nixos/unbound: add settings option, deprecate extraConfig

[rissson]

Motivation for this change

Follow RFC 42 by adding a settings option. Other options have been deprecated or removed when renaming them was not possible.

It builds on top of #79559 to include the latest modifications to the unbound service.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[rissson]

I am currently using this here without any problems so far.

[rissson]

Also, I'm willing to add myself as a maintainer for this module :D

[lovesegfault]

Welcome improvement :)

[aanderse]

I love PRs that implement settings options! Unfortunately I don't know anything at all about unbound, so if some of my comments are entirely invalid I apologize in advance. Hopefully at least some of my comments will be useful.

[Ma27]

oops, @aanderse was faster explaning our concerns %)

[rissson]

Actually, before merging that, I'd like to add configuration checking at build time.

[rissson]

Actually, before merging that, I'd like to add configuration checking at build time.

Argh it seems unbound wants its chroot directory to exist when checking the configuration. Is there a way to create, for instance, /var/lib/unbound/ when using pkgs.runCommandNoCC?

[Ma27]

It should be sufficient to create it in the build sandbox (I'd expect to get the dir thrown away after that) or am I missing something?

Stale?

[rissson]

Anything else blocking from merging this?

[lovesegfault]

I suspect verifying that even without Restart = "on-failure"; all the tests pass is the only remaining thing here.

[rissson]

They don't:

authoritative # [    7.590374] unbound[775]: [1619032662] unbound[775:0] error: can't bind socket: Cannot assign requested address for fd21::1 port 53
authoritative # [    7.607125] unbound[775]: [1619032662] unbound[775:0] fatal error: could not open ports
authoritative # [    7.612835] systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE

and I have no idea why this is happening.

[rnhmjoj]

It's trying to bind to a ULA address that has been configured manually. I'd say the service is running before network-setup.service and the interface is not set up, yet.

[rissson]

With the tests problem fixed, would it be possible to get this in for 21.05?

[andir]

With the tests problem fixed, would it be possible to get this in for 21.05?

If you write the changelog entry this is good to go in :)

[rissson]

Done!

[andir]

LGTM just remove that cherry pick line from the commit message. This should be the authoritative commit.

[rissson]

Done.

[andir]

Done.

Did yo accidentally squash to changes? The commit message still doesn't look "clean".

[rissson]

I don't think so. Does this look better?

[lovesegfault]

I don't think so. Does this look better?

I suspect nixos/unbound: deprecate extraConfig in favor of settings might be more descriptive.

As-is, it sounds like settings was added but nothing was deprecated when reading the commit title.

[lovesegfault]

Alright, with the new commit message and the tests passing as before this looks A-OK to me. Deferring to @andir to press the big green button :)

[lovesegfault]

Thank you for pushing this through @rissson! Using unbound in NixOS just got way better!