nixos/dnscrypt-wrapper: make provider keys configurable

rnhmjoj 2020-04-24 01:23:56 +02:00
parent fd3727a313
commit 743eea4c5f
No known key found for this signature in database
GPG Key ID: BFBAF4C975F76450


@ -5,12 +5,20 @@ let
cfg = config.services.dnscrypt-wrapper; cfg = config.services.dnscrypt-wrapper;
dataDir = "/var/lib/dnscrypt-wrapper"; dataDir = "/var/lib/dnscrypt-wrapper";
mkPath = path: default:
if path != null
then toString path
else default;
publicKey = mkPath cfg.providerKey.public "${dataDir}/public.key";
secretKey = mkPath cfg.providerKey.secret "${dataDir}/secret.key";
daemonArgs = with cfg; [ daemonArgs = with cfg; [
"--listen-address=${address}:${toString port}" "--listen-address=${address}:${toString port}"
"--resolver-address=${upstream.address}:${toString upstream.port}" "--resolver-address=${upstream.address}:${toString upstream.port}"
"--provider-name=${providerName}" "--provider-name=${providerName}"
"--provider-publickey-file=public.key" "--provider-publickey-file=${publicKey}"
"--provider-secretkey-file=secret.key" "--provider-secretkey-file=${secretKey}"
"--provider-cert-file=${providerName}.crt" "--provider-cert-file=${providerName}.crt"
"--crypt-secretkey-file=${providerName}.key" "--crypt-secretkey-file=${providerName}.key"
]; ];
@ -24,17 +32,19 @@ let
dnscrypt-wrapper --gen-cert-file \ dnscrypt-wrapper --gen-cert-file \
--crypt-secretkey-file=${cfg.providerName}.key \ --crypt-secretkey-file=${cfg.providerName}.key \
--provider-cert-file=${cfg.providerName}.crt \ --provider-cert-file=${cfg.providerName}.crt \
--provider-publickey-file=public.key \ --provider-publickey-file=${publicKey} \
--provider-secretkey-file=secret.key \ --provider-secretkey-file=${secretKey} \
--cert-file-expire-days=${toString cfg.keys.expiration} --cert-file-expire-days=${toString cfg.keys.expiration}
} }
cd ${dataDir} cd ${dataDir}
# generate provider keypair (first run only) # generate provider keypair (first run only)
if [ ! -f public.key ] || [ ! -f secret.key ]; then ${optionalString (cfg.providerKey.public == null || cfg.providerKey.secret == null) ''
dnscrypt-wrapper --gen-provider-keypair if [ ! -f ${publicKey} ] || [ ! -f ${secretKey} ]; then
fi dnscrypt-wrapper --gen-provider-keypair
fi
''}
# generate new keys for rotation # generate new keys for rotation
if [ ! -f ${cfg.providerName}.key ] || [ ! -f ${cfg.providerName}.crt ]; then if [ ! -f ${cfg.providerName}.key ] || [ ! -f ${cfg.providerName}.crt ]; then
@ -139,6 +149,26 @@ in {
''; '';
}; };
providerKey.public = mkOption {
type = types.nullOr types.path;
default = null;
example = "/etc/secrets/public.key";
description = ''
The filepath to the provider public key. If not given a new
provider key pair will be generated on the first run.
'';
};
providerKey.secret = mkOption {
type = types.nullOr types.path;
default = null;
example = "/etc/secrets/secret.key";
description = ''
The filepath to the provider secret key. If not given a new
provider key pair will be generated on the first run.
'';
};
upstream.address = mkOption { upstream.address = mkOption {
type = types.str; type = types.str;
default = "127.0.0.1"; default = "127.0.0.1";
@ -237,6 +267,13 @@ in {
}; };
}; };
assertions = with cfg; [
{ assertion = (providerKey.public == null && providerKey.secret == null) ||
(providerKey.secret != null && providerKey.public != null);
message = "The secret and public provider key must be set together.";
}
];
}; };
meta.maintainers = with lib.maintainers; [ rnhmjoj ]; meta.maintainers = with lib.maintainers; [ rnhmjoj ];
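Review bot: The new `providerKey.secret` option (third hunk) is typed `types.nullOr types.path`, which accepts both a string and a Nix path literal, and the description does not say which is expected or what permissions the file needs; with a path literal the `toString` in `mkPath` yields the evaluation-time source path rather than a file on the target, and a user who interpolates that path into a string instead will copy the private key into the world-readable Nix store. I would extend the description along the lines of `Absolute path (as a string, not a Nix path literal) to the provider secret key on the target host; it must be readable by the user the service runs under and should not be world-readable. If not given a new provider key pair will be generated on the first run.` — the unit's user is not visible in this diff, so that last requirement is inferred from the key being consumed by the daemon. Separately, the second hunk interpolates the configurable paths unquoted into the shell script, `if [ ! -f ${publicKey} ] || [ ! -f ${secretKey} ]; then`, which word-splits on a path containing whitespace; `if [ ! -f "${publicKey}" ] || [ ! -f "${secretKey}" ]; then` and the same quoting on the `--provider-publickey-file=` / `--provider-secretkey-file=` arguments of the gen-cert command would avoid that (the `daemonArgs` list in the first hunk is not affected, since each element is one argv entry).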