pyrox.dev / nixpkgs
lol
fork atom

Revert "nixos/dnscrypt-proxy: remove"

This reverts commit 5dc2853981b6e9287668dd17477375adfeb60ebf.
The project has a new maintainer.

rnhmjoj 4ebb9621 9dcb4b40

+424 -9
unified split
-6
nixos/doc/manual/release-notes/rl-1803.xml
··· 139 will be accessible at <literal>/run/memcached/memcached.sock</literal>. 140 </para> 141 </listitem> 142 - <listitem> 143 - <para> 144 - The DNSCrypt proxy module has been removed, the upstream project 145 - is no longer maintained. 146 - </para> 147 - </listitem> 148 </itemizedlist> 149 150 </section>
··· 139 will be accessible at <literal>/run/memcached/memcached.sock</literal>. 140 </para> 141 </listitem> 142 </itemizedlist> 143 144 </section>
+1
nixos/modules/module-list.nix
··· 446 ./services/networking/dhcpd.nix 447 ./services/networking/dnscache.nix 448 ./services/networking/dnschain.nix 449 ./services/networking/dnscrypt-wrapper.nix 450 ./services/networking/dnsmasq.nix 451 ./services/networking/ejabberd.nix
··· 446 ./services/networking/dhcpd.nix 447 ./services/networking/dnscache.nix 448 ./services/networking/dnschain.nix 449 + ./services/networking/dnscrypt-proxy.nix 450 ./services/networking/dnscrypt-wrapper.nix 451 ./services/networking/dnsmasq.nix 452 ./services/networking/ejabberd.nix
-3
nixos/modules/rename.nix
··· 89 # Tarsnap 90 (mkRenamedOptionModule [ "services" "tarsnap" "config" ] [ "services" "tarsnap" "archives" ]) 91 92 - # dnscrypt-proxy 93 - (mkRemovedOptionModule [ "services" "dnscrypt-proxy" "enable" ] "") 94 - 95 # ibus 96 (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ]) 97
··· 89 # Tarsnap 90 (mkRenamedOptionModule [ "services" "tarsnap" "config" ] [ "services" "tarsnap" "archives" ]) 91 92 # ibus 93 (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ]) 94
+321
nixos/modules/services/networking/dnscrypt-proxy.nix
···
··· 1 + { config, lib, pkgs, ... }: 2 + with lib; 3 + 4 + let 5 + cfg = config.services.dnscrypt-proxy; 6 + 7 + stateDirectory = "/var/lib/dnscrypt-proxy"; 8 + 9 + # The minisign public key used to sign the upstream resolver list. 10 + # This is somewhat more flexible than preloading the key as an 11 + # embedded string. 12 + upstreamResolverListPubKey = pkgs.fetchurl { 13 + url = https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/minisign.pub; 14 + sha256 = "18lnp8qr6ghfc2sd46nn1rhcpr324fqlvgsp4zaigw396cd7vnnh"; 15 + }; 16 + 17 + # Internal flag indicating whether the upstream resolver list is used. 18 + useUpstreamResolverList = cfg.customResolver == null; 19 + 20 + # The final local address. 21 + localAddress = "${cfg.localAddress}:${toString cfg.localPort}"; 22 + 23 + # The final resolvers list path. 24 + resolverList = "${stateDirectory}/dnscrypt-resolvers.csv"; 25 + 26 + # Build daemon command line 27 + 28 + resolverArgs = 29 + if (cfg.customResolver == null) 30 + then 31 + [ "-L ${resolverList}" 32 + "-R ${cfg.resolverName}" 33 + ] 34 + else with cfg.customResolver; 35 + [ "-N ${name}" 36 + "-k ${key}" 37 + "-r ${address}:${toString port}" 38 + ]; 39 + 40 + daemonArgs = 41 + [ "-a ${localAddress}" ] 42 + ++ resolverArgs 43 + ++ cfg.extraArgs; 44 + in 45 + 46 + { 47 + meta = { 48 + maintainers = with maintainers; [ joachifm ]; 49 + doc = ./dnscrypt-proxy.xml; 50 + }; 51 + 52 + options = { 53 + # Before adding another option, consider whether it could 54 + # equally well be passed via extraArgs. 