Merge pull request #270595 from rnhmjoj/pr-dnsdist

- `stdenv`: The `--replace` flag in `substitute`, `substituteInPlace`, `substituteAll`, `substituteAllStream`, and `substituteStream` is now deprecated if favor of the new `--replace-fail`, `--replace-warn` and `--replace-quiet`. The deprecated `--replace` equates to `--replace-warn`.

- New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).

  The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.

- The Yama LSM is now enabled by default in the kernel, which prevents ptracing

  non-child processes. This means you will not be able to attach gdb to an

  existing process, but will need to start that process from gdb (so it is a

let

  cfg = config.services.dnsdist;

  toLua = lib.generators.toLua {};

  mkBind = cfg: toLua "${cfg.listenAddress}:${toString cfg.listenPort}";

  configFile = pkgs.writeText "dnsdist.conf" ''

    setLocal('${cfg.listenAddress}:${toString cfg.listenPort}')

    setLocal(${mkBind cfg})

    ${lib.optionalString cfg.dnscrypt.enable dnscryptSetup}

    ${cfg.extraConfig}

  '';

  dnscryptSetup = ''

    last_rotation = 0

    cert_serial = 0

    provider_key = ${toLua cfg.dnscrypt.providerKey}

    cert_lifetime = ${toLua cfg.dnscrypt.certLifetime} * 60

    function file_exists(name)

       local f = io.open(name, "r")

       return f ~= nil and io.close(f)

    end

    function dnscrypt_setup()

      -- generate provider keys on first run

      if provider_key == nil then

        provider_key = "/var/lib/dnsdist/private.key"

        if not file_exists(provider_key) then

          generateDNSCryptProviderKeys("/var/lib/dnsdist/public.key",

                                       "/var/lib/dnsdist/private.key")

          print("DNSCrypt: generated provider keypair")

        end

      end

      -- generate resolver certificate

      local now = os.time()

      generateDNSCryptCertificate(

        provider_key, "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key",

        cert_serial, now - 60, now + cert_lifetime)

      addDNSCryptBind(

        ${mkBind cfg.dnscrypt}, ${toLua cfg.dnscrypt.providerName},

        "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key")

    end

    function maintenance()

      -- certificate rotation

      local now = os.time()

      local dnscrypt = getDNSCryptBind(0)

      if ((now - last_rotation) > 0.9 * cert_lifetime) then

        -- generate and start using a new certificate

        dnscrypt:generateAndLoadInMemoryCertificate(

          provider_key, cert_serial + 1,

          now - 60, now + cert_lifetime)

        -- stop advertising the last certificate

        dnscrypt:markInactive(cert_serial)

        -- remove the second to last certificate

        if (cert_serial > 1)  then

          dnscrypt:removeInactiveCertificate(cert_serial - 1)

        end

        print("DNSCrypt: rotated certificate")

        -- increment serial number

        cert_serial = cert_serial + 1

        last_rotation = now

      end

    end

    dnscrypt_setup()

  '';

in {

  options = {

    services.dnsdist = {

      listenAddress = mkOption {

        type = types.str;

        description = lib.mdDoc "Listen IP Address";

        description = lib.mdDoc "Listen IP address";

        default = "0.0.0.0";

      };

      listenPort = mkOption {

        type = types.int;

        type = types.port;

        description = lib.mdDoc "Listen port";

        default = 53;

      };

      dnscrypt = {

        enable = mkEnableOption (lib.mdDoc "a DNSCrypt endpoint to dnsdist");

        listenAddress = mkOption {

          type = types.str;

          description = lib.mdDoc "Listen IP address of the endpoint";

          default = "0.0.0.0";

        };

        listenPort = mkOption {

          type = types.port;

          description = lib.mdDoc "Listen port of the endpoint";

          default = 443;

        };

        providerName = mkOption {

          type = types.str;

          default = "2.dnscrypt-cert.${config.networking.hostName}";

          defaultText = literalExpression "2.dnscrypt-cert.\${config.networking.hostName}";

          example = "2.dnscrypt-cert.myresolver";

          description = lib.mdDoc ''

            The name that will be given to this DNSCrypt resolver.

            ::: {.note}

            The provider name must start with `2.dnscrypt-cert.`.

            :::

          '';

        };

        providerKey = mkOption {

          type = types.nullOr types.path;

          default = null;

          description = lib.mdDoc ''

            The filepath to the provider secret key.

            If not given a new provider key pair will be generated in

            /var/lib/dnsdist on the first run.

            ::: {.note}

            The file must be readable by the dnsdist user/group.

            :::

          '';

        };

        certLifetime = mkOption {

          type = types.ints.positive;

          default = 15;

          description = lib.mdDoc ''

            The lifetime (in minutes) of the resolver certificate.

            This will be automatically rotated before expiration.

