nixpkgs/nixos/modules/services/networking/pdns-recursor.nix

{
  config,
  lib,
  pkgs,
  ...
}:

with lib;

let
  cfg = config.services.pdns-recursor;

  oneOrMore = type: with types; either type (listOf type);
  valueType =
    with types;
    oneOf [
      int
      str
      bool
      path
    ];
  configType = with types; attrsOf (nullOr (oneOrMore valueType));

  toBool = val: if val then "yes" else "no";
  serialize =
    val:
    with types;
    if str.check val then
      val
    else if int.check val then
      toString val
    else if path.check val then
      toString val
    else if bool.check val then
      toBool val
    else if builtins.isList val then
      (concatMapStringsSep "," serialize val)
    else
      "";

  configDir = pkgs.writeTextDir "recursor.conf" (
    concatStringsSep "\n" (flip mapAttrsToList cfg.settings (name: val: "${name}=${serialize val}"))
  );

  mkDefaultAttrs = mapAttrs (n: v: mkDefault v);

in
{
  options.services.pdns-recursor = {
    enable = mkEnableOption "PowerDNS Recursor, a recursive DNS server";

    dns.address = mkOption {
      type = oneOrMore types.str;
      default = [
        "::"
        "0.0.0.0"
      ];
      description = ''
        IP addresses Recursor DNS server will bind to.
      '';
    };

    dns.port = mkOption {
      type = types.port;
      default = 53;
      description = ''
        Port number Recursor DNS server will bind to.
      '';
    };

    dns.allowFrom = mkOption {
      type = types.listOf types.str;
      default = [
        "127.0.0.0/8"
        "10.0.0.0/8"
        "100.64.0.0/10"
        "169.254.0.0/16"
        "192.168.0.0/16"
        "172.16.0.0/12"
        "::1/128"
        "fc00::/7"
        "fe80::/10"
      ];
      example = [
        "0.0.0.0/0"
        "::/0"
      ];
      description = ''
        IP address ranges of clients allowed to make DNS queries.
      '';
    };

    api.address = mkOption {
      type = types.str;
      default = "0.0.0.0";
      description = ''
        IP address Recursor REST API server will bind to.
      '';
    };

    api.port = mkOption {
      type = types.port;
      default = 8082;
      description = ''
        Port number Recursor REST API server will bind to.
      '';
    };

    api.allowFrom = mkOption {
      type = types.listOf types.str;
      default = [
        "127.0.0.1"
        "::1"
      ];
      example = [
        "0.0.0.0/0"
        "::/0"
      ];
      description = ''
        IP address ranges of clients allowed to make API requests.
      '';
    };

    exportHosts = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to export names and IP addresses defined in /etc/hosts.
      '';
    };

    forwardZones = mkOption {
      type = types.attrs;
      default = { };
      description = ''
        DNS zones to be forwarded to other authoritative servers.
      '';
    };

    forwardZonesRecurse = mkOption {
      type = types.attrs;
      example = {
        eth = "[::1]:5353";
      };
      default = { };
      description = ''
        DNS zones to be forwarded to other recursive servers.
      '';
    };

    dnssecValidation = mkOption {
      type = types.enum [
        "off"
        "process-no-validate"
        "process"
        "log-fail"
        "validate"
      ];
      default = "validate";
      description = ''
        Controls the level of DNSSEC processing done by the PowerDNS Recursor.
        See https://doc.powerdns.com/md/recursor/dnssec/ for a detailed explanation.
      '';
    };

    serveRFC1918 = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to directly resolve the RFC1918 reverse-mapping domains:
        `10.in-addr.arpa`,
        `168.192.in-addr.arpa`,
        `16-31.172.in-addr.arpa`
        This saves load on the AS112 servers.
      '';
    };

    settings = mkOption {
      type = configType;
      default = { };
      example = literalExpression ''
        {
          loglevel = 8;
          log-common-errors = true;
        }
      '';
      description = ''
        PowerDNS Recursor settings. Use this option to configure Recursor
        settings not exposed in a NixOS option or to bypass one.
        See the full documentation at
        <https://doc.powerdns.com/recursor/settings.html>
        for the available options.
      '';
    };