55 + 56 + services.dnscrypt-proxy = { 57 + enable = mkOption { 58 + default = false; 59 + type = types.bool; 60 + description = "Whether to enable the DNSCrypt client proxy"; 61 + }; 62 + 63 + localAddress = mkOption { 64 + default = "127.0.0.1"; 65 + type = types.str; 66 + description = '' 67 + Listen for DNS queries to relay on this address. The only reason to 68 + change this from its default value is to proxy queries on behalf 69 + of other machines (typically on the local network). 70 + ''; 71 + }; 72 + 73 + localPort = mkOption { 74 + default = 53; 75 + type = types.int; 76 + description = '' 77 + Listen for DNS queries to relay on this port. The default value 78 + assumes that the DNSCrypt proxy should relay DNS queries directly. 79 + When running as a forwarder for another DNS client, set this option 80 + to a different value; otherwise leave the default. 81 + ''; 82 + }; 83 + 84 + resolverName = mkOption { 85 + default = "random"; 86 + example = "dnscrypt.eu-nl"; 87 + type = types.nullOr types.str; 88 + description = '' 89 + The name of the DNSCrypt resolver to use, taken from 90 + <filename>${resolverList}</filename>. The default is to 91 + pick a random non-logging resolver that supports DNSSEC. 92 + ''; 93 + }; 94 + 95 + customResolver = mkOption { 96 + default = null; 97 + description = '' 98 + Use an unlisted resolver (e.g., a private DNSCrypt provider). For 99 + advanced users only. If specified, this option takes precedence. 100 + ''; 101 + type = types.nullOr (types.submodule ({ ... }: { options = { 102 + address = mkOption { 103 + type = types.str; 104 + description = "IP address"; 105 + example = "208.67.220.220"; 106 + }; 107 + 108 + port = mkOption { 109 + type = types.int; 110 + description = "Port"; 111 + default = 443; 112 + }; 113 + 114 + name = mkOption { 115 + type = types.str; 116 + description = "Fully qualified domain name"; 117 + example = "2.dnscrypt-cert.example.com"; 118 + }; 119 + 120 + key = mkOption { 121 + type = types.str; 122 + description = "Public key"; 123 + example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79"; 124 + }; 125 + }; })); 126 + }; 127 + 128 + extraArgs = mkOption { 129 + default = []; 130 + type = types.listOf types.str; 131 + description = '' 132 + Additional command-line arguments passed verbatim to the daemon. 133 + See <citerefentry><refentrytitle>dnscrypt-proxy</refentrytitle> 134 + <manvolnum>8</manvolnum></citerefentry> for details. 