nix/lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Get rid of some cruft, and un-nest systemd

Browse Source
This commit is contained in:
niten 2024-08-22 17:52:20 -07:00
parent 2c20446df3
commit 763670e46a
1 changed files with 65 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
lib/fudo/adguard-dns-proxy.nix
View File

@ -246,18 +246,7 @@ in {
verbose = mkEnableOption "Keep verbose logs.";
};
config = mkIf cfg.enable (let
upgrade-perms = cfg.dns.listen-port <= 1024 || cfg.http.listen-port <= 1024;
in {
users = mkIf upgrade-perms {
users.${cfg.user} = {
isSystemUser = true;
group = cfg.user;
};
groups.${cfg.user} = { members = [ cfg.user ]; };
};
config = mkIf cfg.enable {
fudo = {
secrets.host-secrets.${hostname} = {
adguard-dns-proxy-admin-password = {
@ -266,12 +255,12 @@ in {
user = "root";
};
};
};
systemd.services.adguard-dns-proxy =
let configFile = "/run/adguard-dns-proxy/config.yaml";
in {
description =
"DNS proxy for ad filtering and DNS-over-HTTPS lookups.";
description = "DNS proxy for ad filtering and DNS-over-HTTPS lookups.";
wantedBy = [ "default.target" ];
after = [ "syslog.target" "network.target" ];
requires = [ "syslog.target" "network.target" ];
@ -288,7 +277,9 @@ in {
"--port ${toString cfg.http.listen-port}"
"--config $RUNTIME_DIRECTORY/config.yaml"
];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = optional
(cfg.dns.listen-port <= 1024 || cfg.http.listen-port <= 1024)
[ "CAP_NET_BIND_SERVICE" ];
DynamicUser = true;
RuntimeDirectory = "adguard-dns-proxy";
};
@ -329,5 +320,4 @@ in {
# in "${pkgs.adguardhome}/bin/adguardhome ${arg-string}";
# };
};
});
}