lol

nixos/dnscrypt-wrapper: make provider keys configurable

rnhmjoj 743eea4c fd3727a3

+44 -7
+44 -7
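--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -5,12 +5,20 @@
   cfg = config.services.dnscrypt-wrapper;
   dataDir = "/var/lib/dnscrypt-wrapper";
 
+  mkPath = path: default:
+    if path != null
+      then toString path
+      else default;
+
+  publicKey = mkPath cfg.providerKey.public "${dataDir}/public.key";
+  secretKey = mkPath cfg.providerKey.secret "${dataDir}/secret.key";
+
   daemonArgs = with cfg; [
     "--listen-address=${address}:${toString port}"
     "--resolver-address=${upstream.address}:${toString upstream.port}"
     "--provider-name=${providerName}"
-    "--provider-publickey-file=public.key"
-    "--provider-secretkey-file=secret.key"
+    "--provider-publickey-file=${publicKey}"
+    "--provider-secretkey-file=${secretKey}"
     "--provider-cert-file=${providerName}.crt"
     "--crypt-secretkey-file=${providerName}.key"
   ];
@@ -24,17 +32,19 @@
       dnscrypt-wrapper --gen-cert-file \
         --crypt-secretkey-file=${cfg.providerName}.key \
         --provider-cert-file=${cfg.providerName}.crt \
-        --provider-publickey-file=public.key \
-        --provider-secretkey-file=secret.key \
+        --provider-publickey-file=${publicKey} \
+        --provider-secretkey-file=${secretKey} \
         --cert-file-expire-days=${toString cfg.keys.expiration}
     }
 
     cd ${dataDir}
 
     # generate provider keypair (first run only)
-    if [ ! -f public.key ] || [ ! -f secret.key ]; then
-      dnscrypt-wrapper --gen-provider-keypair
-    fi
+    ${optionalString (cfg.providerKey.public == null || cfg.providerKey.secret == null) ''
+      if [ ! -f ${publicKey} ] || [ ! -f ${secretKey} ]; then
+        dnscrypt-wrapper --gen-provider-keypair
+      fi
+    ''}
 
     # generate new keys for rotation
     if [ ! -f ${cfg.providerName}.key ] || [ ! -f ${cfg.providerName}.crt ]; then
@@ -139,6 +149,26 @@
       '';
     };
 
+    providerKey.public = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "/etc/secrets/public.key";
+      description = ''
+        The filepath to the provider public key. If not given a new
+        provider key pair will be generated on the first run.
+      '';
+    };
+
+    providerKey.secret = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "/etc/secrets/secret.key";
+      description = ''
+        The filepath to the provider secret key. If not given a new
+        provider key pair will be generated on the first run.
+      '';
+    };
+
     upstream.address = mkOption {
       type = types.str;
       default = "127.0.0.1";
@@ -236,6 +266,13 @@
       OnUnitActiveSec = cfg.keys.checkInterval * 60;
     };
   };
+
+  assertions = with cfg; [
+    { assertion = (providerKey.public == null && providerKey.secret == null) ||
+                  (providerKey.secret != null && providerKey.public != null);
+      message = "The secret and public provider key must be set together.";
+    }
+  ];
 
 };
 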
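Review bot: The description of `providerKey.secret` (new lines 166-169) says nothing about where the file may live: the option is `types.nullOr types.path`, which also accepts a path literal such as `./secret.key`, and although `mkPath` passes it through `toString` rather than interpolating it, a user who writes `"${./secret.key}"` or otherwise stages the file in the Nix store will have the provider secret key world-readable; the description should state that the file must reside outside the store (as the `/etc/secrets/...` example suggests) and be readable by the service, and that both `providerKey.public` and `providerKey.secret` must be set together, which the new assertion at lines 270-275 enforces but neither description mentions. The shell in the second hunk interpolates the user-supplied paths unquoted, so a path containing whitespace breaks the test; `if [ ! -f "${publicKey}" ] || [ ! -f "${secretKey}" ]; then` and quoting the two `--provider-*key-file=` arguments in the `gen-cert-file` call would avoid that. When keys are supplied, a missing or unreadable file is only discovered by `dnscrypt-wrapper` itself; presumably a `test -r "${secretKey}"` guard with a clear error before `cd ${dataDir}` would make the failure easier to diagnose. The shell function and the option/config attribute sets begin and end outside these hunks.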