author | Sandro <sandro.jaeckel@gmail.com> | 2021-04-08 22:32:12 +0200 |
committer | GitHub <noreply@github.com> | 2021-04-08 22:32:12 +0200 |
commit | 26f16c1cef5d4467423bb78ade2e47b0f0c392f8 (patch) | |
tree | 8ca79d1d4b8c385d57553aa8714ec89bfea31a8c /nixos | |
parent | e630784ffa30843e1afc82be0dad8c1bd3dad564 (diff) | |
parent | 20481bd027e378037bb912ca707549d838f43587 (diff) | |
Merge pull request #91318 from stephank/pkg-doh-proxy-rust
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/doh-proxy-rust.nix | 60 | ||||
-rw-r--r-- | nixos/tests/doh-proxy-rust.nix | 43 |
3 files changed, 104 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 6f600a608dc..509bccb1ec7 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -658,6 +658,7 @@
 ./services/networking/dnscrypt-wrapper.nix
 ./services/networking/dnsdist.nix
 ./services/networking/dnsmasq.nix
+ ./services/networking/doh-proxy-rust.nix
 ./services/networking/ncdns.nix
 ./services/networking/nomad.nix
 ./services/networking/ejabberd.nix
diff --git a/nixos/modules/services/networking/doh-proxy-rust.nix b/nixos/modules/services/networking/doh-proxy-rust.nix
new file mode 100644
index 00000000000..0e55bc38665
--- /dev/null
+++ b/nixos/modules/services/networking/doh-proxy-rust.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.doh-proxy-rust;
+
+in {
+
+ options.services.doh-proxy-rust = {
+
+ enable = mkEnableOption "doh-proxy-rust";
+
+ flags = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = literalExample [ "--server-address=9.9.9.9:53" ];
+ description = ''
+ A list of command-line flags to pass to doh-proxy. For details on the
+ available options, see <link xlink:href="https://github.com/jedisct1/doh-server#usage"/>.
+ '';
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.doh-proxy-rust = {
+ description = "doh-proxy-rust";
+ after = [ "network.target" "nss-lookup.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.doh-proxy-rust}/bin/doh-proxy ${escapeShellArgs cfg.flags}";
+ Restart = "always";
+ RestartSec = 10;
+ DynamicUser = true;
+
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ ProtectClock = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
+ };
+ };
+ };
+
+ meta.maintainers = with maintainers; [ stephank ];
+
+}
diff --git a/nixos/tests/doh-proxy-rust.nix b/nixos/tests/doh-proxy-rust.nix
new file mode 100644
index 00000000000..ca150cafab5
--- /dev/null
+++ b/nixos/tests/doh-proxy-rust.nix
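Review bot: The serviceConfig block of the new module applies most of the systemd sandboxing set but leaves out ProtectKernelTunables, ProtectKernelModules, ProtectControlGroups and PrivateDevices, so /proc/sys, /sys and /dev stay reachable from the unit even though the empty CapabilityBoundingSet and the @system-service filter indicate the proxy needs none of them. Adding `ProtectKernelTunables = true;`, `ProtectKernelModules = true;` and `ProtectControlGroups = true;` (plus PrivateDevices = true next to them) closes those gaps as defense in depth; DynamicUser already implies ProtectSystem=strict and PrivateTmp, so those need no explicit line. The flags description could also mention that the unit runs with no capabilities, so a --listen-address on a port below 1024 presumably fails unless CAP_NET_BIND_SERVICE is granted — worth confirming against doh-proxy's behaviour before documenting.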
@@ -0,0 +1,43 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+ name = "doh-proxy-rust";
+ meta = with lib.maintainers; {
+ maintainers = [ stephank ];
+ };
+
+ nodes = {
+ machine = { pkgs, lib, ... }: {
+ services.bind = {
+ enable = true;
+ extraOptions = "empty-zones-enable no;";
+ zones = lib.singleton {
+ name = ".";
+ master = true;
+ file = pkgs.writeText "root.zone" ''
+ $TTL 3600
+ . IN SOA ns.example.org. admin.example.org. ( 1 3h 1h 1w 1d )
+ . IN NS ns.example.org.
+ ns.example.org. IN A 192.168.0.1
+ '';
+ };
+ };
+ services.doh-proxy-rust = {
+ enable = true;
+ flags = [
+ "--server-address=127.0.0.1:53"
+ ];
+ };
+ };
+ };
+
+ testScript = { nodes, ... }: ''
+ url = "http://localhost:3000/dns-query"
+ query = "AAABAAABAAAAAAAAAm5zB2V4YW1wbGUDb3JnAAABAAE=" # IN A ns.example.org.
+ bin_ip = r"$'\xC0\xA8\x00\x01'" # 192.168.0.1, as shell binary string
+
+ machine.wait_for_unit("bind.service")
+ machine.wait_for_unit("doh-proxy-rust.service")
+ machine.wait_for_open_port(53)
+ machine.wait_for_open_port(3000)
+ machine.succeed(f"curl --fail '{url}?dns={query}' | grep -qF {bin_ip}")
+ '';
+})
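Review bot: The testScript hard-codes the listener at http://localhost:3000/dns-query and waits on port 3000, but the module is only given --server-address, so the listen endpoint rests on doh-proxy's built-in default; if that default ever changes the test dies in wait_for_open_port with no hint why. Pinning it in the flags list, `"--listen-address=127.0.0.1:3000"` next to the existing entry, makes the assertion's dependency explicit. The `grep -qF` on a `$'...'` byte string also assumes the command runs under bash — presumably true for the test driver's shell, but a short comment saying so would save the next reader a check.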