stubby service wrapper — a NixOS module that runs the Stubby DNS-over-TLS stub resolver as a hardened, unprivileged systemd service.
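{ config, lib, pkgs, ... }:

# NixOS module for Stubby, a DNS privacy stub resolver that forwards the
# host's DNS queries to a fixed set of upstream resolvers over DNS-over-TLS.
#
# Security notes:
#  * The generated stubby.yml lives in the read-only Nix store and is handed
#    to stubby with -C, so the unprivileged daemon cannot rewrite its own
#    upstream list, SPKI pins or authentication mode.
#  * The default upstreams are authenticated by name (tls_auth_name) and by
#    SPKI pin; GETDNS_AUTHENTICATION_REQUIRED makes stubby refuse an upstream
#    that fails authentication instead of silently falling back.
#  * The service runs as a dedicated system user holding only
#    CAP_NET_BIND_SERVICE (needed to bind port 53), with a read-only view of
#    the filesystem apart from its state directory.

with lib;

let
  cfg = config.services.stubby;

  # Render a list of strings as a YAML block sequence.  Items are emitted at
  # column 0: YAML permits a sequence at the same indentation as its parent
  # key, and this keeps every item at one consistent indentation.  (The
  # previous "\n " separator indented every item after the first by one extra
  # space, which is a YAML error for lists of two or more entries.)
  yamlList = concatMapStringsSep "\n" (item: "- ${item}");

  # Render the state directory once as a string.  `toString` on a types.path
  # value avoids Nix's behaviour of copying a bare path literal into the store
  # when it is interpolated into a string.
  stateDir = toString cfg.stateDir;

  # Built-in upstreams: the getdns/Sinodun DNS-over-TLS servers, each with its
  # TLS authentication name and the SHA-256 SPKI pin of its certificate.  Pins
  # rotate when an operator re-keys; under the default authentication mode an
  # out-of-date pin makes stubby refuse that upstream (fail closed) rather than
  # downgrade, so keep this list in step with the operators' published pins.
  defaultUpstream = ''
    - address_data: 145.100.185.15
      tls_auth_name: "dnsovertls.sinodun.com"
      tls_pubkey_pinset:
        - digest: "sha256"
          value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
    - address_data: 145.100.185.16
      tls_auth_name: "dnsovertls1.sinodun.com"
      tls_pubkey_pinset:
        - digest: "sha256"
          value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
    - address_data: 185.49.141.37
      tls_auth_name: "getdnsapi.net"
      tls_pubkey_pinset:
        - digest: "sha256"
          value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
    - address_data: 2001:610:1:40ba:145:100:185:15
      tls_auth_name: "dnsovertls.sinodun.com"
      tls_pubkey_pinset:
        - digest: "sha256"
          value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
    - address_data: 2001:610:1:40ba:145:100:185:16
      tls_auth_name: "dnsovertls1.sinodun.com"
      tls_pubkey_pinset:
        - digest: "sha256"
          value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
    - address_data: 2a04:b900:0:100::38
      tls_auth_name: "getdnsapi.net"
      tls_pubkey_pinset:
        - digest: "sha256"
          value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
  '';

  # The complete stubby.yml, written into the Nix store.  Interpolated
  # multi-line values are inserted verbatim, so every list is rendered at
  # column 0 and carries its own nesting (see yamlList / defaultUpstream).
  confFile = pkgs.writeText "stubby.yml" ''
    resolution_type: GETDNS_RESOLUTION_STUB
    dns_transport_list:
    ${yamlList cfg.fallbackProtocols}
    tls_authentication: ${cfg.authenticationMode}
    tls_query_padding_blocksize: ${cfg.queryPaddingBlocksize}
    edns_client_subnet_private: 1
    idle_timeout: ${cfg.idleTimeout}
    listen_addresses:
    ${yamlList cfg.listenAddresses}
    round_robin_upstreams: ${cfg.roundRobinUpstreams}
    ${cfg.extraConfig}
    upstream_recursive_servers:
    ${cfg.upstreamServers}
  '';
in
{
  options.services.stubby = {
    enable = mkEnableOption "Stubby DNS-over-TLS stub resolver";

    fallbackProtocols = mkOption {
      default = [ "GETDNS_TRANSPORT_TLS" ];
      type = types.listOf types.str;
      description = ''
        Transports stubby may use for upstream queries, in order of preference
        (stubby's dns_transport_list).  The default permits TLS only.  Adding a
        cleartext transport such as GETDNS_TRANSPORT_UDP or GETDNS_TRANSPORT_TCP
        lets queries leave the host unencrypted whenever every TLS upstream is
        unreachable.
      '';
    };

    authenticationMode = mkOption {
      default = "GETDNS_AUTHENTICATION_REQUIRED";
      type = types.str;
      description = ''
        Value of stubby's tls_authentication.  The default,
        GETDNS_AUTHENTICATION_REQUIRED, makes stubby use only upstreams whose
        certificate matches the configured tls_auth_name / tls_pubkey_pinset.
        Any weaker mode is opportunistic: an on-path attacker can then
        impersonate the upstream and read or rewrite queries.
      '';
    };

    queryPaddingBlocksize = mkOption {
      default = "128";
      type = types.str;
      description = ''
        EDNS(0) padding block size in bytes (tls_query_padding_blocksize).
        Queries are padded to a multiple of this size so that their length
        reveals less about the name being looked up.
      '';
    };

    idleTimeout = mkOption {
      default = "10000";
      type = types.str;
      description = ''
        Time in milliseconds to keep an idle TLS connection to an upstream open
        for reuse (idle_timeout), avoiding a TLS handshake per query.
      '';
    };

    listenAddresses = mkOption {
      default = [ "127.0.0.1" "0::1" ];
      type = types.listOf types.str;
      description = ''
        Addresses stubby listens on (listen_addresses).  The default is
        loopback only.  A non-default port is given as ADDRESS@PORT, e.g.
        127.0.0.1@5353, which is useful when another resolver already owns
        port 53.  Listening on a non-loopback address exposes the resolver to
        other hosts; firewall accordingly.
      '';
    };

    roundRobinUpstreams = mkOption {
      default = "1";
      type = types.str;
      description = ''
        stubby's round_robin_upstreams: "1" spreads queries across all
        configured upstreams, "0" uses the first upstream and moves on only
        when it fails.
      '';
    };

    upstreamServers = mkOption {
      default = defaultUpstream;
      type = types.lines;
      description = ''
        YAML body of upstream_recursive_servers: a block sequence of upstream
        resolvers.  Each entry should carry tls_auth_name and/or
        tls_pubkey_pinset; under the default authenticationMode an upstream
        without authentication data is not expected to be usable.  Replace the
        default list to use your own resolvers.
      '';
    };

    extraConfig = mkOption {
      default = "";
      type = types.lines;
      description = ''
        Additional YAML inserted verbatim into stubby.yml, ahead of
        upstream_recursive_servers.  Not validated; keys given here can
        override the options above.
      '';
    };

    stateDir = mkOption {
      default = "/var/lib/stubby";
      type = types.path;
      description = ''
        Home and working directory of the stubby service user, and the only
        path the service is allowed to write to.  The configuration file is
        not stored here; it is read directly from the Nix store.
      '';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.stubby ];

    users.users.stubby = {
      description = "stubby daemon user";
      isSystemUser = true;
      group = "stubby";
      home = stateDir;
      createHome = true;
    };
    users.groups.stubby = {};

    # Ensure the state directory exists and is owned by the service user even
    # if it pre-existed with other ownership.  The earlier rule pointed at
    # ${pkgs.stubby} — a read-only store path — so /var/lib/stubby never
    # became writable by the service user, which is the "Permission denied"
    # seen from the old ExecStartPre copy step.
    systemd.tmpfiles.rules = [ "d ${stateDir} 0750 stubby stubby - -" ];

    systemd.services.stubby = {
      description = "Stubby local DNS resolver";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # Read the configuration straight from the store: no pre-start copy
        # into a writable location, so the daemon cannot tamper with its own
        # upstreams or authentication settings.
        ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile}";
        WorkingDirectory = stateDir;
        User = "stubby";
        Group = "stubby";

        # Binding port 53 as an unprivileged user needs exactly one capability;
        # the bounding set prevents the process from ever acquiring another.
        # The directive is CapabilityBoundingSet (singular): systemd ignores
        # unknown keys with a warning, so the former misspelling
        # CapabilitiesBoundingSet left the bounding set unrestricted.
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        NoNewPrivileges = true;

        # Filesystem hardening: read-only system directories and /home, private
        # /tmp and /dev; only the state directory stays writable.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ReadWritePaths = [ stateDir ];
      };
    };
  };
}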
● stubby.service - Stubby local DNS resolver
   Loaded: loaded (/nix/store/2yr8s07q82qkx4rni301x47x82daas8f-unit-stubby.service/stubby.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2018-04-07 18:17:17 CDT; 31s ago
  Process: 30893 ExecStartPre=/nix/store/1cnlipzr59j6lv523s61kmjhqc6s9pkc-unit-script/bin/stubby-pre-start (code=exited, status=1/FAILURE)
 Main PID: 10423 (code=killed, signal=TERM)

Apr 07 18:17:17 nixos systemd[1]: Starting Stubby local DNS resolver...
Apr 07 18:17:17 nixos stubby-pre-start[30893]: cp: cannot create regular file '/var/lib/stubby/stubby.yml': Permission denied
Apr 07 18:17:17 nixos systemd[1]: stubby.service: Control process exited, code=exited status=1
Apr 07 18:17:17 nixos systemd[1]: stubby.service: Failed with result 'exit-code'.
Apr 07 18:17:17 nixos systemd[1]: Failed to start Stubby local DNS resolver.
