2018-10-12 21:38:54 +00:00
|
|
|
{ config, lib, pkgs, ... }: with lib;
|
|
|
|
|
|
|
|
|
|
let
|
|
|
|
|
cfg = config.services.dnscrypt-proxy2;
|
|
|
|
|
in
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
options.services.dnscrypt-proxy2 = {
|
|
|
|
|
enable = mkEnableOption "dnscrypt-proxy2";
|
|
|
|
|
|
|
|
|
|
settings = mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Attrset that is converted and passed as TOML config file.
|
2020-09-28 06:28:12 -04:00
|
|
|
For available params, see: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/${pkgs.dnscrypt-proxy2.version}/dnscrypt-proxy/example-dnscrypt-proxy.toml"/>
|
2018-10-12 21:38:54 +00:00
|
|
|
'';
|
|
|
|
|
example = literalExample ''
|
|
|
|
|
{
|
|
|
|
|
sources.public-resolvers = {
|
|
|
|
|
urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
|
|
|
|
|
cache_file = "public-resolvers.md";
|
|
|
|
|
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
|
|
|
|
|
refresh_delay = 72;
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
'';
|
|
|
|
|
type = types.attrs;
|
|
|
|
|
default = {};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
configFile = mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Path to TOML config file. See: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml"/>
|
|
|
|
|
If this option is set, it will override any configuration done in options.services.dnscrypt-proxy2.settings.
|
|
|
|
|
'';
|
|
|
|
|
example = "/etc/dnscrypt-proxy/dnscrypt-proxy.toml";
|
|
|
|
|
type = types.path;
|
|
|
|
|
default = pkgs.runCommand "dnscrypt-proxy.toml" {
|
|
|
|
|
json = builtins.toJSON cfg.settings;
|
|
|
|
|
passAsFile = [ "json" ];
|
|
|
|
|
} ''
|
|
|
|
|
${pkgs.remarshal}/bin/json2toml < $jsonPath > $out
|
|
|
|
|
'';
|
|
|
|
|
defaultText = literalExample "TOML file generated from services.dnscrypt-proxy2.settings";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
|
|
|
|
|
networking.nameservers = lib.mkDefault [ "127.0.0.1" ];
|
|
|
|
|
|
|
|
|
|
systemd.services.dnscrypt-proxy2 = {
|
2020-09-28 07:41:20 -04:00
|
|
|
description = "DNSCrypt-proxy client";
|
|
|
|
|
wants = [
|
|
|
|
|
"network-online.target"
|
|
|
|
|
"nss-lookup.target"
|
|
|
|
|
];
|
|
|
|
|
before = [
|
|
|
|
|
"nss-lookup.target"
|
|
|
|
|
];
|
|
|
|
|
wantedBy = [
|
|
|
|
|
"multi-user.target"
|
|
|
|
|
];
|
2018-10-12 21:38:54 +00:00
|
|
|
serviceConfig = {
|
|
|
|
|
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
2020-09-28 07:41:20 -04:00
|
|
|
CacheDirectory = "dnscrypt-proxy";
|
2018-10-12 21:38:54 +00:00
|
|
|
DynamicUser = true;
|
|
|
|
|
ExecStart = "${pkgs.dnscrypt-proxy2}/bin/dnscrypt-proxy -config ${cfg.configFile}";
|
2020-09-28 07:41:20 -04:00
|
|
|
LockPersonality = true;
|
|
|
|
|
LogsDirectory = "dnscrypt-proxy";
|
|
|
|
|
MemoryDenyWriteExecute = true;
|
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
|
NonBlocking = true;
|
|
|
|
|
PrivateDevices = true;
|
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
|
ProtectHome = true;
|
|
|
|
|
ProtectHostname = true;
|
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
|
ProtectSystem = "strict";
|
2020-05-07 00:00:42 +02:00
|
|
|
Restart = "always";
|
2020-09-28 07:41:20 -04:00
|
|
|
RestrictAddressFamilies = [
|
|
|
|
|
"AF_INET"
|
|
|
|
|
"AF_INET6"
|
|
|
|
|
];
|
|
|
|
|
RestrictNamespaces = true;
|
|
|
|
|
RestrictRealtime = true;
|
|
|
|
|
RuntimeDirectory = "dnscrypt-proxy";
|
|
|
|
|
StateDirectory = "dnscrypt-proxy";
|
|
|
|
|
SystemCallArchitectures = "native";
|
|
|
|
|
SystemCallFilter = [
|
|
|
|
|
"@system-service"
|
|
|
|
|
"@chown"
|
|
|
|
|
"~@resources"
|
|
|
|
|
"@privileged"
|
|
|
|
|
];
|
2018-10-12 21:38:54 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
