-6

nixos/doc/manual/release-notes/rl-1803.xml

··· 139 139 will be accessible at <literal>/run/memcached/memcached.sock</literal>. 140 140 </para> 141 141 </listitem> 142 142 - <listitem> 143 143 - <para> 144 144 - The DNSCrypt proxy module has been removed, the upstream project 145 145 - is no longer maintained. 146 146 - </para> 147 147 - </listitem> 148 142 </itemizedlist> 149 143 150 144 </section>

+1

nixos/modules/module-list.nix

··· 446 446 ./services/networking/dhcpd.nix 447 447 ./services/networking/dnscache.nix 448 448 ./services/networking/dnschain.nix 449 449 + ./services/networking/dnscrypt-proxy.nix 449 450 ./services/networking/dnscrypt-wrapper.nix 450 451 ./services/networking/dnsmasq.nix 451 452 ./services/networking/ejabberd.nix

-3

nixos/modules/rename.nix

··· 89 89 # Tarsnap 90 90 (mkRenamedOptionModule [ "services" "tarsnap" "config" ] [ "services" "tarsnap" "archives" ]) 91 91 92 92 - # dnscrypt-proxy 93 93 - (mkRemovedOptionModule [ "services" "dnscrypt-proxy" "enable" ] "") 94 94 - 95 92 # ibus 96 93 (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ]) 97 94