135 + ''; 136 + example = [ "-X libdcplugin_example_cache.so,--min-ttl=60" ]; 137 + }; 138 + }; 139 + }; 140 + 141 + config = mkIf cfg.enable (mkMerge [{ 142 + assertions = [ 143 + { assertion = (cfg.customResolver != null) || (cfg.resolverName != null); 144 + message = "please configure upstream DNSCrypt resolver"; 145 + } 146 + ]; 147 + 148 + users.users.dnscrypt-proxy = { 149 + description = "dnscrypt-proxy daemon user"; 150 + isSystemUser = true; 151 + group = "dnscrypt-proxy"; 152 + }; 153 + users.groups.dnscrypt-proxy = {}; 154 + 155 + systemd.sockets.dnscrypt-proxy = { 156 + description = "dnscrypt-proxy listening socket"; 157 + documentation = [ "man:dnscrypt-proxy(8)" ]; 158 + 159 + wantedBy = [ "sockets.target" ]; 160 + 161 + socketConfig = { 162 + ListenStream = localAddress; 163 + ListenDatagram = localAddress; 164 + }; 165 + }; 166 + 167 + systemd.services.dnscrypt-proxy = { 168 + description = "dnscrypt-proxy daemon"; 169 + documentation = [ "man:dnscrypt-proxy(8)" ]; 170 + 171 + before = [ "nss-lookup.target" ]; 172 + after = [ "network.target" ]; 173 + requires = [ "dnscrypt-proxy.socket "]; 174 + 175 + serviceConfig = { 176 + NonBlocking = "true"; 177 + ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}"; 178 + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; 179 + 180 + User = "dnscrypt-proxy"; 181 + 182 + PrivateTmp = true; 183 + PrivateDevices = true; 184 + ProtectHome = true; 185 + }; 186 + }; 187 + } 188 + 189 + (mkIf config.security.apparmor.enable { 190 + systemd.services.dnscrypt-proxy.after = [ "apparmor.service" ]; 191 + 192 + security.apparmor.profiles = singleton (pkgs.writeText "apparmor-dnscrypt-proxy" '' 193 + ${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy { 194 + /dev/null rw, 195 + /dev/urandom r, 196 + 197 + /etc/passwd r, 198 + /etc/group r, 199 + ${config.environment.etc."nsswitch.conf".source} r, 200 + 201 + ${getLib pkgs.glibc}/lib/*.so mr, 202 + ${pkgs.tzdata}/share/zoneinfo/** r, 203 + 204 + network inet stream, 205 + network inet6 stream, 206 + network inet dgram, 207 + network inet6 dgram, 208 + 209 + ${getLib pkgs.dnscrypt-proxy}/lib/dnscrypt-proxy/libdcplugin*.so mr, 210 + 211 + ${getLib pkgs.gcc.cc}/lib/libssp.so.* mr, 212 + ${getLib pkgs.libsodium}/lib/libsodium.so.* mr, 213 + ${getLib pkgs.systemd}/lib/libsystemd.so.* mr, 214 + ${getLib pkgs.xz}/lib/liblzma.so.* mr, 215 + ${getLib pkgs.libgcrypt}/lib/libgcrypt.so.* mr, 216 + ${getLib pkgs.libgpgerror}/lib/libgpg-error.so.* mr, 217 + ${getLib pkgs.libcap}/lib/libcap.so.* mr, 218 + ${getLib pkgs.lz4}/lib/liblz4.so.* mr, 219 + ${getLib pkgs.attr}/lib/libattr.so.* mr, # */ 220 + 221 + ${resolverList} r, 222 + 223 + /run/systemd/notify rw, 224 + } 225 + ''); 226 + }) 227 + 228 + (mkIf useUpstreamResolverList { 229 + systemd.services.init-dnscrypt-proxy-statedir = { 230 + description = "Initialize dnscrypt-proxy state directory"; 231 + 232 + wantedBy = [ "dnscrypt-proxy.service" ]; 233 + before = [ "dnscrypt-proxy.service" ]; 234 + 235 + script = '' 236 + mkdir -pv ${stateDirectory} 237 + chown -c dnscrypt-proxy:dnscrypt-proxy ${stateDirectory} 238 + cp -uv \ 239 + ${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv \ 240 + ${stateDirectory} 241 + ''; 242 + 243 + serviceConfig = { 244 + Type = "oneshot"; 245 + RemainAfterExit = true; 246 + }; 247 + }; 248 + 249 + systemd.services.update-dnscrypt-resolvers = { 250 + description = "Update list of DNSCrypt resolvers"; 251 + 252 + requires = [ "init-dnscrypt-proxy-statedir.service" ]; 253 + after = [ "init-dnscrypt-proxy-statedir.service" ]; 254 + 255 + path = with pkgs; [ curl