nixos/dnscrypt-proxy: refactoring

Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...).  Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
Joachim Fasting 2017-03-07 23:40:31 +01:00
parent 32bcda741a
commit adf044e1fb


@ -155,15 +155,59 @@ in
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable (mkMerge [{
assertions = [ assertions = [
{ assertion = (cfg.customResolver != null) || (cfg.resolverName != null); { assertion = (cfg.customResolver != null) || (cfg.resolverName != null);
message = "please configure upstream DNSCrypt resolver"; message = "please configure upstream DNSCrypt resolver";
} }
]; ];
security.apparmor.profiles = optional apparmorEnabled (pkgs.writeText "apparmor-dnscrypt-proxy" '' users.users.dnscrypt-proxy = {
description = "dnscrypt-proxy daemon user";
isSystemUser = true;
group = "dnscrypt-proxy";
};
users.groups.dnscrypt-proxy = {};
systemd.sockets.dnscrypt-proxy = {
description = "dnscrypt-proxy listening socket";
documentation = [ "man:dnscrypt-proxy(8)" ];
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = localAddress;
ListenDatagram = localAddress;
};
};
systemd.services.dnscrypt-proxy = {
description = "dnscrypt-proxy daemon";
documentation = [ "man:dnscrypt-proxy(8)" ];
before = [ "nss-lookup.target" ];
after = [ "network.target" ]
++ optional apparmorEnabled "apparmor.service";
requires = [ "dnscrypt-proxy.socket "]
++ optional apparmorEnabled "apparmor.service";
serviceConfig = {
NonBlocking = "true";
ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
User = "dnscrypt-proxy";
PrivateTmp = true;
PrivateDevices = true;
ProtectHome = true;
};
};
}
(mkIf apparmorEnabled {
security.apparmor.profiles = singleton (pkgs.writeText "apparmor-dnscrypt-proxy" ''
${dnscrypt-proxy}/bin/dnscrypt-proxy { ${dnscrypt-proxy}/bin/dnscrypt-proxy {
/dev/null rw, /dev/null rw,
/dev/urandom r, /dev/urandom r,
@ -188,35 +232,35 @@ in
${getLib pkgs.libgpgerror}/lib/libgpg-error.so.* mr, ${getLib pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
${getLib pkgs.libcap}/lib/libcap.so.* mr, ${getLib pkgs.libcap}/lib/libcap.so.* mr,
${getLib pkgs.lz4}/lib/liblz4.so.* mr, ${getLib pkgs.lz4}/lib/liblz4.so.* mr,
${getLib pkgs.attr}/lib/libattr.so.* mr, ${getLib pkgs.attr}/lib/libattr.so.* mr, # */
${resolverList} r, ${resolverList} r,
} }
''); '');
})
users.users.dnscrypt-proxy = { (mkIf useUpstreamResolverList {
description = "dnscrypt-proxy daemon user"; systemd.services.init-dnscrypt-proxy-statedir = {
isSystemUser = true;
group = "dnscrypt-proxy";
};
users.groups.dnscrypt-proxy = {};
systemd.services.init-dnscrypt-proxy-statedir = optionalAttrs useUpstreamResolverList {
description = "Initialize dnscrypt-proxy state directory"; description = "Initialize dnscrypt-proxy state directory";
wantedBy = [ "dnscrypt-proxy.service" ];
before = [ "dnscrypt-proxy.service" ];
script = '' script = ''
mkdir -pv ${stateDirectory} mkdir -pv ${stateDirectory}
chown -c dnscrypt-proxy:dnscrypt-proxy ${stateDirectory} chown -c dnscrypt-proxy:dnscrypt-proxy ${stateDirectory}
cp --preserve=timestamps -uv \ cp -uv \
${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv \ ${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv \
${stateDirectory} ${stateDirectory}
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
}; };
}; };
systemd.services.update-dnscrypt-resolvers = optionalAttrs useUpstreamResolverList { systemd.services.update-dnscrypt-resolvers = {
description = "Update list of DNSCrypt resolvers"; description = "Update list of DNSCrypt resolvers";
requires = [ "init-dnscrypt-proxy-statedir.service" ]; requires = [ "init-dnscrypt-proxy-statedir.service" ];
@ -243,47 +287,13 @@ in
}; };
}; };
systemd.timers.update-dnscrypt-resolvers = optionalAttrs useUpstreamResolverList { systemd.timers.update-dnscrypt-resolvers = {
wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnBootSec = "5min"; OnBootSec = "5min";
OnUnitActiveSec = "6h"; OnUnitActiveSec = "6h";
}; };
wantedBy = [ "timers.target" ];
}; };
})
systemd.sockets.dnscrypt-proxy = { ]);
description = "dnscrypt-proxy listening socket";
socketConfig = {
ListenStream = localAddress;
ListenDatagram = localAddress;
};
wantedBy = [ "sockets.target" ];
};
systemd.services.dnscrypt-proxy = {
description = "dnscrypt-proxy daemon";
before = [ "nss-lookup.target" ];
after = [ "network.target" ]
++ optional apparmorEnabled "apparmor.service"
++ optional useUpstreamResolverList "init-dnscrypt-proxy-statedir.service";
requires = [ "dnscrypt-proxy.socket "]
++ optional apparmorEnabled "apparmor.service"
++ optional useUpstreamResolverList "init-dnscrypt-proxy-statedir.service";
serviceConfig = {
Type = "simple";
NonBlocking = "true";
ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
User = "dnscrypt-proxy";
PrivateTmp = true;
PrivateDevices = true;
ProtectHome = true;
};
};
};
} }
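Review bot: The `requires`/`after` edges from dnscrypt-proxy.service to init-dnscrypt-proxy-statedir.service on the old side of the third hunk are replaced by `wantedBy`/`before` on the init unit in the first hunk, which yields a Wants= rather than a Requires= dependency, so a failing state-directory setup (mkdir/chown/cp) no longer prevents the daemon from starting without its resolver list; that contradicts the "no functional changes" in the description. Writing `requiredBy = [ "dnscrypt-proxy.service" ];` in place of that `wantedBy` line keeps the original strength while staying inside the `mkIf useUpstreamResolverList` block. The stray trailing space in `requires = [ "dnscrypt-proxy.socket "]` is carried over from the old service block into the new one; it is probably tolerated because the list is joined with whitespace before systemd parses it, but it should read `"dnscrypt-proxy.socket"`. Whether dropping `--preserve=timestamps` from the `cp -uv` in the second hunk changes when the bundled list is re-copied over a fetched one depends on how update-dnscrypt-resolvers writes the file, which continues outside that hunk.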