GNU bug report logs - #68757
[PATCH] services: dns: Add unbound service

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix-patches; Reported by: soeren@HIDDEN; Keywords: patch; dated Sat, 27 Jan 2024 12:13:01 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 68757 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Sören Tempel <soeren@HIDDEN>
Subject: Re: [bug#68757] [PATCH] services: dns: Add unbound service
In-Reply-To: <2O0HFY6AW6QUG.320OU5YPLJHHZ@HIDDEN> (Sören Tempel's message
 of "Sat, 24 Feb 2024 19:45:44 +0100")
References: <20240127121040.7156-2-soeren@HIDDEN>
 <87sf1pls1y.fsf@HIDDEN> <2O0HFY6AW6QUG.320OU5YPLJHHZ@HIDDEN>
Date: Tue, 27 Feb 2024 11:14:51 +0100
Message-ID: <87frxei57o.fsf@HIDDEN>
Cc: 68757 <at> debbugs.gnu.org

Hi,

Sören Tempel <soeren@HIDDEN> skribis:

> Prior to submitting this patch I was experimenting with both records and
> alists for the Unbound configuration abstraction. Unbound has **a lot**
> of configuration options and new options are constantly getting added by
> upstream, see unbound.conf(5). Therefore, supporting them through a
> record type with fields for each configuration option requires a lot of
> code. Furthermore, it will require constant maintenance to keep up with
> new upstream options.

Right.

> I looked at prior art and noticed that the Nix service configuration for
> unbound just uses a plain hash with string keys [1]. This seemed like a
> good way to deal with the complexity of unbound.conf, hence I opted for
> a similar approach here. I don't think it's feasible to model the
> configuration using a record type with several hundred fields and, as rde
> uses an alist-based approach for services with similar complexity, I
> don't think it's unheard of in the Guix world either. While it is not as
> “type safe” as a record-based approach (e.g. you can create semantically
> invalid unbound configurations), it offers good forwards compatibility
> and requires less Scheme code.
>
> In theory, it would be possible to model sections with less options
> (e.g. the ‘remote-control’ or ‘server’ option) using records. However,
> using alists for some sections and records for others seems inconsistent
> to me.
>
> Please let me know what you think so I can revise this accordingly.

The usual approach for services in Guix is to have a record for the most
common options (or for all the options if doing so can be
automated, as was done with Dovecot) and an “escape hatch” that lets
users insert raw config text.  Key/value alists are not a common idiom.

I would suggest sticking to this model as much as possible.  Perhaps
key/value alists would be preferable as an escape hatch than raw
strings?

Now, I don’t use Unbound, so I can only give general advice based on
what’s usually done in Guix.  Maybe ‘knot-service-type’ is a useful
source of inspiration.

HTH!

Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#68757; Package guix-patches.

Message received at 68757 <at> debbugs.gnu.org:


Date: Sat, 24 Feb 2024 19:45:44 +0100
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: [bug#68757] [PATCH] services: dns: Add unbound service
From: Sören Tempel <soeren@HIDDEN>
References: <20240127121040.7156-2-soeren@HIDDEN>
 <87sf1pls1y.fsf@HIDDEN>
In-Reply-To: <87sf1pls1y.fsf@HIDDEN>
Message-Id: <2O0HFY6AW6QUG.320OU5YPLJHHZ@HIDDEN>
Cc: 68757 <at> debbugs.gnu.org

Ludovic Courtès <ludo@HIDDEN> wrote:
> Hi Sören,

Hi Ludovic,

> For ‘remote-control’ and ‘server’, it’s not clear to me why we resort to
> alists instead of records (or fields within this record type); it looks
> inconsistent.
>
> Could you consider turning them into records or fields?

Prior to submitting this patch I was experimenting with both records and
alists for the Unbound configuration abstraction. Unbound has **a lot**
of configuration options and new options are constantly getting added by
upstream, see unbound.conf(5). Therefore, supporting them through a
record type with fields for each configuration option requires a lot of
code. Furthermore, it will require constant maintenance to keep up with
new upstream options.

I looked at prior art and noticed that the Nix service configuration for
unbound just uses a plain hash with string keys [1]. This seemed like a
good way to deal with the complexity of unbound.conf, hence I opted for
a similar approach here. I don't think it's feasible to model the
configuration using a record type with several hundred fields and, as rde
uses an alist-based approach for services with similar complexity, I
don't think it's unheard of in the Guix world either. While it is not as
“type safe” as a record-based approach (e.g. you can create semantically
invalid unbound configurations), it offers good forwards compatibility
and requires less Scheme code.

In theory, it would be possible to model sections with less options
(e.g. the ‘remote-control’ or ‘server’ option) using records. However,
using alists for some sections and records for others seems inconsistent
to me.

Please let me know what you think so I can revise this accordingly.

> I recommend adding an “escape hatch” by which users may provide raw
> strings (or a file-like object) that gets inserted into the config file.

I think at the moment, it should be possible to express all possible
unbound configurations using the alist-based approach. If not, I would
consider this a bug in the Scheme abstraction. As such, I don't think
there is a need for an “escape hatch” right now (see also: my comment on
records and forwards compatibility above). However, if this is a common
idiom then I can add such an escape hatch.

The other things you mentioned seem obvious to me and I will just
implement them as suggested in a v2 revision of the patch. Thanks for
the feedback!

Greetings,
Sören

[1]: https://github.com/NixOS/nixpkgs/blob/0a37316d6cfea44280f4470b6867a711a24606bd/nixos/modules/services/networking/unbound.nix#L102-L126




Information forwarded to guix-patches@HIDDEN:
bug#68757; Package guix-patches.

Message received at 68757 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: soeren@HIDDEN
Subject: Re: [bug#68757] [PATCH] services: dns: Add unbound service
In-Reply-To: <20240127121040.7156-2-soeren@HIDDEN>
 (soeren@HIDDEN's message of "Sat, 27 Jan 2024 13:10:41 +0100")
References: <20240127121040.7156-2-soeren@HIDDEN>
Date: Sun, 18 Feb 2024 16:18:17 +0100
Message-ID: <87sf1pls1y.fsf@HIDDEN>
Cc: 68757 <at> debbugs.gnu.org

Hi Sören,

soeren@HIDDEN skribis:

> From: Sören Tempel <soeren@HIDDEN>
>
> This allows using Unbound as a local DNSSEC-enabled resolver. This
> commit also allows configuration of the Unbound DNS resolver via a
> Scheme API. Conceptually, the Unbound configuration consists of several
> "sections" that contain key-value pairs (see unbound.conf(5)). The
> configuration sections are modeled in Scheme using record-type fields,
> where each field expects a list of pairs.
>
> A sample configuration, which uses a DoT forwarder, looks as follows:
>
> 	(service unbound-service-type
> 	  (unbound-configuration
> 	    (forward-zone
> 	      '((name . ".")
> 	        (forward-addr . "149.112.112.112#dns.quad9.net")
> 	        (forward-addr . "2620:fe::9#dns.quad9.net")
> 	        (forward-tls-upstream . yes)))))
>
> * gnu/service/dns.scm (serialize-list): New procedure.
> * gnu/service/dns.scm (unbound-configuration): New record.
> * gnu/service/dns.scm (unbound-config-file): New procedure.
> * gnu/service/dns.scm (unbound-shepherd-service): New procedure.
> * gnu/service/dns.scm (unbound-account-service): New constant.
> * gnu/service/dns.scm (unbound-service-type): New services.
>
> Signed-off-by: Sören Tempel <soeren@HIDDEN>

Nice!

Some comments:

  • Please document the service in doc/guix.texi.  Make sure to include
    an example like the one above in the introduction, with
    explanations (you can remove the example from the commit log
    though).

  • Unless it’s too hard, please provide a system test (the service for
    knot lacks one for some reason, so there’s a precedent, but the
    general rule is that system services should always have associated
    tests.)

> +(define-configuration unbound-configuration

I recommend adding an “escape hatch” by which users may provide raw
strings (or a file-like object) that gets inserted into the config file.

> +  (server
> +    (maybe-list '((interface . "127.0.0.1")
> +                  (interface . "::1")
> +
> +                  ;; TLS certificate bundle for DNS over TLS.
> +                  (tls-cert-bundle . "/etc/ssl/certs/ca-certificates.crt")
> +
> +                  (hide-identity . yes)
> +                  (hide-version . yes)))

Please use Scheme booleans #t and #f instead of 'yes and 'no.

> +    "The server section of the configuration.")
> +  (remote-control
> +    (maybe-list '((control-enable . yes)
> +                  (control-interface . "/run/unbound.sock")))
> +    "Configuration of the remote control facility.")

For ‘remote-control’ and ‘server’, it’s not clear to me why we resort to
alists instead of records (or fields within this record type); it looks
inconsistent.

Could you consider turning them into records or fields?

> +            (documentation "Unbound daemon.")

“Run the Unbound DNS resolver” maybe?

> +            (provision '(unbound dns))
> +            (requirement '(networking))

Add 'user-processes.  However, does it really need ‘networking’?  (See
<https://issues.guix.gnu.org/66306>.)

> +         (shell "/run/current-system/profile/sbin/nologin"))))

Rather (file-append …) as is done in other services.

> +(define unbound-service-type
> +  (service-type (name 'unbound)
> +                (description "Run the unbound DNS resolver.")

s/unbound/Unbound/

TIA,
Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#68757; Package guix-patches.

Message received at submit <at> debbugs.gnu.org:


From: soeren@HIDDEN
To: guix-patches@HIDDEN
Subject: [PATCH] services: dns: Add unbound service
Date: Sat, 27 Jan 2024 13:10:41 +0100
Message-ID: <20240127121040.7156-2-soeren@HIDDEN>

From: Sören Tempel <soeren@HIDDEN>

This allows using Unbound as a local DNSSEC-enabled resolver. This
commit also allows configuration of the Unbound DNS resolver via a
Scheme API. Conceptually, the Unbound configuration consists of several
"sections" that contain key-value pairs (see unbound.conf(5)). The
configuration sections are modeled in Scheme using record-type fields,
where each field expects a list of pairs.

A sample configuration, which uses a DoT forwarder, looks as follows:

	(service unbound-service-type
	  (unbound-configuration
	    (forward-zone
	      '((name . ".")
	        (forward-addr . "149.112.112.112#dns.quad9.net")
	        (forward-addr . "2620:fe::9#dns.quad9.net")
	        (forward-tls-upstream . yes)))))

* gnu/service/dns.scm (serialize-list): New procedure.
* gnu/service/dns.scm (unbound-configuration): New record.
* gnu/service/dns.scm (unbound-config-file): New procedure.
* gnu/service/dns.scm (unbound-shepherd-service): New procedure.
* gnu/service/dns.scm (unbound-account-service): New constant.
* gnu/service/dns.scm (unbound-service-type): New services.

Signed-off-by: Sören Tempel <soeren@HIDDEN>
---
 gnu/services/dns.scm | 115 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 114 insertions(+), 1 deletion(-)

diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm
index 6608046909..224a4d4c32 100644
--- a/gnu/services/dns.scm
+++ b/gnu/services/dns.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2020 Pierre Langlois <pierre.langlois@HIDDEN>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@HIDDEN>
 ;;; Copyright © 2022 Remco van 't Veer <remco@HIDDEN>
+;;; Copyright © 2024 Sören Tempel <soeren@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
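Review bot: the ChangeLog entries in the commit message name gnu/service/dns.scm, but the file this diff touches is gnu/services/dns.scm, as the diff header above shows; please correct the paths there (and "New services" for the single unbound-service-type variable should read "New service").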
@@ -52,7 +53,19 @@ (define-module (gnu services dns)
             knot-resolver-configuration
 
             dnsmasq-service-type
-            dnsmasq-configuration))
+            dnsmasq-configuration
+
+            unbound-service-type
+            unbound-configuration
+            unbound-configuration?
+            unbound-configuration-server
+            unbound-configuration-remote-control
+            unbound-configuration-forward-zone
+            unbound-configuration-stub-zone
+            unbound-configuration-auth-zone
+            unbound-configuration-view
+            unbound-configuration-python
+            unbound-configuration-dynlib))
 
 ;;;
 ;;; Knot DNS.
@@ -897,3 +910,103 @@ (define dnsmasq-service-type
                              dnsmasq-activation)))
    (default-value (dnsmasq-configuration))
    (description "Run the dnsmasq DNS server.")))
+
+
+;;;
+;;; Unbound.
+;;;
+
+(define-maybe list)
+
+(define (serialize-list field-name lst)
+  ;; Ensure that strings within the unbound configuration
+  ;; are not enclosed in double quotes by the serialization.
+  (define (->string obj)
+    (if (string? obj)
+      obj
+      (object->string obj)))
+
+  #~(string-append
+      #$(string-append (symbol->string field-name) ":\n")
+      #$(apply string-append
+          (map
+            (lambda (pair)
+              (string-append "\t"
+                             (symbol->string (car pair))
+                             ": "
+                             (->string (cdr pair))
+                             "\n"))
+            lst))))
+
+(define-configuration unbound-configuration
+  (server
+    (maybe-list '((interface . "127.0.0.1")
+                  (interface . "::1")
+
+                  ;; TLS certificate bundle for DNS over TLS.
+                  (tls-cert-bundle . "/etc/ssl/certs/ca-certificates.crt")
+
+                  (hide-identity . yes)
+                  (hide-version . yes)))
+    "The server section of the configuration.")
+  (remote-control
+    (maybe-list '((control-enable . yes)
+                  (control-interface . "/run/unbound.sock")))
+    "Configuration of the remote control facility.")
+  (forward-zone
+    maybe-list
+    "Configuration of nameservers to forward queries to.")
+  (stub-zone
+    maybe-list
+    "Configuration of stub zones.")
+  (auth-zone
+    maybe-list
+    "Zones for which unbound should response as an authority server.")
+  (view
+    maybe-list
+    "Configuration of view clauses.")
+  (python
+    maybe-list
+    "Configuration of the Python module.")
+  (dynlib
+    maybe-list
+    "Dynamic library module configuration."))
+
+(define (unbound-config-file config)
+  (mixed-text-file "unbound.conf"
+    (serialize-configuration
+      config
+      unbound-configuration-fields)))
+
+(define (unbound-shepherd-service config)
+  (let ((config-file (unbound-config-file config)))
+    (list (shepherd-service
+            (documentation "Unbound daemon.")
+            (provision '(unbound dns))
+            (requirement '(networking))
+            (actions (list (shepherd-configuration-action config-file)))
+            (start #~(make-forkexec-constructor
+                       (list (string-append #$unbound "/sbin/unbound")
+                             "-d" "-p" "-c" #$config-file)))
+            (stop #~(make-kill-destructor))))))
+
+(define unbound-account-service
+  (list (user-group (name "unbound") (system? #t))
+        (user-account
+         (name "unbound")
+         (group "unbound")
+         (system? #t)
+         (comment "Unbound daemon user")
+         (home-directory "/var/empty")
+         (shell "/run/current-system/profile/sbin/nologin"))))
+
+(define unbound-service-type
+  (service-type (name 'unbound)
+                (description "Run the unbound DNS resolver.")
+                (extensions
+                  (list (service-extension account-service-type
+                                           (const unbound-account-service))
+                        (service-extension shepherd-root-service-type
+                                           unbound-shepherd-service)))
+                (compose concatenate)
+                (default-value (unbound-configuration))))
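Review bot: the 'unbound' account that unbound-account-service creates is never tied to the daemon: make-forkexec-constructor in unbound-shepherd-service passes no #:user or #:group, and the default server alist sets no username:, so whether the resolver drops root after binding its sockets rests entirely on the username default compiled into the unbound package. Since unbound has to start as root to bind port 53 and then drop privileges itself, add (username . "unbound") to the default server section so the drop is explicit and visible in the generated file. Also, serialize-list pushes non-string values through object->string, so the Scheme booleans requested in review would be written as "#t"/"#f", which unbound does not accept; map #t/#f to yes/no there. Lastly, (compose concatenate) in unbound-service-type is inert without an extend field (drop it or add extend), and the auth-zone docstring should read "should respond as an authoritative server".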


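The "sections of key/value pairs" model from the commit message, with the Scheme booleans the review asks for, as an added stand-alone Guile example written for this page (not code from the patch or from Guix): it serializes an alist of sections to unbound.conf text, keeps raw text as an escape hatch, refuses values with embedded line breaks (which would otherwise inject further option lines), and checks whether a DoT forwarder is actually authenticated, i.e. every forward-addr carries a "#auth-name" and the server section has a tls-cert-bundle. The procedure names (unbound-config->string, forwarders-authenticated?) are this example's own, and both sample configurations are constructed; the first is the commit message's Quad9 forwarder with the privilege-drop user made explicit.

```scheme
;; Added example, not part of the patch or of Guix.  Run with: guile unbound-conf.scm
(use-modules (ice-9 match)
             (srfi srfi-1))

;; Render one option value.  Booleans become yes/no; strings are emitted
;; unquoted, as in the patch, because options such as access-control take
;; several whitespace-separated tokens in one value.  A line break inside a
;; value would end the option and start a new one, so it is rejected.
(define (value->string value)
  (cond ((eq? value #t) "yes")
        ((eq? value #f) "no")
        ((symbol? value) (symbol->string value))
        ((integer? value) (number->string value))
        ((string? value)
         (when (string-any (lambda (c) (or (char=? c #\newline) (char=? c #\return)))
                           value)
           (error "line break in unbound option value" value))
         value)
        (else (error "unsupported unbound option value" value))))

;; One section: its name, then a tab-indented "key: value" line per pair.
;; Keys may repeat (interface, forward-addr), which is why a section is an
;; alist rather than a record with one field per option.
(define (serialize-section name pairs)
  (string-append
   (symbol->string name) ":\n"
   (string-concatenate
    (map (match-lambda
           ((key . value)
            (string-append "\t" (symbol->string key) ": "
                           (value->string value) "\n")))
         pairs))))

;; SECTIONS is an alist of (section-name . pairs); a section name may occur
;; several times (several forward-zone or stub-zone clauses).  EXTRA is the
;; escape hatch: raw unbound.conf text appended verbatim.
(define (unbound-config->string sections extra)
  (string-append
   (string-concatenate
    (map (match-lambda ((name . pairs) (serialize-section name pairs)))
         sections))
   extra))

;; A TLS forwarder is authenticated only when the server section provides a
;; tls-cert-bundle and every forward-addr of a forward-tls-upstream zone has
;; a "#auth-name" suffix; forward-tls-upstream alone encrypts but does not
;; verify who answers.
(define (forwarders-authenticated? sections)
  (let ((server (or (assq-ref sections 'server) '())))
    (and (string? (assq-ref server 'tls-cert-bundle))
         (every (match-lambda
                  (('forward-zone . pairs)
                   (or (not (eq? (assq-ref pairs 'forward-tls-upstream) #t))
                       (every (match-lambda
                                (('forward-addr . addr)
                                 (and (string-index addr #\#) #t))
                                (_ #t))
                              pairs)))
                  (_ #t))
                sections))))

;; Constructed sample: the DoT forwarder from the commit message, plus an
;; explicit username: so the drop to the unbound account is visible.
(define sample-config
  '((server . ((interface . "127.0.0.1")
               (interface . "::1")
               (username . "unbound")
               (tls-cert-bundle . "/etc/ssl/certs/ca-certificates.crt")
               (hide-identity . #t)
               (hide-version . #t)))
    (forward-zone . ((name . ".")
                     (forward-addr . "149.112.112.112#dns.quad9.net")
                     (forward-addr . "2620:fe::9#dns.quad9.net")
                     (forward-tls-upstream . #t)))))

;; Constructed weak variant: same upstream, auth names dropped.
(define weak-config
  '((server . ((tls-cert-bundle . "/etc/ssl/certs/ca-certificates.crt")))
    (forward-zone . ((name . ".")
                     (forward-addr . "149.112.112.112")
                     (forward-tls-upstream . #t)))))

(display (unbound-config->string
          sample-config
          "remote-control:\n\tcontrol-enable: no\n"))   ; escape hatch in use
(format #t "sample authenticated: ~a~%" (forwarders-authenticated? sample-config))
(format #t "weak authenticated:   ~a~%" (forwarders-authenticated? weak-config))
```

In a Guix service the serializer would sit behind define-configuration as in the patch, and the escape hatch would be a field holding a string or file-like object; the check is the kind of thing a system test for the service could assert on the generated unbound.conf before the daemon is started.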


Acknowledgement sent to soeren@HIDDEN:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN.
Report forwarded to guix-patches@HIDDEN:
bug#68757; Package guix-patches.
Last modified: Tue, 27 Feb 2024 10:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.