+321

nixos/modules/services/networking/dnscrypt-proxy.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + with lib; 3 3 + 4 4 + let 5 5 + cfg = config.services.dnscrypt-proxy; 6 6 + 7 7 + stateDirectory = "/var/lib/dnscrypt-proxy"; 8 8 + 9 9 + # The minisign public key used to sign the upstream resolver list. 10 10 + # This is somewhat more flexible than preloading the key as an 11 11 + # embedded string. 12 12 + upstreamResolverListPubKey = pkgs.fetchurl { 13 13 + url = https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/minisign.pub; 14 14 + sha256 = "18lnp8qr6ghfc2sd46nn1rhcpr324fqlvgsp4zaigw396cd7vnnh"; 15 15 + }; 16 16 + 17 17 + # Internal flag indicating whether the upstream resolver list is used. 18 18 + useUpstreamResolverList = cfg.customResolver == null; 19 19 + 20 20 + # The final local address. 21 21 + localAddress = "${cfg.localAddress}:${toString cfg.localPort}"; 22 22 + 23 23 + # The final resolvers list path. 24 24 + resolverList = "${stateDirectory}/dnscrypt-resolvers.csv"; 25 25 + 26 26 + # Build daemon command line 27 27 + 28 28 + resolverArgs = 29 29 + if (cfg.customResolver == null) 30 30 + then 31 31 + [ "-L ${resolverList}" 32 32 + "-R ${cfg.resolverName}" 33 33 + ] 34 34 + else with cfg.customResolver; 35 35 + [ "-N ${name}" 36 36 + "-k ${key}" 37 37 + "-r ${address}:${toString port}" 38 38 + ]; 39 39 + 40 40 + daemonArgs = 41 41 + [ "-a ${localAddress}" ] 42 42 + ++ resolverArgs 43 43 + ++ cfg.extraArgs; 44 44 + in 45 45 + 46 46 + { 47 47 + meta = { 48 48 + maintainers = with maintainers; [ joachifm ]; 49 49 + doc = ./dnscrypt-proxy.xml; 50 50 + }; 51 51 + 52 52 + options = { 53 53 + # Before adding another option, consider whether it could 54 54 + # equally well be passed via extraArgs. 55 55 + 56 56 + services.dnscrypt-proxy = { 57 57 + enable = mkOption { 58 58 + default = false; 59 59 + type = types.bool; 60 60 + description = "Whether to enable the DNSCrypt client proxy"; 61 61 + }; 62 62 + 63 63 + localAddress = mkOption { 64 64 + default = "127.0.0.1"; 65 65 + type = types.str; 66 66 + description = '' 67 67 + Listen for DNS queries to relay on this address. The only reason to 68 68 + change this from its default value is to proxy queries on behalf 69 69 + of other machines (typically on the local network). 70 70 + ''; 71 71 + }; 72 72 + 73 73 + localPort = mkOption { 74 74 + default = 53; 75 75 + type = types.int; 76 76 + description = '' 77 77 + Listen for DNS queries to relay on this port. The default value 78 78 + assumes that the DNSCrypt proxy should relay DNS queries directly. 79 79 + When running as a forwarder for another DNS client, set this option 80 80 + to a different value; otherwise leave the default. 81 81 + ''; 82 82 + }; 83 83 + 84 84 + resolverName = mkOption { 85 85 + default = "random"; 86 86 + example = "dnscrypt.eu-nl"; 87 87 + type = types.nullOr types.str; 88 88 + description = '' 89 89 + The name of the DNSCrypt resolver to use, taken from 90 90 + <filename>${resolverList}</filename>. The default is to 91 91 + pick a random non-logging resolver that supports DNSSEC. 92 92 + ''; 93 93 + }; 94 94 + 95 95 + customResolver = mkOption { 96 96 + default = null; 97 97 + description = '' 98 98 + Use an unlisted resolver (e.g., a private DNSCrypt provider). For 99 99 + advanced users only. If specified, this option takes precedence. 