
Merge pull request #245852 from rnhmjoj/pr-fix-dnscrypt

dnscrypt-wrapper fixes

authored by

Michele Guerini Rocco and committed by
GitHub
ccc33bd3 8f1e7a5d

+22 -24
+5 -16
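--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -71,9 +71,9 @@
     if ! keyValid; then
       echo "certificate soon to become invalid; backing up old cert"
       mkdir -p oldkeys
-      mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
-      mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
-      systemctl restart dnscrypt-wrapper
+      mv -v "${cfg.providerName}.key" "oldkeys/${cfg.providerName}-$(date +%F-%T).key"
+      mv -v "${cfg.providerName}.crt" "oldkeys/${cfg.providerName}-$(date +%F-%T).crt"
+      kill "$(pidof -s dnscrypt-wrapper)"
     fi
   '';
 
@@ -222,17 +222,6 @@
     };
     users.groups.dnscrypt-wrapper = { };
 
-    security.polkit.extraConfig = ''
-      // Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service
-      polkit.addRule(function(action, subject) {
-        if (action.id == "org.freedesktop.systemd1.manage-units" &&
-            action.lookup("unit") == "dnscrypt-wrapper.service" &&
-            subject.user == "dnscrypt-wrapper") {
-          return polkit.Result.YES;
-        }
-      });
-    '';
-
     systemd.services.dnscrypt-wrapper = {
       description = "dnscrypt-wrapper daemon";
       after = [ "network.target" ];
@@ -242,7 +231,7 @@
       serviceConfig = {
         User = "dnscrypt-wrapper";
         WorkingDirectory = dataDir;
-        Restart = "on-failure";
+        Restart = "always";
         ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}";
       };
 
@@ -255,7 +244,7 @@
       requires = [ "dnscrypt-wrapper.service" ];
       description = "Rotates DNSCrypt wrapper keys if soon to expire";
 
-      path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ];
+      path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk procps ];
       script = rotateKeys;
       serviceConfig.User = "dnscrypt-wrapper";
     };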
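Review bot: `kill "$(pidof -s dnscrypt-wrapper)"` on new line 76 selects a process by name rather than by the service's main PID and does not check that pidof found anything; when it finds no match the substitution is empty, `kill` fails with a usage error, and (assuming the NixOS script wrapper's `set -e` is in effect) the rotation aborts after both `mv` lines have already moved the key and certificate into `oldkeys`, so the running daemon is never signalled and the rotation only completes on a later run. Conversely, `-s` returns a single PID, so if more than one process carries that name the wrong one can be signalled (the kill runs as `dnscrypt-wrapper`, so a foreign-owned process would merely fail with EPERM, again aborting the script). Checking the lookup before the kill keeps the failure explicit, e.g. `pid=$(pidof -s dnscrypt-wrapper) || { echo "dnscrypt-wrapper is not running; not restarting"; exit 1; }` followed by `kill "$pid"`, or `pkill -x dnscrypt-wrapper` now that procps is in `path`. Dropping the polkit rule in favour of an unprivileged signal is the right least-privilege direction; rotateKeys continues outside the hunk.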
+1 -1
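--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -217,7 +217,7 @@
   disable-installer-tools = handleTest ./disable-installer-tools.nix {};
   discourse = handleTest ./discourse.nix {};
   dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};
-  dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {};
+  dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper;
   dnsdist = handleTest ./dnsdist.nix {};
   doas = handleTest ./doas.nix {};
   docker = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker.nix {};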
+8 -6
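--- a/nixos/tests/dnscrypt-wrapper/default.nix
+++ b/nixos/tests/dnscrypt-wrapper/default.nix
@@ -1,4 +1,6 @@
-import ../make-test-python.nix ({ pkgs, ... }: {
+{ lib, pkgs, ... }:
+
+{
   name = "dnscrypt-wrapper";
   meta = with pkgs.lib.maintainers; {
     maintainers = [ rnhmjoj ];
@@ -50,23 +52,23 @@
     server.wait_for_unit("dnscrypt-wrapper")
     server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.key")
     server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.crt")
+    almost_expiration = server.succeed("date --date '4days 23 hours 56min'").strip()
 
     with subtest("The client can connect to the server"):
         server.wait_for_unit("tinydns")
         client.wait_for_unit("dnscrypt-proxy2")
-        assert "1.2.3.4" in client.succeed(
+        assert "1.2.3.4" in client.wait_until_succeeds(
             "host it.works"
         ), "The IP address of 'it.works' does not match 1.2.3.4"
 
     with subtest("The server rotates the ephemeral keys"):
         # advance time by a little less than 5 days
-        server.succeed("date -s \"$(date --date '4 days 6 hours')\"")
-        client.succeed("date -s \"$(date --date '4 days 6 hours')\"")
+        server.succeed(f"date -s '{almost_expiration}'")
+        client.succeed(f"date -s '{almost_expiration}'")
         server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys")
 
     with subtest("The client can still connect to the server"):
         server.wait_for_unit("dnscrypt-wrapper")
         client.succeed("host it.works")
   '';
-})
-
+}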
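Review bot: The new `almost_expiration` assignment (new line 55) captures the test's key-timing offset as a bare string, while the only explanation, `# advance time by a little less than 5 days`, stays eleven lines further down next to the `date -s` calls; a reader of the setup block cannot tell why `4days 23 hours 56min` was chosen nor that the timestamp is deliberately taken right after the key and certificate files appear so that the later clock jump lands just inside the rotation window. Add a comment on the assignment, e.g. `# snapshot taken right after key creation: a few minutes short of the rotation threshold checked by keyValid in the module (presumably 5 days; confirm)`, and note there that this offset must change together with that threshold. The `wait_until_succeeds` change on new line 60 is a sensible fix for the race with dnscrypt-proxy2 start-up and needs no further comment.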
+8 -1
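--- a/pkgs/tools/networking/dnscrypt-wrapper/default.nix
+++ b/pkgs/tools/networking/dnscrypt-wrapper/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libsodium, libevent }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libsodium, libevent, nixosTests }:
 
 stdenv.mkDerivation rec {
   pname = "dnscrypt-wrapper";
@@ -13,8 +13,15 @@
 
   enableParallelBuilding = true;
 
+  # causes `dnscrypt-wrapper --gen-provider-keypair` to crash
+  hardeningDisable = [ "fortify3" ];
+
   nativeBuildInputs = [ pkg-config autoreconfHook ];
   buildInputs = [ libsodium libevent ];
+
+  passthru.tests = {
+    inherit (nixosTests) dnscrypt-wrapper;
+  };
 
   meta = with lib; {
     description = "A tool for adding dnscrypt support to any name resolver";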
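Review bot: The comment above `hardeningDisable = [ "fortify3" ]` (new lines 16–17) records only the symptom; it does not say whether the abort was traced to a false positive of `_FORTIFY_SOURCE=3`'s object-size tracking or to a genuine out-of-bounds access in the key-generation path, and the setting removes that runtime bounds check from the network-facing daemon as well, not just from `--gen-provider-keypair`. A reader deciding whether this can be reverted needs the reference and the root-cause status, e.g. `# _FORTIFY_SOURCE=3 aborts in \`dnscrypt-wrapper --gen-provider-keypair\` (upstream: <TODO: issue link>); the abort may point to a real bounds violation rather than a false positive, so re-enable once upstream has fixed or explained it`. If the crash has not been reported upstream, doing so is the appropriate follow-up, since the disabled check protects the long-running daemon as well.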