nixos: cosmetic improvements to dnscrypt-proxy service module

Remove superfluous whitespace & comments

+29 -56
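--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -15,26 +15,19 @@
 in
 
 {
-##### interface
-
 options = {
-
 services.dnscrypt-proxy = {
-
 enable = mkOption {
 default = false;
 type = types.bool;
 description = ''
-Enable dnscrypt-proxy.
-The proxy relays regular DNS queries to a DNSCrypt enabled
-upstream resolver.
-The traffic between the client and the upstream resolver is
-encrypted and authenticated, which may mitigate the risk of MITM
-attacks and third-party snooping (assuming the upstream is
-trustworthy).
+Enable dnscrypt-proxy. The proxy relays regular DNS queries to a
+DNSCrypt enabled upstream resolver. The traffic between the
+client and the upstream resolver is encrypted and authenticated,
+which may mitigate the risk of MITM attacks and third-party
+snooping (assuming the upstream is trustworthy).
 '';
 };
-
 localAddress = mkOption {
 default = "127.0.0.1";
 type = types.string;
@@ -42,7 +35,6 @@
 Listen for DNS queries on this address.
 '';
 };
-
 port = mkOption {
 default = 53;
 type = types.int;
@@ -50,7 +42,6 @@
 Listen on this port.
 '';
 };
-
 resolverName = mkOption {
 default = "opendns";
 type = types.string;
@@ -61,59 +52,47 @@
 location).
 '';
 };
-
 tcpOnly = mkOption {
 default = false;
 type = types.bool;
 description = ''
 Force sending encrypted DNS queries to the upstream resolver
-over TCP instead of UDP (on port 443).
-Enabling this option may help circumvent filtering, but should
-not be used otherwise.
+over TCP instead of UDP (on port 443). Enabling this option may
+help circumvent filtering, but should not be used otherwise.
 '';
 };
-
 };
-
 };
 
-##### implementation
-
 config = mkIf cfg.enable {
 
-### AppArmor profile
+security.apparmor.profiles = mkIf apparmorEnabled (singleton (pkgs.writeText "apparmor-dnscrypt-proxy" ''
+${dnscrypt-proxy}/bin/dnscrypt-proxy {
+/dev/null rw,
+/dev/urandom r,
 
-security.apparmor.profiles = mkIf apparmorEnabled [
-(pkgs.writeText "apparmor-dnscrypt-proxy" ''
+/etc/passwd r,
+/etc/group r,
+${config.environment.etc."nsswitch.conf".source} r,
 
-${dnscrypt-proxy}/bin/dnscrypt-proxy {
+${pkgs.glibc}/lib/*.so mr,
+${pkgs.tzdata}/share/zoneinfo/** r,
 
-/dev/null rw,
-/dev/urandom r,
+network inet stream,
+network inet6 stream,
+network inet dgram,
+network inet6 dgram,
 
-/etc/passwd r,
-/etc/group r,
-${config.environment.etc."nsswitch.conf".source} r,
-
-${pkgs.glibc}/lib/*.so mr,
-${pkgs.tzdata}/share/zoneinfo/** r,
-
-network inet stream,
-network inet6 stream,
-network inet dgram,
-network inet6 dgram,
-
-${pkgs.gcc.cc}/lib/libssp.so.* mr,
-${pkgs.libsodium}/lib/libsodium.so.* mr,
-${pkgs.systemd}/lib/libsystemd.so.* mr,
-${pkgs.xz}/lib/liblzma.so.* mr,
-${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
-${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
+${pkgs.gcc.cc}/lib/libssp.so.* mr,
+${pkgs.libsodium}/lib/libsodium.so.* mr,
+${pkgs.systemd}/lib/libsystemd.so.* mr,
+${pkgs.xz}/lib/liblzma.so.* mr,
+${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
+${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
 
-${resolverListFile} r,
-}
-'')
-];
+${resolverListFile} r,
+}
+''));
 
 users.extraUsers.dnscrypt-proxy = {
 uid = config.ids.uids.dnscrypt-proxy;
@@ -121,26 +100,21 @@
 };
 users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;
 
-## derived from upstream dnscrypt-proxy.socket
 systemd.sockets.dnscrypt-proxy = {
 description = "dnscrypt-proxy listening socket";
-
 socketConfig = {
 ListenStream = "${cfg.localAddress}:${toString cfg.port}";
 ListenDatagram = "${cfg.localAddress}:${toString cfg.port}";
 };
-
 wantedBy = [ "sockets.target" ];
 };
 
-# derived from upstream dnscrypt-proxy.service
 systemd.services.dnscrypt-proxy = {
 description = "dnscrypt-proxy daemon";
 after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
 requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";
 serviceConfig = {
 Type = "simple";
-## note: NonBlocking is required for socket activation to work
 NonBlocking = "true";
 ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
 User = "dnscrypt-proxy";
@@ -149,6 +123,5 @@
 PrivateDevices = true;
 };
 };
-
 };
 }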
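Review bot: The `requires` list at new line 115 still carries a stray space inside the string literal, `"dnscrypt-proxy.socket "`, with the closing quote and bracket misplaced; a cosmetic cleanup commit is the place to fix it, so `requires = [ "dnscrypt-proxy.socket" ] ++ optional apparmorEnabled "apparmor.service";`. systemd most likely tolerates it because Requires= is a whitespace-separated list, but the generated unit still contains a doubled separator and the typo is easy to copy into other modules. Separately, dropping the `## note: NonBlocking is required for socket activation to work` comment (old line 143) loses the only why-comment in the service definition; `NonBlocking = "true"` is not self-explanatory, so I would keep it as `# NonBlocking is required for socket activation to work` above new line 118. The `config = mkIf cfg.enable { … }` attribute set that holds both units begins in the fourth hunk and closes in the last one.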