100 100 + ''; 101 101 + type = types.nullOr (types.submodule ({ ... }: { options = { 102 102 + address = mkOption { 103 103 + type = types.str; 104 104 + description = "IP address"; 105 105 + example = "208.67.220.220"; 106 106 + }; 107 107 + 108 108 + port = mkOption { 109 109 + type = types.int; 110 110 + description = "Port"; 111 111 + default = 443; 112 112 + }; 113 113 + 114 114 + name = mkOption { 115 115 + type = types.str; 116 116 + description = "Fully qualified domain name"; 117 117 + example = "2.dnscrypt-cert.example.com"; 118 118 + }; 119 119 + 120 120 + key = mkOption { 121 121 + type = types.str; 122 122 + description = "Public key"; 123 123 + example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79"; 124 124 + }; 125 125 + }; })); 126 126 + }; 127 127 + 128 128 + extraArgs = mkOption { 129 129 + default = []; 130 130 + type = types.listOf types.str; 131 131 + description = '' 132 132 + Additional command-line arguments passed verbatim to the daemon. 133 133 + See <citerefentry><refentrytitle>dnscrypt-proxy</refentrytitle> 134 134 + <manvolnum>8</manvolnum></citerefentry> for details. 135 135 + ''; 136 136 + example = [ "-X libdcplugin_example_cache.so,--min-ttl=60" ]; 137 137 + }; 138 138 + }; 139 139 + }; 140 140 + 141 141 + config = mkIf cfg.enable (mkMerge [{ 142 142 + assertions = [ 143 143 + { assertion = (cfg.customResolver != null) || (cfg.resolverName != null); 144 144 + message = "please configure upstream DNSCrypt resolver"; 145 145 + } 146 146 + ]; 147 147 + 148 148 + users.users.dnscrypt-proxy = { 149 149 + description = "dnscrypt-proxy daemon user"; 150 150 + isSystemUser = true; 151 151 + group = "dnscrypt-proxy"; 152 152 + }; 153 153 + users.groups.dnscrypt-proxy = {}; 154 154 + 155 155 + systemd.sockets.dnscrypt-proxy = { 156 156 + description = "dnscrypt-proxy listening socket"; 157 157 + documentation = [ "man:dnscrypt-proxy(8)" ]; 158 158 + 159 159 + wantedBy = [ "sockets.target" ]; 160 160 + 161 161 + socketConfig = { 162 162 + ListenStream = localAddress; 163 163 + ListenDatagram = localAddress; 164 164 + }; 165 165 + }; 166 166 + 167 167 + systemd.services.dnscrypt-proxy = { 168 168 + description = "dnscrypt-proxy daemon"; 169 169 + documentation = [ "man:dnscrypt-proxy(8)" ]; 170 170 + 171 171 + before = [ "nss-lookup.target" ]; 172 172 + after = [ "network.target" ]; 173 173 + requires = [ "dnscrypt-proxy.socket "]; 174 174 + 175 175 + serviceConfig = { 176 176 + NonBlocking = "true"; 177 177 + ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}"; 178 178 + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; 179 179 + 180 180 + User = "dnscrypt-proxy"; 181 181 + 182 182 + PrivateTmp = true; 183 183 + PrivateDevices = true; 184 184 + ProtectHome = true; 185 185 + }; 186 186 + }; 187 187 + } 188 188 + 189 189 + (mkIf config.security.apparmor.enable { 190 190 + systemd.services.dnscrypt-proxy.after = [ "apparmor.service" ]; 191 191 + 192 192 + security.apparmor.profiles = singleton (pkgs.writeText "apparmor-dnscrypt-proxy" '' 193 193 + ${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy { 194 194 + /dev/null rw, 195 195 + /dev/urandom r, 196 196 + 197 197 + /etc/passwd r, 198 198 + /etc/group r, 199 199 + ${config.environment.etc."nsswitch.conf".source} r, 200 200 + 201 201 + ${getLib pkgs.glibc}/lib/*.so mr, 202 202 + ${pkgs.tzdata}/share/zoneinfo/** r, 203 203 + 204 204 + network inet stream, 205 205 + network inet6 stream, 206 206 + network inet dgram, 207 207 + network inet6 dgram, 208 208 + 209 209 + ${getLib pkgs.dnscrypt-proxy}/lib/dnscrypt-proxy/libdcplugin*.so mr, 210 210 + 211 211 + ${getLib pkgs.gcc.cc}/lib/libssp.so.* mr, 212 212 + ${getLib pkgs.libsodium}/lib/libsodium.so.* mr, 213 213 + ${getLib pkgs.systemd}/lib/libsystemd.so.* mr, 214 214 + ${getLib pkgs.xz}/lib/liblzma.so.* mr, 215 215 + ${getLib pkgs.libgcrypt}/lib/libgcrypt.so.* mr, 216 216 + ${getLib pkgs.libgpgerror}/lib/libgpg-error.so.* mr, 217 217 + ${getLib pkgs.libcap}/lib/libcap.so.* mr, 218 218 + ${getLib pkgs.lz4}/lib/liblz4.so.* mr, 219 219 + ${getLib pkgs.attr}/lib/libattr.so.