public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

dnscrypt-proxy service: documentation fixes

Browse Source 
- fix `enable` option description
  using `mkEnableOption longDescription` is incorrect; override
  `description` instead
- additional details for proper usage of the service, including
  an example of the recommended configuration
- clarify `localAddress` option description
- clarify `localPort` option description
- clarify `customResolver` option description
This commit is contained in:
Joachim Fasting 2016-03-17 14:14:46 +01:00
parent e524debaf0
commit a0663e3709
1 changed files with 41 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
nixos/modules/services/networking/dnscrypt-proxy.nix
View File

@ -27,25 +27,46 @@ in
{ {
options = { options = {
services.dnscrypt-proxy = { services.dnscrypt-proxy = {
enable = mkEnableOption '' enable = mkEnableOption "dnscrypt-proxy" // { description = ''
Enable dnscrypt-proxy. The proxy relays regular DNS queries to a Whether to enable the DNSCrypt client proxy. The proxy relays
DNSCrypt enabled upstream resolver. The traffic between the DNS queries to a DNSCrypt enabled upstream resolver. The traffic
client and the upstream resolver is encrypted and authenticated, between the client and the upstream resolver is encrypted and
which may mitigate the risk of MITM attacks and third-party authenticated, mitigating the risk of MITM attacks and third-party
snooping (assuming the upstream is trustworthy). snooping (assuming the upstream is trustworthy).
'';
Enabling this option does not alter the system nameserver; to relay
local queries, prepend <literal>127.0.0.1</literal> to
<option>networking.nameservers</option>.
The recommended configuration is to run DNSCrypt proxy as a forwarder
for a caching DNS client, as in
<programlisting>
{
services.dnscrypt-proxy.enable = true;
services.dnscrypt-proxy.localPort = 43;
services.dnsmasq.enable = true;
services.dnsmasq.servers = [ "127.0.0.1#43" ];
services.dnsmasq.resolveLocalQueries = true; # this is the default
}
</programlisting>
''; };
localAddress = mkOption { localAddress = mkOption {
default = "127.0.0.1"; default = "127.0.0.1";
type = types.string; type = types.string;
description = '' description = ''
Listen for DNS queries on this address. Listen for DNS queries to relay on this address. The only reason to
change this from its default value is to proxy queries on behalf
of other machines (typically on the local network).
''; '';
}; };
localPort = mkOption { localPort = mkOption {
default = 53; default = 53;
type = types.int; type = types.int;
description = '' description = ''
Listen on this port. Listen for DNS queries to relay on this port. The default value
assumes that the DNSCrypt proxy should relay DNS queries directly.
When running as a forwarder for another DNS client, set this option
to a different value; otherwise leave the default.
''; '';
}; };
resolverName = mkOption { resolverName = mkOption {
@ -53,7 +74,7 @@ in
type = types.nullOr types.string; type = types.nullOr types.string;
description = '' description = ''
The name of the upstream DNSCrypt resolver to use. See The name of the upstream DNSCrypt resolver to use. See
<literal>${resolverListFile}</literal> for alternative resolvers <filename>${resolverListFile}</filename> for alternative resolvers
(e.g., if you are concerned about logging and/or server (e.g., if you are concerned about logging and/or server
location). location).
''; '';
@ -61,9 +82,8 @@ in
customResolver = mkOption { customResolver = mkOption {
default = null; default = null;
description = '' description = ''
Use a resolver not listed in the upstream list (e.g., Use an unlisted resolver (e.g., a private DNSCrypt provider). For
a private DNSCrypt provider). For advanced users only. advanced users only. If specified, this option takes precedence.
If specified, this option takes precedence.
''; '';
type = types.nullOr (types.submodule ({ ... }: { options = { type = types.nullOr (types.submodule ({ ... }: { options = {
address = mkOption { address = mkOption {
@ -85,15 +105,15 @@ in
type = types.str; type = types.str;
description = "Provider public key"; description = "Provider public key";
example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79"; example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79";
}; }; })); };
}; }));
}; };
tcpOnly = mkOption { tcpOnly = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
description = '' description = ''
Force sending encrypted DNS queries to the upstream resolver Force sending encrypted DNS queries to the upstream resolver over
over TCP instead of UDP (on port 443). Enabling this option may TCP instead of UDP (on port 443). Use only if the UDP port is blocked.
help circumvent filtering, but should not be used otherwise.
''; '';
}; };
}; };