diffutils dnscrypt-proxy minisign ]; 256 + script = '' 257 + cd ${stateDirectory} 258 + domain=raw.githubusercontent.com 259 + get="curl -fSs --resolve $domain:443:$(hostip -r 8.8.8.8 $domain | head -1)" 260 + $get -o dnscrypt-resolvers.csv.tmp \ 261 + https://$domain/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv 262 + $get -o dnscrypt-resolvers.csv.minisig.tmp \ 263 + https://$domain/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv.minisig 264 + mv dnscrypt-resolvers.csv.minisig{.tmp,} 265 + if ! minisign -q -V -p ${upstreamResolverListPubKey} \ 266 + -m dnscrypt-resolvers.csv.tmp -x dnscrypt-resolvers.csv.minisig ; then 267 + echo "failed to verify resolver list!" >&2 268 + exit 1 269 + fi 270 + [[ -f dnscrypt-resolvers.csv ]] && mv dnscrypt-resolvers.csv{,.old} 271 + mv dnscrypt-resolvers.csv{.tmp,} 272 + if cmp dnscrypt-resolvers.csv{,.old} ; then 273 + echo "no change" 274 + else 275 + echo "resolver list updated" 276 + fi 277 + ''; 278 + 279 + serviceConfig = { 280 + PrivateTmp = true; 281 + PrivateDevices = true; 282 + ProtectHome = true; 283 + ProtectSystem = "strict"; 284 + ReadWritePaths = "${dirOf stateDirectory} ${stateDirectory}"; 285 + SystemCallFilter = "~@mount"; 286 + }; 287 + }; 288 + 289 + systemd.timers.update-dnscrypt-resolvers = { 290 + wantedBy = [ "timers.target" ]; 291 + timerConfig = { 292 + OnBootSec = "5min"; 293 + OnUnitActiveSec = "6h"; 294 + }; 295 + }; 296 + }) 297 + ]); 298 + 299 + imports = [ 300 + (mkRenamedOptionModule [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ]) 301 + 302 + (mkChangedOptionModule 303 + [ "services" "dnscrypt-proxy" "tcpOnly" ] 304 + [ "services" "dnscrypt-proxy" "extraArgs" ] 305 + (config: 306 + let val = getAttrFromPath [ "services" "dnscrypt-proxy" "tcpOnly" ] config; in 307 + optional val "-T")) 308 + 309 + (mkChangedOptionModule 310 + [ "services" "dnscrypt-proxy" "ephemeralKeys" ] 311 + [ "services" "dnscrypt-proxy" "extraArgs" ] 312 + (config: 313 + let val = getAttrFromPath [ "services" "dnscrypt-proxy" "ephemeralKeys" ] config; in 314 + optional val "-E")) 315 + 316 + (mkRemovedOptionModule [ "services" "dnscrypt-proxy" "resolverList" ] '' 317 + The current resolver listing from upstream is always used 318 + unless a custom resolver is specified. 319 + '') 320 + ]; 321 + }
+69
nixos/modules/services/networking/dnscrypt-proxy.xml
···
··· 1 + <chapter xmlns="http://docbook.org/ns/docbook" 2 + xmlns:xlink="http://www.w3.org/1999/xlink" 3 + xmlns:xi="http://www.w3.org/2001/XInclude" 4 + version="5.0" 5 + xml:id="sec-dnscrypt-proxy"> 6 + 7 + <title>DNSCrypt client proxy</title> 8 + 9 + <para> 10 + The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled 11 + upstream resolver. The traffic between the client and the upstream 12 + resolver is encrypted and authenticated, mitigating the risk of MITM 13 + attacks, DNS poisoning attacks, and third-party snooping (assuming the 14 + upstream is trustworthy). 15 + </para> 16 + 17 + <sect1><title>Basic configuration</title> 18 + 19 + <para> 20 + To enable the client proxy, set 21 + <programlisting> 22 + services.dnscrypt-proxy.enable = true; 23 + </programlisting> 24 + </para> 25 + 26 + <para> 27 + Enabling the client proxy does not alter the system nameserver; to 28 + relay local queries, prepend <literal>127.0.0.1</literal> to 29 + <option>networking.nameservers</option>. 