nixos/dnscrypt-wrapper: avoid using polkit

rnhmjoj c7c288fb f65d93f9

+5 -16
+5 -16
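--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -71,9 +71,9 @@
 if ! keyValid; then
 echo "certificate soon to become invalid; backing up old cert"
 mkdir -p oldkeys
-mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
-mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
-systemctl restart dnscrypt-wrapper
+mv -v "${cfg.providerName}.key" "oldkeys/${cfg.providerName}-$(date +%F-%T).key"
+mv -v "${cfg.providerName}.crt" "oldkeys/${cfg.providerName}-$(date +%F-%T).crt"
+kill "$(pidof -s dnscrypt-wrapper)"
 fi
 '';
 
@@ -222,17 +222,6 @@
 };
 users.groups.dnscrypt-wrapper = { };
 
-security.polkit.extraConfig = ''
-// Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service
-polkit.addRule(function(action, subject) {
-if (action.id == "org.freedesktop.systemd1.manage-units" &&
-action.lookup("unit") == "dnscrypt-wrapper.service" &&
-subject.user == "dnscrypt-wrapper") {
-return polkit.Result.YES;
-}
-});
-'';
-
 systemd.services.dnscrypt-wrapper = {
 description = "dnscrypt-wrapper daemon";
 after = [ "network.target" ];
@@ -242,7 +231,7 @@
 serviceConfig = {
 User = "dnscrypt-wrapper";
 WorkingDirectory = dataDir;
-Restart = "on-failure";
+Restart = "always";
 ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}";
 };
 
@@ -255,7 +244,7 @@
 requires = [ "dnscrypt-wrapper.service" ];
 description = "Rotates DNSCrypt wrapper keys if soon to expire";
 
-path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ];
+path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk procps ];
 script = rotateKeys;
 serviceConfig.User = "dnscrypt-wrapper";
 };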
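Review bot: The new `kill "$(pidof -s dnscrypt-wrapper)"` line in the rotation script picks its target by process name, so when no such process is found `kill` receives an empty argument and fails after both key files have already been moved, and when more than one process carries that name `-s` returns only one of them. Because the rotation unit runs as the `dnscrypt-wrapper` user, the signal can only reach that user's processes, which keeps this a robustness point rather than a privilege one. I would guard it, `if pid="$(pidof -s dnscrypt-wrapper)"; then kill "$pid"; fi`, and add a comment on the `Restart = "always";` line such as `# key rotation stops the daemon with a plain kill and relies on systemd to start it again`. The rotateKeys script and the service definition both begin outside the visible hunks.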