    luaConfig = mkOption {
      type = types.lines;
      default = "";
      description = ''
        The content Lua configuration file for PowerDNS Recursor. See
        <https://doc.powerdns.com/recursor/lua-config/index.html>.
      '';
    };
  };

  config = mkIf cfg.enable {

    environment.etc."pdns-recursor".source = configDir;

    services.pdns-recursor.settings = mkDefaultAttrs {
      local-address = cfg.dns.address;
      local-port = cfg.dns.port;
      allow-from = cfg.dns.allowFrom;

      webserver-address = cfg.api.address;
      webserver-port = cfg.api.port;
      webserver-allow-from = cfg.api.allowFrom;

      forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;
      forward-zones-recurse = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZonesRecurse;
      export-etc-hosts = cfg.exportHosts;
      dnssec = cfg.dnssecValidation;
      serve-rfc1918 = cfg.serveRFC1918;
      lua-config-file = pkgs.writeText "recursor.lua" cfg.luaConfig;

      daemon = false;
      write-pid = false;
      log-timestamp = false;
      disable-syslog = true;
    };

    systemd.packages = [ pkgs.pdns-recursor ];

    systemd.services.pdns-recursor = {
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart = [
          ""
          "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=${configDir}"
        ];
      };
    };

    users.users.pdns-recursor = {
      isSystemUser = true;
      group = "pdns-recursor";
      description = "PowerDNS Recursor daemon user";
    };

    users.groups.pdns-recursor = { };

  };

  imports = [
    (mkRemovedOptionModule [
      "services"
      "pdns-recursor"
      "extraConfig"
    ] "To change extra Recursor settings use services.pdns-recursor.settings instead.")
  ];

  meta.maintainers = with lib.maintainers; [ rnhmjoj ];

}
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`

			`with lib;`

			`let`
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`cfg = config.services.pdns-recursor;`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`oneOrMore = type: with types; either type (listOf type);`
			`valueType =`
			`with types;`
			`oneOf [`
			`int`
			`str`
			`bool`
			`path`
			`];`
			`configType = with types; attrsOf (nullOr (oneOrMore valueType));`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`toBool = val: if val then "yes" else "no";`
			`serialize =`
			`val:`
			`with types;`
			`if str.check val then`
			`val`
			`else if int.check val then`
			`toString val`
			`else if path.check val then`
			`toString val`
			`else if bool.check val then`
			`toBool val`
			`else if builtins.isList val then`
			`(concatMapStringsSep "," serialize val)`
			`else`
			`"";`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00
nixos/pdns-recursor: use upstream systemd unit 2020-10-17 17:59:18 -04:00			`configDir = pkgs.writeTextDir "recursor.conf" (`
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`concatStringsSep "\n" (flip mapAttrsToList cfg.settings (name: val: "${name}=${serialize val}"))`
			`);`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`mkDefaultAttrs = mapAttrs (n: v: mkDefault v);`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00
			`in`
			`{`
			`options.services.pdns-recursor = {`
			`enable = mkEnableOption "PowerDNS Recursor, a recursive DNS server";`

			`dns.address = mkOption {`
nixos/pdns-recursor: update default values 1. Update the default values of several addresses-related settings that have been changed by upstream. 2. Make `dns.address` take multiple addresses. This is needed for dual stack, now working by default. 2022-04-13 17:40:11 +02:00			`type = oneOrMore types.str;`
			`default = [`
			`"::"`
			`"0.0.0.0"`
			`];`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`description = ''`
nixos/pdns-recursor: update default values 1. Update the default values of several addresses-related settings that have been changed by upstream. 2. Make `dns.address` take multiple addresses. This is needed for dual stack, now working by default. 2022-04-13 17:40:11 +02:00			`IP addresses Recursor DNS server will bind to.`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`'';`
			`};`

			`dns.port = mkOption {`
treewide: switch to port type for nixos modules 2022-11-30 17:15:00 +01:00			`type = types.port;`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`default = 53;`
			`description = ''`
			`Port number Recursor DNS server will bind to.`
			`'';`
			`};`