* mr, # */ 220 220 + 221 221 + ${resolverList} r, 222 222 + 223 223 + /run/systemd/notify rw, 224 224 + } 225 225 + ''); 226 226 + }) 227 227 + 228 228 + (mkIf useUpstreamResolverList { 229 229 + systemd.services.init-dnscrypt-proxy-statedir = { 230 230 + description = "Initialize dnscrypt-proxy state directory"; 231 231 + 232 232 + wantedBy = [ "dnscrypt-proxy.service" ]; 233 233 + before = [ "dnscrypt-proxy.service" ]; 234 234 + 235 235 + script = '' 236 236 + mkdir -pv ${stateDirectory} 237 237 + chown -c dnscrypt-proxy:dnscrypt-proxy ${stateDirectory} 238 238 + cp -uv \ 239 239 + ${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv \ 240 240 + ${stateDirectory} 241 241 + ''; 242 242 + 243 243 + serviceConfig = { 244 244 + Type = "oneshot"; 245 245 + RemainAfterExit = true; 246 246 + }; 247 247 + }; 248 248 + 249 249 + systemd.services.update-dnscrypt-resolvers = { 250 250 + description = "Update list of DNSCrypt resolvers"; 251 251 + 252 252 + requires = [ "init-dnscrypt-proxy-statedir.service" ]; 253 253 + after = [ "init-dnscrypt-proxy-statedir.service" ]; 254 254 + 255 255 + path = with pkgs; [ curl diffutils dnscrypt-proxy minisign ]; 256 256 + script = '' 257 257 + cd ${stateDirectory} 258 258 + domain=raw.githubusercontent.com 259 259 + get="curl -fSs --resolve $domain:443:$(hostip -r 8.8.8.8 $domain | head -1)" 260 260 + $get -o dnscrypt-resolvers.csv.tmp \ 261 261 + https://$domain/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv 262 262 + $get -o dnscrypt-resolvers.csv.minisig.tmp \ 263 263 + https://$domain/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv.minisig 264 264 + mv dnscrypt-resolvers.csv.minisig{.tmp,} 265 265 + if ! minisign -q -V -p ${upstreamResolverListPubKey} \ 266 266 + -m dnscrypt-resolvers.csv.tmp -x dnscrypt-resolvers.csv.minisig ; then 267 267 + echo "failed to verify resolver list!" >&2 268 268 + exit 1 269 269 + fi 270 270 + [[ -f dnscrypt-resolvers.csv ]] && mv dnscrypt-resolvers.csv{,.old} 271 271 + mv dnscrypt-resolvers.csv{.tmp,} 272 272 + if cmp dnscrypt-resolvers.csv{,.old} ; then 273 273 + echo "no change" 274 274 + else 275 275 + echo "resolver list updated" 276 276 + fi 277 277 + ''; 278 278 + 279 279 + serviceConfig = { 280 280 + PrivateTmp = true; 281 281 + PrivateDevices = true; 282 282 + ProtectHome = true; 283 283 + ProtectSystem = "strict"; 284 284 + ReadWritePaths = "${dirOf stateDirectory} ${stateDirectory}"; 285 285 + SystemCallFilter = "~@mount"; 286 286 + }; 287 287 + }; 288 288 + 289 289 + systemd.timers.update-dnscrypt-resolvers = { 290 290 + wantedBy = [ "timers.target" ]; 291 291 + timerConfig = { 292 292 + OnBootSec = "5min"; 293 293 + OnUnitActiveSec = "6h"; 294 294 + }; 295 295 + }; 296 296 + }) 297 297 + ]); 298 298 + 299 299 + imports = [ 300 300 + (mkRenamedOptionModule [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ]) 301 301 + 302 302 + (mkChangedOptionModule 303 303 + [ "services" "dnscrypt-proxy" "tcpOnly" ] 304 304 + [ "services" "dnscrypt-proxy" "extraArgs" ] 305 305 + (config: 306 306 + let val = getAttrFromPath [ "services" "dnscrypt-proxy" "tcpOnly" ] config; in 307 307 + optional val "-T")) 308 308 + 309 309 + (mkChangedOptionModule 310 310 + [ "services" "dnscrypt-proxy" "ephemeralKeys" ] 311 311 + [ "services" "dnscrypt-proxy" "extraArgs" ] 312 312 + (config: 313 313 + let val = getAttrFromPath [ "services" "dnscrypt-proxy" "ephemeralKeys" ] config; in 314 314 + optional val "-E")) 315 315 + 316 316 + (mkRemovedOptionModule [ "services" "dnscrypt-proxy" "resolverList" ] '' 317 317 + The current resolver listing from upstream is always used 318 318 + unless a custom resolver is specified. 319 319 + '') 320 320 + ]; 321 321 + }