30 + </para> 31 + 32 + </sect1> 33 + 34 + <sect1><title>As a forwarder for another DNS client</title> 35 + 36 + <para> 37 + To run the DNSCrypt proxy client as a forwarder for another 38 + DNS client, change the default proxy listening port to a 39 + non-standard value and point the other client to it: 40 + <programlisting> 41 + services.dnscrypt-proxy.localPort = 43; 42 + </programlisting> 43 + </para> 44 + 45 + <sect2><title>dnsmasq</title> 46 + <para> 47 + <programlisting> 48 + { 49 + services.dnsmasq.enable = true; 50 + services.dnsmasq.servers = [ "127.0.0.1#43" ]; 51 + } 52 + </programlisting> 53 + </para> 54 + </sect2> 55 + 56 + <sect2><title>unbound</title> 57 + <para> 58 + <programlisting> 59 + { 60 + services.unbound.enable = true; 61 + services.unbound.forwardAddresses = [ "127.0.0.1@43" ]; 62 + } 63 + </programlisting> 64 + </para> 65 + </sect2> 66 + 67 + </sect1> 68 + 69 + </chapter>
+1
nixos/release.nix
··· 255 tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; }); 256 tests.docker-edge = hydraJob (import tests/docker-edge.nix { system = "x86_64-linux"; }); 257 tests.dovecot = callTest tests/dovecot.nix {}; 258 tests.ecryptfs = callTest tests/ecryptfs.nix {}; 259 tests.etcd = hydraJob (import tests/etcd.nix { system = "x86_64-linux"; }); 260 tests.ec2-nixops = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-nixops;
··· 255 tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; }); 256 tests.docker-edge = hydraJob (import tests/docker-edge.nix { system = "x86_64-linux"; }); 257 tests.dovecot = callTest tests/dovecot.nix {}; 258 + tests.dnscrypt-proxy = callTest tests/dnscrypt-proxy.nix { system = "x86_64-linux"; }; 259 tests.ecryptfs = callTest tests/ecryptfs.nix {}; 260 tests.etcd = hydraJob (import tests/etcd.nix { system = "x86_64-linux"; }); 261 tests.ec2-nixops = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-nixops;
+32
nixos/tests/dnscrypt-proxy.nix
···
··· 1 + import ./make-test.nix ({ pkgs, ... }: { 2 + name = "dnscrypt-proxy"; 3 + meta = with pkgs.stdenv.lib.maintainers; { 4 + maintainers = [ joachifm ]; 5 + }; 6 + 7 + nodes = { 8 + # A client running the recommended setup: DNSCrypt proxy as a forwarder 9 + # for a caching DNS client. 10 + client = 11 + { config, pkgs, ... }: 12 + let localProxyPort = 43; in 13 + { 14 + security.apparmor.enable = true; 15 + 16 + services.dnscrypt-proxy.enable = true; 17 + services.dnscrypt-proxy.localPort = localProxyPort; 18 + services.dnscrypt-proxy.extraArgs = [ "-X libdcplugin_example.so" ]; 19 + 20 + services.dnsmasq.enable = true; 21 + services.dnsmasq.servers = [ "127.0.0.1#${toString localProxyPort}" ]; 22 + }; 23 + }; 24 + 25 + testScript = '' 26 + $client->waitForUnit("dnsmasq"); 27 + 28 + # The daemon is socket activated; sending a single ping should activate it. 29 + $client->execute("${pkgs.iputils}/bin/ping -c1 example.com"); 30 + $client->succeed("systemctl is-active dnscrypt-proxy"); 31 + ''; 32 + })