			`dns.allowFrom = mkOption {`
			`type = types.listOf types.str;`
nixos/pdns-recursor: update default values 1. Update the default values of several addresses-related settings that have been changed by upstream. 2. Make `dns.address` take multiple addresses. This is needed for dual stack, now working by default. 2022-04-13 17:40:11 +02:00			`default = [`
			`"127.0.0.0/8"`
			`"10.0.0.0/8"`
			`"100.64.0.0/10"`
			`"169.254.0.0/16"`
			`"192.168.0.0/16"`
			`"172.16.0.0/12"`
			`"::1/128"`
			`"fc00::/7"`
			`"fe80::/10"`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00			`];`
nixos/pdns-recursor: update default values 1. Update the default values of several addresses-related settings that have been changed by upstream. 2. Make `dns.address` take multiple addresses. This is needed for dual stack, now working by default. 2022-04-13 17:40:11 +02:00			`example = [`
			`"0.0.0.0/0"`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00			`"::/0"`
nixos/pdns-recursor: update default values 1. Update the default values of several addresses-related settings that have been changed by upstream. 2. Make `dns.address` take multiple addresses. This is needed for dual stack, now working by default. 2022-04-13 17:40:11 +02:00			`];`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`description = ''`
			`IP address ranges of clients allowed to make DNS queries.`
			`'';`
			`};`

			`api.address = mkOption {`
			`type = types.str;`
			`default = "0.0.0.0";`
			`description = ''`
			`IP address Recursor REST API server will bind to.`
			`'';`
			`};`

			`api.port = mkOption {`
treewide: switch to port type for nixos modules 2022-11-30 17:15:00 +01:00			`type = types.port;`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`default = 8082;`
			`description = ''`
			`Port number Recursor REST API server will bind to.`
			`'';`
			`};`

			`api.allowFrom = mkOption {`
			`type = types.listOf types.str;`
nixos/pdns-recursor: update default values 1. Update the default values of several addresses-related settings that have been changed by upstream. 2. Make `dns.address` take multiple addresses. This is needed for dual stack, now working by default. 2022-04-13 17:40:11 +02:00			`default = [`
			`"127.0.0.1"`
			`"::1"`
			`];`
			`example = [`
			`"0.0.0.0/0"`
			`"::/0"`
			`];`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`description = ''`
			`IP address ranges of clients allowed to make API requests.`
			`'';`
			`};`

			`exportHosts = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Whether to export names and IP addresses defined in /etc/hosts.`
			`'';`
			`};`

			`forwardZones = mkOption {`
nixos/pdns-recursor: add option for recursive forward zones 2019-11-07 17:08:09 +01:00			`type = types.attrs;`
			`default = { };`
			`description = ''`
			`DNS zones to be forwarded to other authoritative servers.`
			`'';`
			`};`

			`forwardZonesRecurse = mkOption {`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`type = types.attrs;`
nixos/pdns-recursor: update default values 1. Update the default values of several addresses-related settings that have been changed by upstream. 2. Make `dns.address` take multiple addresses. This is needed for dual stack, now working by default. 2022-04-13 17:40:11 +02:00			`example = {`
			`eth = "[::1]:5353";`
			`};`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`default = { };`
			`description = ''`
nixos/pdns-recursor: add option for recursive forward zones 2019-11-07 17:08:09 +01:00			`DNS zones to be forwarded to other recursive servers.`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`'';`
			`};`

			`dnssecValidation = mkOption {`
			`type = types.enum [`
			`"off"`
			`"process-no-validate"`
			`"process"`
			`"log-fail"`
			`"validate"`
			`];`
			`default = "validate";`
			`description = ''`
			`Controls the level of DNSSEC processing done by the PowerDNS Recursor.`
			`See https://doc.powerdns.com/md/recursor/dnssec/ for a detailed explanation.`
			`'';`
			`};`