          '';

        };

      };

      extraConfig = mkOption {

        type = types.lines;

        default = "";

  };

  config = mkIf cfg.enable {

    users.users.dnsdist = {

      description = "dnsdist daemons user";

      isSystemUser = true;

      group = "dnsdist";

    };

    users.groups.dnsdist = {};

    systemd.packages = [ pkgs.dnsdist ];

    systemd.services.dnsdist = {

      startLimitIntervalSec = 0;

      serviceConfig = {

        DynamicUser = true;

        User = "dnsdist";

        Group = "dnsdist";

        RuntimeDirectory = "dnsdist";

        StateDirectory = "dnsdist";

        # upstream overrides for better nixos compatibility

        ExecStartPre = [ "" "${pkgs.dnsdist}/bin/dnsdist --check-config --config ${configFile}" ];

        ExecStart = [ "" "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}" ];

  discourse = handleTest ./discourse.nix {};

  dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};

  dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper;

  dnsdist = handleTest ./dnsdist.nix {};

  dnsdist = import ./dnsdist.nix { inherit pkgs runTest; };

  doas = handleTest ./doas.nix {};

  docker = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker.nix {};

  docker-rootless = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker-rootless.nix {};

import ./make-test-python.nix (

  { pkgs, ... }: {

    name = "dnsdist";

    meta = with pkgs.lib; {

      maintainers = with maintainers; [ jojosch ];

    };

{ pkgs, runTest }:

let

  inherit (pkgs) lib;

    nodes.machine = { pkgs, lib, ... }: {

  baseConfig = {

    networking.nameservers = [ "::1" ];

    services.bind = {

      enable = true;

      extraOptions = "empty-zones-enable no;";

        newServer({address="127.0.0.1:53", name="local-bind"})

      '';

    };

      environment.systemPackages = with pkgs; [ dig ];

  };

in

{

  base = runTest {

    name = "dnsdist-base";

    meta.maintainers = with lib.maintainers; [ jojosch ];

    nodes.machine = baseConfig;

    testScript = ''

      machine.wait_for_unit("bind.service")

      machine.wait_for_open_port(53)

      machine.succeed("dig @127.0.0.1 +short -x 192.168.0.1 | grep -qF ns.example.org")

      machine.succeed("host -p 53 192.168.0.1 | grep -qF ns.example.org")

      machine.wait_for_unit("dnsdist.service")

      machine.wait_for_open_port(5353)

      machine.succeed("dig @127.0.0.1 -p 5353 +short -x 192.168.0.1 | grep -qF ns.example.org")

      machine.succeed("host -p 5353 192.168.0.1 | grep -qF ns.example.org")

    '';

  };

  dnscrypt = runTest {

    name = "dnsdist-dnscrypt";

    meta.maintainers = with lib.maintainers; [ rnhmjoj ];

    nodes.server = lib.mkMerge [

      baseConfig

      {

        networking.firewall.allowedTCPPorts = [ 443 ];

        networking.firewall.allowedUDPPorts = [ 443 ];

        services.dnsdist.dnscrypt.enable = true;

        services.dnsdist.dnscrypt.providerKey = "${./dnscrypt-wrapper/secret.key}";

      }

    ];

    nodes.client = {

      services.dnscrypt-proxy2.enable = true;

      services.dnscrypt-proxy2.upstreamDefaults = false;

      services.dnscrypt-proxy2.settings =

        { server_names = [ "server" ];

          listen_addresses = [ "[::1]:53" ];

          cache = false;

          # Computed using https://dnscrypt.info/stamps/

          static.server.stamp =

            "sdns://AQAAAAAAAAAADzE5Mi4xNjguMS4yOjQ0MyAUQdg6_RIIpK6pHkINhrv7nxwIG5c7b_m5NJVT3A1AXRYyLmRuc2NyeXB0LWNlcnQuc2VydmVy";

        };

      networking.nameservers = [ "::1" ];

    };

    testScript = ''

      with subtest("The DNSCrypt server is accepting connections"):

          server.wait_for_unit("bind.service")

          server.wait_for_unit("dnsdist.service")

          server.wait_for_open_port(443)

          almost_expiration = server.succeed("date --date '14min'").strip()

      with subtest("The DNSCrypt client can connect to the server"):

          client.wait_until_succeeds("journalctl -u dnscrypt-proxy2 --grep '\[server\] OK'")

      with subtest("DNS queries over UDP are working"):

          client.wait_for_open_port(53)

          client.succeed("host -U 192.168.0.1 | grep -qF ns.example.org")

      with subtest("DNS queries over TCP are working"):

          client.wait_for_open_port(53)

          client.succeed("host -T 192.168.0.1 | grep -qF ns.example.org")

      with subtest("The server rotates the ephemeral keys"):

          server.succeed(f"date -s '{almost_expiration}'")

          client.succeed(f"date -s '{almost_expiration}'")

          server.wait_until_succeeds("journalctl -u dnsdist --grep 'rotated certificate'")

      with subtest("The client can still connect to the server"):

          client.wait_until_succeeds("host -T 192.168.0.1")

          client.wait_until_succeeds("host -U 192.168.0.1")

    '';

  };

}

)