From 823bb5dd4d9fabf39a81c9374076b8ecdc209a61 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sat, 7 Mar 2015 19:13:12 +0100
Subject: [PATCH] nixos: implement socket-activation for dnscrypt-proxy
The socket definition is derived from upstream with the exception that it does not depend on network.target, as this creates a cycle between basic.target and sockets.target. The apparmor profile has been updated to account for additional runtime dependencies introduced by enabling systemd support.
---
 .../services/networking/dnscrypt-proxy.nix | 27 +++++++++++++++----
 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index 78e240e49ba..2e3add3db85 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -7,8 +7,7 @@ let
 cfg = config.services.dnscrypt-proxy;
 uid = config.ids.uids.dnscrypt-proxy;
 daemonArgs =
- [ "--daemonize"
- "--user=dnscrypt-proxy"
+ [ "--user=dnscrypt-proxy"
 "--local-address=${cfg.localAddress}:${toString cfg.port}"
 (optionalString cfg.tcpOnly "--tcp-only")
 "--resolvers-list=${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
@@ -114,6 +113,10 @@ in
 ${dnscrypt-proxy}/share/dnscrypt-proxy/** r,
 ${pkgs.gcc.cc}/lib/libssp.so.* mr,
 ${pkgs.libsodium}/lib/libsodium.so.* mr,
+ ${pkgs.systemd}/lib/libsystemd.so.* mr,
+ ${pkgs.xz}/lib/liblzma.so.* mr,
+ ${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
+ ${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
 }
 '')
 ];
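Review bot: The four added `mr` rules in the AppArmor profile carry no comment saying why a DNS proxy maps libsystemd, liblzma, libgcrypt and libgpg-error, and the list mirrors libsystemd's link-time dependencies by hand. If that set changes in a later systemd build, the confined daemon would presumably fail to load its libraries, with nothing in the profile hinting at what to update. I would add a profile comment above them, e.g. `# libsystemd (socket activation) and the libraries it links against`. The profile body starts outside this hunk.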
@@ -128,13 +131,27 @@ in
 ### Service definition
+ ## derived from upstream dnscrypt-proxy.socket
+ systemd.sockets.dnscrypt-proxy = {
+ description = "dnscrypt-proxy listening socket";
+
+ socketConfig = {
+ ListenStream = "${cfg.localAddress}:${toString cfg.port}";
+ ListenDatagram = "${cfg.localAddress}:${toString cfg.port}";
+ };
+
+ wantedBy = [ "sockets.target" ];
+ };
+
+ # derived from upstream dnscrypt-proxy.service
 systemd.services.dnscrypt-proxy = {
 description = "dnscrypt-proxy daemon";
 after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
- requires = mkIf apparmorEnabled [ "apparmor.service" ];
- wantedBy = [ "multi-user.target" ];
+ requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";
 serviceConfig = {
- Type = "forking";
+ Type = "simple";
+ ## note: NonBlocking is required for socket activation to work
+ NonBlocking = "true";
 ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
 };
 };
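Review bot: The new `requires` line has a stray space inside the unit name, `"dnscrypt-proxy.socket "`; it should read `requires = [ "dnscrypt-proxy.socket" ] ++ optional apparmorEnabled "apparmor.service";`. systemd likely tolerates the extra whitespace once the list is rendered into the unit file, but the literal is not the unit's name and will not match if anything compares it. Separately, the socket unit binds `${cfg.localAddress}:${toString cfg.port}` while `daemonArgs` in the first hunk still passes the same value as `--local-address`; a comment stating which of the two the daemon honours under socket activation would keep them from drifting apart. With systemd doing the bind, it may also be worth checking whether the service still needs to start as root and drop privileges via `--user`, rather than setting `User=` in `serviceConfig`.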