			`serveRFC1918 = mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = ''`
			`Whether to directly resolve the RFC1918 reverse-mapping domains:`
			`10.in-addr.arpa`,
			`168.192.in-addr.arpa`,
			`16-31.172.in-addr.arpa`
			`This saves load on the AS112 servers.`
			`'';`
			`};`

nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`settings = mkOption {`
			`type = configType;`
			`default = { };`
nixos/doc: clean up defaults and examples 2021-10-03 18:06:03 +02:00			`example = literalExpression ''`
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`{`
			`loglevel = 8;`
			`log-common-errors = true;`
			`}`
			`'';`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`description = ''`
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`PowerDNS Recursor settings. Use this option to configure Recursor`
			`settings not exposed in a NixOS option or to bypass one.`
			`See the full documentation at`
			`<https://doc.powerdns.com/recursor/settings.html>`
			`for the available options.`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`'';`
			`};`
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00
nixos/pdns-recursor: add luaConfig option 2019-08-22 15:03:14 +02:00			`luaConfig = mkOption {`
			`type = types.lines;`
			`default = "";`
			`description = ''`
			`The content Lua configuration file for PowerDNS Recursor. See`
			`<https://doc.powerdns.com/recursor/lua-config/index.html>.`
			`'';`
			`};`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`};`

			`config = mkIf cfg.enable {`

pdns: Changed paths in /etc to use pdns instead of powerdns 2023-06-29 12:42:01 +02:00			`environment.etc."pdns-recursor".source = configDir;`
nixos/powerdns, nixos/pdns-recurser: Symlink configuration into /etc This places a symlink to the running configuration where the admin tools expect it, allowing users to control the powerdns server or recursor without manually specifying a config file. 2023-02-25 16:33:36 +01:00
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`services.pdns-recursor.settings = mkDefaultAttrs {`
			`local-address = cfg.dns.address;`
			`local-port = cfg.dns.port;`
			`allow-from = cfg.dns.allowFrom;`

			`webserver-address = cfg.api.address;`
			`webserver-port = cfg.api.port;`
			`webserver-allow-from = cfg.api.allowFrom;`

nixos/pdns-recursor: add option for recursive forward zones 2019-11-07 17:08:09 +01:00			`forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;`
			`forward-zones-recurse = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZonesRecurse;`
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`export-etc-hosts = cfg.exportHosts;`
			`dnssec = cfg.dnssecValidation;`
			`serve-rfc1918 = cfg.serveRFC1918;`
nixos/pdns-recursor: add luaConfig option 2019-08-22 15:03:14 +02:00			`lua-config-file = pkgs.writeText "recursor.lua" cfg.luaConfig;`
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00
nixos/pdns-recursor: use upstream systemd unit 2020-10-17 17:59:18 -04:00			`daemon = false;`
			`write-pid = false;`
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00			`log-timestamp = false;`
			`disable-syslog = true;`
			`};`

nixos/pdns-recursor: use upstream systemd unit 2020-10-17 17:59:18 -04:00			`systemd.packages = [ pkgs.pdns-recursor ];`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00
			`systemd.services.pdns-recursor = {`
			`wantedBy = [ "multi-user.target" ];`

			`serviceConfig = {`
nixos/pdns-recursor: use upstream systemd unit 2020-10-17 17:59:18 -04:00			`ExecStart = [`
			`""`
			`"${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=${configDir}"`
			`];`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`};`
nixos/pdns-recursor: use upstream systemd unit 2020-10-17 17:59:18 -04:00			`};`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00
nixos/pdns-recursor: use upstream systemd unit 2020-10-17 17:59:18 -04:00			`users.users.pdns-recursor = {`
			`isSystemUser = true;`
			`group = "pdns-recursor";`
			`description = "PowerDNS Recursor daemon user";`
pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`};`
nixos/pdns-recursor: use upstream systemd unit 2020-10-17 17:59:18 -04:00
			`users.groups.pdns-recursor = { };`

pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`};`
nixos/pdns-recursor: implement a `settings` option 2019-08-22 14:02:02 +02:00
			`imports = [`
			`(mkRemovedOptionModule [`
			`"services"`
			`"pdns-recursor"`
			`"extraConfig"`
			`] "To change extra Recursor settings use services.pdns-recursor.settings instead.")`
			`];`

nixos: add myself to maintainers 2019-12-04 17:07:45 +01:00			`meta.maintainers = with lib.maintainers; [ rnhmjoj ];`

pdns-recursor: add service 2017-01-18 00:29:59 +01:00			`}`