+69

nixos/modules/services/networking/dnscrypt-proxy.xml

··· 1 1 + <chapter xmlns="http://docbook.org/ns/docbook" 2 2 + xmlns:xlink="http://www.w3.org/1999/xlink" 3 3 + xmlns:xi="http://www.w3.org/2001/XInclude" 4 4 + version="5.0" 5 5 + xml:id="sec-dnscrypt-proxy"> 6 6 + 7 7 + <title>DNSCrypt client proxy</title> 8 8 + 9 9 + <para> 10 10 + The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled 11 11 + upstream resolver. The traffic between the client and the upstream 12 12 + resolver is encrypted and authenticated, mitigating the risk of MITM 13 13 + attacks, DNS poisoning attacks, and third-party snooping (assuming the 14 14 + upstream is trustworthy). 15 15 + </para> 16 16 + 17 17 + <sect1><title>Basic configuration</title> 18 18 + 19 19 + <para> 20 20 + To enable the client proxy, set 21 21 + <programlisting> 22 22 + services.dnscrypt-proxy.enable = true; 23 23 + </programlisting> 24 24 + </para> 25 25 + 26 26 + <para> 27 27 + Enabling the client proxy does not alter the system nameserver; to 28 28 + relay local queries, prepend <literal>127.0.0.1</literal> to 29 29 + <option>networking.nameservers</option>. 30 30 + </para> 31 31 + 32 32 + </sect1> 33 33 + 34 34 + <sect1><title>As a forwarder for another DNS client</title> 35 35 + 36 36 + <para> 37 37 + To run the DNSCrypt proxy client as a forwarder for another 38 38 + DNS client, change the default proxy listening port to a 39 39 + non-standard value and point the other client to it: 40 40 + <programlisting> 41 41 + services.dnscrypt-proxy.localPort = 43; 42 42 + </programlisting> 43 43 + </para> 44 44 + 45 45 + <sect2><title>dnsmasq</title> 46 46 + <para> 47 47 + <programlisting> 48 48 + { 49 49 + services.dnsmasq.enable = true; 50 50 + services.dnsmasq.servers = [ "127.0.0.1#43" ]; 51 51 + } 52 52 + </programlisting> 53 53 + </para> 54 54 + </sect2> 55 55 + 56 56 + <sect2><title>unbound</title> 57 57 + <para> 58 58 + <programlisting> 59 59 + { 60 60 + services.unbound.enable = true; 61 61 + services.unbound.forwardAddresses = [ "127.0.0.1@43" ]; 62 62 + } 63 63 + </programlisting> 64 64 + </para> 65 65 + </sect2> 66 66 + 67 67 + </sect1> 68 68 + 69 69 + </chapter>

+1

nixos/release.nix

··· 255 255 tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; }); 256 256 tests.docker-edge = hydraJob (import tests/docker-edge.nix { system = "x86_64-linux"; }); 257 257 tests.dovecot = callTest tests/dovecot.nix {}; 258 258 + tests.dnscrypt-proxy = callTest tests/dnscrypt-proxy.nix { system = "x86_64-linux"; }; 258 259 tests.ecryptfs = callTest tests/ecryptfs.nix {}; 259 260 tests.etcd = hydraJob (import tests/etcd.nix { system = "x86_64-linux"; }); 260 261 tests.ec2-nixops = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-nixops;

+32

nixos/tests/dnscrypt-proxy.nix

··· 1 1 + import ./make-test.nix ({ pkgs, ... }: { 2 2 + name = "dnscrypt-proxy"; 3 3 + meta = with pkgs.stdenv.lib.maintainers; { 4 4 + maintainers = [ joachifm ]; 5 5 + }; 6 6 + 7 7 + nodes = { 8 8 + # A client running the recommended setup: DNSCrypt proxy as a forwarder 9 9 + # for a caching DNS client. 10 10 + client = 11 11 + { config, pkgs, ... }: 12 12 + let localProxyPort = 43; in 13 13 + { 14 14 + security.apparmor.enable = true; 15 15 + 16 16 + services.dnscrypt-proxy.enable = true; 17 17 + services.dnscrypt-proxy.localPort = localProxyPort; 18 18 + services.dnscrypt-proxy.extraArgs = [ "-X libdcplugin_example.so" ]; 19 19 + 20 20 + services.dnsmasq.enable = true; 21 21 + services.dnsmasq.servers = [ "127.0.0.1#${toString localProxyPort}" ]; 22 22 + }; 23 23 + }; 24 24 + 25 25 + testScript = '' 26 26 + $client->waitForUnit("dnsmasq"); 27 27 + 28 28 + # The daemon is socket activated; sending a single ping should activate it. 29 29 + $client->execute("${pkgs.iputils}/bin/ping -c1 example.com"); 30 30 + $client->succeed("systemctl is-active dnscrypt-proxy"); 31 31 + ''; 32 32 + })