nixos: implement socket-activation for dnscrypt-proxy

The socket definition is derived from upstream with the
exception that it does not depend on network.target, as
this creates a cycle between basic.target and sockets.target.

The apparmor profile has been updated to account for additional
runtime dependencies introduced by enabling systemd support.

+22 -5
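--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -7,8 +7,7 @@
 cfg = config.services.dnscrypt-proxy;
 uid = config.ids.uids.dnscrypt-proxy;
 daemonArgs =
-[ "--daemonize"
-"--user=dnscrypt-proxy"
+[ "--user=dnscrypt-proxy"
 "--local-address=${cfg.localAddress}:${toString cfg.port}"
 (optionalString cfg.tcpOnly "--tcp-only")
 "--resolvers-list=${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
@@ -114,6 +113,10 @@
 ${dnscrypt-proxy}/share/dnscrypt-proxy/** r,
 ${pkgs.gcc.cc}/lib/libssp.so.* mr,
 ${pkgs.libsodium}/lib/libsodium.so.* mr,
+${pkgs.systemd}/lib/libsystemd.so.* mr,
+${pkgs.xz}/lib/liblzma.so.* mr,
+${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
+${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
 }
 '')
 ];
@@ -128,13 +131,27 @@
 
 ### Service definition
 
+## derived from upstream dnscrypt-proxy.socket
+systemd.sockets.dnscrypt-proxy = {
+description = "dnscrypt-proxy listening socket";
+
+socketConfig = {
+ListenStream = "${cfg.localAddress}:${toString cfg.port}";
+ListenDatagram = "${cfg.localAddress}:${toString cfg.port}";
+};
+
+wantedBy = [ "sockets.target" ];
+};
+
+# derived from upstream dnscrypt-proxy.service
 systemd.services.dnscrypt-proxy = {
 description = "dnscrypt-proxy daemon";
 after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
-requires = mkIf apparmorEnabled [ "apparmor.service" ];
-wantedBy = [ "multi-user.target" ];
+requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";
 serviceConfig = {
-Type = "forking";
+Type = "simple";
+## note: NonBlocking is required for socket activation to work
+NonBlocking = "true";
 ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
 };
 };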
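Review bot: The unit name in the new `requires` list on new line 150 carries a trailing space inside the quotes, `"dnscrypt-proxy.socket "`, so the generated Requires= names a unit that does not exist and the service's hard dependency on its socket is silently broken; it should read `requires = [ "dnscrypt-proxy.socket" ] ++ optional apparmorEnabled "apparmor.service";`. The socket block and `daemonArgs` both build the listen address from `cfg.localAddress` and `cfg.port`, and a one-line comment above `ListenStream` such as `# must match --local-address in daemonArgs` would make that coupling visible to the next person who edits either side. Since `wantedBy = [ "multi-user.target" ]` is dropped from the service, it is now started only through the socket, which is presumably intended but worth a sentence in the commit description.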