Package: guix-patches;
Reported by: soeren <at> soeren-tempel.net
Date: Sat, 27 Jan 2024 12:13:01 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#68757: closed ([PATCH] services: dns: Add unbound service)
Date: Sat, 11 Jan 2025 22:10:01 +0000
Your message dated Sat, 11 Jan 2025 23:09:36 +0100 with message-id <87wmf1m28v.fsf <at> gnu.org> and subject line "Re: [bug#68757] [PATCH v3 1/1] services: dns: Add unbound service" has caused the debbugs.gnu.org bug report #68757, regarding "[PATCH] services: dns: Add unbound service", to be marked as done.

(If you believe you have received this mail in error, please contact help-debbugs <at> gnu.org.)

--
68757: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=68757
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: soeren <at> soeren-tempel.net To: guix-patches <at> gnu.org Subject: [PATCH] services: dns: Add unbound service Date: Sat, 27 Jan 2024 13:10:41 +0100From: Sören Tempel <soeren <at> soeren-tempel.net> This allows using Unbound as a local DNSSEC-enabled resolver. This commit also allows configuration of the Unbound DNS resolver via a Scheme API. Conceptually, the Unbound configuration consists of several "sections" that contain key-value pairs (see unbound.conf(5)). The configuration sections are modeled in Scheme using record-type fields, where each field expects a list of pairs. A sample configuration, which uses a DoT forwarder, looks as follows: (service unbound-service-type (unbound-configuration (forward-zone '((name . ".") (forward-addr . "149.112.112.112#dns.quad9.net") (forward-addr . "2620:fe::9#dns.quad9.net") (forward-tls-upstream . yes))))) * gnu/service/dns.scm (serialize-list): New procedure. * gnu/service/dns.scm (unbound-configuration): New record. * gnu/service/dns.scm (unbound-config-file): New procedure. * gnu/service/dns.scm (unbound-shepherd-service): New procedure. * gnu/service/dns.scm (unbound-account-service): New constant. * gnu/service/dns.scm (unbound-service-type): New services. Signed-off-by: Sören Tempel <soeren <at> soeren-tempel.net> --- gnu/services/dns.scm | 115 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 114 insertions(+), 1 deletion(-) diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm index 6608046909..224a4d4c32 100644 --- a/gnu/services/dns.scm +++ b/gnu/services/dns.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2020 Pierre Langlois <pierre.langlois <at> gmx.com> ;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be> ;;; Copyright © 2022 Remco van 't Veer <remco <at> remworks.net> +;;; Copyright © 2024 Sören Tempel <soeren <at> soeren-tempel.net> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -52,7 +53,19 @@ (define-module (gnu services dns) knot-resolver-configuration dnsmasq-service-type - dnsmasq-configuration)) + dnsmasq-configuration + + unbound-service-type + unbound-configuration + unbound-configuration? + unbound-configuration-server + unbound-configuration-remote-control + unbound-configuration-forward-zone + unbound-configuration-stub-zone + unbound-configuration-auth-zone + unbound-configuration-view + unbound-configuration-python + unbound-configuration-dynlib)) ;;; ;;; Knot DNS. 
@@ -897,3 +910,103 @@ (define dnsmasq-service-type dnsmasq-activation))) (default-value (dnsmasq-configuration)) (description "Run the dnsmasq DNS server."))) + + +;;; +;;; Unbound. +;;; + +(define-maybe list) + +(define (serialize-list field-name lst) + ;; Ensure that strings within the unbound configuration + ;; are not enclosed in double quotes by the serialization. + (define (->string obj) + (if (string? obj) + obj + (object->string obj))) + + #~(string-append + #$(string-append (symbol->string field-name) ":\n") + #$(apply string-append + (map + (lambda (pair) + (string-append "\t" + (symbol->string (car pair)) + ": " + (->string (cdr pair)) + "\n")) + lst)))) + +(define-configuration unbound-configuration + (server + (maybe-list '((interface . "127.0.0.1") + (interface . "::1") + + ;; TLS certificate bundle for DNS over TLS. + (tls-cert-bundle . "/etc/ssl/certs/ca-certificates.crt") + + (hide-identity . yes) + (hide-version . yes))) + "The server section of the configuration.") + (remote-control + (maybe-list '((control-enable . yes) + (control-interface . 
"/run/unbound.sock"))) + "Configuration of the remote control facility.") + (forward-zone + maybe-list + "Configuration of nameservers to forward queries to.") + (stub-zone + maybe-list + "Configuration of stub zones.") + (auth-zone + maybe-list + "Zones for which unbound should response as an authority server.") + (view + maybe-list + "Configuration of view clauses.") + (python + maybe-list + "Configuration of the Python module.") + (dynlib + maybe-list + "Dynamic library module configuration.")) + +(define (unbound-config-file config) + (mixed-text-file "unbound.conf" + (serialize-configuration + config + unbound-configuration-fields))) + +(define (unbound-shepherd-service config) + (let ((config-file (unbound-config-file config))) + (list (shepherd-service + (documentation "Unbound daemon.") + (provision '(unbound dns)) + (requirement '(networking)) + (actions (list (shepherd-configuration-action config-file))) + (start #~(make-forkexec-constructor + (list (string-append #$unbound "/sbin/unbound") + "-d" "-p" "-c" #$config-file))) + (stop #~(make-kill-destructor)))))) + +(define unbound-account-service + (list (user-group (name "unbound") (system? #t)) + (user-account + (name "unbound") + (group "unbound") + (system? #t) + (comment "Unbound daemon user") + (home-directory "/var/empty") + (shell "/run/current-system/profile/sbin/nologin")))) + +(define unbound-service-type + (service-type (name 'unbound) + (description "Run the unbound DNS resolver.") + (extensions + (list (service-extension account-service-type + (const unbound-account-service)) + (service-extension shepherd-root-service-type + unbound-shepherd-service))) + (compose concatenate) + (default-value (unbound-configuration))))
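Review bot: The export-list hunk adds nine public bindings (unbound-service-type, unbound-configuration and its accessors) but the diffstat shows only gnu/services/dns.scm changed, so this revision ships no doc/guix.texi entry for the new service and no system test under gnu/tests/; a Guix service addition normally carries both, and the ChangeLog entries in the commit log should read gnu/services/dns.scm rather than gnu/service/dns.scm to match the file the diff header actually touches.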
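Review bot: In unbound-shepherd-service the daemon is started through make-forkexec-constructor without #:user or #:group, and the default server alist sets no username:, so nothing in this hunk ensures that Unbound drops from root to the "unbound" account that unbound-account-service creates a few lines below; since binding port 53 needs root at start, the right fix is to add (username . "unbound") to the default server section (Unbound drops privileges to that user after binding its ports) and to mention this in the field's doc string, rather than relying on a compile-time default. Two smaller points in the same hunk: remote-control defaults to (control-enable . yes) on /run/unbound.sock, which switches on a management interface for every user of the default configuration, so consider defaulting it to no, or at least documenting who may connect to the socket; and, per Guix convention, (string-append #$unbound "/sbin/unbound") and the literal "/run/current-system/profile/sbin/nologin" would normally be written (file-append unbound "/sbin/unbound") and (file-append shadow "/sbin/nologin"). The auth-zone doc string should read "respond as an authoritative server".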
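As an added example, not part of the patch or of Guix itself, the following shows what the alist-based API in this v1 revision lets you express when the goal is a hardened local resolver: loopback only, explicit access control, local DNSSEC validation, DoT forwarding with hostname authentication, and the remote-control socket turned off. It uses the v1 field names exactly as the hunk above defines them, so it does not match the record-based API (unbound-server, unbound-zone, unbound-remote) of the v3 that was eventually merged. The trust-anchor path /var/lib/unbound/root.key is an assumption; it has to exist before the first start and be writable by the unbound user for RFC 5011 key rollover. Because setting the server field replaces the patch's default alist wholesale, the loopback interfaces, tls-cert-bundle and hide-* options are repeated here.

```scheme
;; Added example for the v1 alist API of this patch (not project code).
;; Intended to be pasted into an operating-system declaration.
(use-service-modules dns)

(define %unbound-hardened
  (unbound-configuration
   ;; The `server' alist replaces the patch's default, so repeat the
   ;; loopback interfaces and hide-* settings here.
   (server
    '((interface . "127.0.0.1")
      (interface . "::1")
      ;; Unbound refuses non-listed clients by default; stating the
      ;; loopback allow rules makes the policy explicit in the config.
      (access-control . "127.0.0.0/8 allow")
      (access-control . "::1 allow")
      ;; Drop from root to the unbound account after binding port 53.
      (username . "unbound")
      ;; Local DNSSEC validation.  ASSUMED path: create it beforehand with
      ;;   unbound-anchor -a /var/lib/unbound/root.key
      ;; and make the directory writable by the unbound user.
      (auto-trust-anchor-file . "/var/lib/unbound/root.key")
      (harden-dnssec-stripped . yes)
      (harden-glue . yes)
      (qname-minimisation . yes)
      (aggressive-nsec . yes)
      (prefetch . yes)
      (hide-identity . yes)
      (hide-version . yes)
      ;; CA bundle used to authenticate the DoT upstream below.
      (tls-cert-bundle . "/etc/ssl/certs/ca-certificates.crt")))
   ;; Leave the management socket off unless unbound-control is needed.
   (remote-control
    '((control-enable . no)))
   ;; Forward everything over TLS; the "#hostname" suffix makes Unbound
   ;; verify the upstream certificate against that name.
   (forward-zone
    '((name . ".")
      (forward-addr . "149.112.112.112#dns.quad9.net")
      (forward-addr . "2620:fe::9#dns.quad9.net")
      (forward-tls-upstream . yes)))))

;; In the operating-system `services' field:
;;   (cons (service unbound-service-type %unbound-hardened)
;;         %base-services)
```

After reconfiguring, a quick functional check is to resolve a domain whose signatures are deliberately broken (for example one of the public DNSSEC test zones) against 127.0.0.1 and confirm that Unbound returns SERVFAIL, while a correctly signed name resolves with the AD flag set.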
From: Ludovic Courtès <ludo <at> gnu.org>
To: soeren <at> soeren-tempel.net
Cc: 68757-done <at> debbugs.gnu.org
Subject: Re: [bug#68757] [PATCH v3 1/1] services: dns: Add unbound service
Date: Sat, 11 Jan 2025 23:09:36 +0100

Hello,

soeren <at> soeren-tempel.net writes:

> From: Sören Tempel <soeren <at> soeren-tempel.net>
>
> This allows using Unbound as a local DNSSEC-enabled resolver. This
> commit also allows configuration of the Unbound DNS resolver via a
> Scheme API. The API currently provides very common options and
> includes an escape hatch to enable less common configurations.
>
> * gnu/service/dns.scm (unbound-serialize-field): New procedure.
> * gnu/service/dns.scm (unbound-serialize-alist): New procedure.
> * gnu/service/dns.scm (unbound-serialize-section): New procedure.
> * gnu/service/dns.scm (unbound-serialize-string): New procedure.
> * gnu/service/dns.scm (unbound-serialize-boolean): New procedure.
> * gnu/service/dns.scm (unbound-serialize-list-of-strings): New procedure.
> * gnu/service/dns.scm (unbound-zone): New record.
> * gnu/service/dns.scm (unbound-serialize-unbound-zone): New procedure.
> * gnu/service/dns.scm (unbound-serialize-list-of-unbound-zone): New procedure.
> * gnu/service/dns.scm (unbound-remote): New record.
> * gnu/service/dns.scm (unbound-serialize-unbound-remote): New procedure.
> * gnu/service/dns.scm (unbound-server): New record.
> * gnu/service/dns.scm (unbound-serialize-unbound-server): New procedure.
> * gnu/service/dns.scm (unbound-configuration): New record.
> * gnu/service/dns.scm (unbound-config-file): New procedure.
> * gnu/service/dns.scm (unbound-shepherd-service): New procedure.
> * gnu/service/dns.scm (unbound-account-service): New constant.
> * gnu/service/dns.scm (unbound-service-type): New services.
> * gnu/tests/dns.scm: New file.
> * gnu/local.mk: Add new files.
> * doc/guix.texi: Add documentation.
> > Signed-off-by: Sören Tempel <soeren <at> soeren-tempel.net> Applied with the cosmetic changes below and tweaks to the commit log, such as remove repetitions of the file name. Thanks! Ludo’.[Message part 5 (text/x-patch, inline)]diff --git a/doc/guix.texi b/doc/guix.texi index a9b548cd45..3a64fede2d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -135,6 +135,7 @@ Copyright @copyright{} 2024 Troy Figiel@* Copyright @copyright{} 2024 Sharlatan Hellseher@* Copyright @copyright{} 2024 45mg@* +Copyright @copyright{} 2025 Sören Tempel@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -34303,8 +34304,9 @@ DNS Services @subsubheading Unbound Service @defvar unbound-service-type -This is the type of the unbound service, whose value should be a -@code{unbound-configuration} object as in this example: +This is the type of the service to run @uref{https://www.unbound.net, +Unbound}, a validating, recursive, and caching DNS resolver. Its value +must be a @code{unbound-configuration} object as in this example: @lisp (service unbound-service-type