nixos/dnscrypt-wrapper: avoid using polkit

rnhmjoj c7c288fb f65d93f9

+5 -16
+5 -16
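--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -71,9 +71,9 @@
 if ! keyValid; then
 echo "certificate soon to become invalid; backing up old cert"
 mkdir -p oldkeys
-mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
-mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
-systemctl restart dnscrypt-wrapper
+mv -v "${cfg.providerName}.key" "oldkeys/${cfg.providerName}-$(date +%F-%T).key"
+mv -v "${cfg.providerName}.crt" "oldkeys/${cfg.providerName}-$(date +%F-%T).crt"
+kill "$(pidof -s dnscrypt-wrapper)"
 fi
 '';
 
@@ -222,17 +222,6 @@
 };
 users.groups.dnscrypt-wrapper = { };
 
-security.polkit.extraConfig = ''
-// Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service
-polkit.addRule(function(action, subject) {
-if (action.id == "org.freedesktop.systemd1.manage-units" &&
-action.lookup("unit") == "dnscrypt-wrapper.service" &&
-subject.user == "dnscrypt-wrapper") {
-return polkit.Result.YES;
-}
-});
-'';
-
 systemd.services.dnscrypt-wrapper = {
 description = "dnscrypt-wrapper daemon";
 after = [ "network.target" ];
@@ -242,7 +231,7 @@
 serviceConfig = {
 User = "dnscrypt-wrapper";
 WorkingDirectory = dataDir;
-Restart = "on-failure";
+Restart = "always";
 ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}";
 };
 
@@ -255,7 +244,7 @@
 requires = [ "dnscrypt-wrapper.service" ];
 description = "Rotates DNSCrypt wrapper keys if soon to expire";
 
-path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ];
+path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk procps ];
 script = rotateKeys;
 serviceConfig.User = "dnscrypt-wrapper";
 };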
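Review bot: In the rotation script, `kill "$(pidof -s dnscrypt-wrapper)"` picks its target by process name and is not guarded against an empty result, so when no daemon is running the call becomes `kill ""` and fails after the key and certificate have already been moved into `oldkeys`. Resolving the PID first keeps that case explicit: `pid="$(pidof -s dnscrypt-wrapper)" || { echo "dnscrypt-wrapper not running"; exit 0; }` followed by `kill "$pid"`. The restart now depends entirely on `Restart = "always"` in the service unit, which deserves a comment there such as `# the key rotation unit kills the daemon and relies on systemd to restart it`, since reverting to `on-failure` would presumably leave the resolver down after a clean SIGTERM exit. The two `$(date +%F-%T)` expansions can also straddle a second and give the backed-up key and certificate different suffixes; computing the stamp once (`stamp="$(date +%F-%T)"`) would keep the pair matched. The script body starts before this section's first line, so whether it runs under `set -e` is not visible here.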