abstraction. Unbound has **a lot**
> of configuration options and new options are constantly getting added by
> upstream, see unbound.conf(5). Therefore, supporting them through a
> record type with fields for each configuration option requires a lot of
> code. Furthermore, it will require constant maintenance to keep up with
> new upstream options.

Right.

> I looked at prior art and noticed that the Nix service configuration for
> unbound just uses a plain hash with string keys [1]. This seemed like a
> good way to deal with the complexity of unbound.conf, hence I opted for
> a similar approach here. I don't think it's feasible to model the
> configuration using a record type with several hundred fields and, as rde
> uses an alist-based approach for services with similar complexity, I
> don't think it's unheard of in the Guix world either. While it is not as
> “type safe” as a record-based approach (e.g. you can create semantically
> invalid unbound configurations), it offers good forwards compatibility
> and requires less Scheme code.
>
> In theory, it would be possible to model sections with less options
> (e.g. the ‘remote-control’ or ‘server’ option) using records. However,
> using alists for some sections and records for others seems inconsistent
> to me.
>
> Please let me know what you think so I can revise this accordingly.

The usual approach for services in Guix is to have a record for the most
common options (or for all the options if doing so can be
automated, as was done with Dovecot) and an “escape hatch” that lets
users insert raw config text.  Key/value alists are not a common idiom.

I would suggest sticking to this model as much as possible.  Perhaps
key/value alists would be preferable as an escape hatch than raw
strings?

Now, I don’t use Unbound, so I can only give general advice based on
what’s usually done in Guix.  Maybe ‘knot-service-type’ is a useful
source of inspiration.

HTH!

Ludo’.





Last modified: Tue, 27 Feb 2024 10:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.