diff options
Diffstat (limited to 'nixos/modules/services/networking/dnscrypt-proxy2.nix')
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy2.nix | 67 |
1 files changed, 63 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy2.nix b/nixos/modules/services/networking/dnscrypt-proxy2.nix index 28691e83827..72965c267a8 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy2.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix @@ -11,7 +11,7 @@ in settings = mkOption { description = '' Attrset that is converted and passed as TOML config file. - For available params, see: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml"/> + For available params, see: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/${pkgs.dnscrypt-proxy2.version}/dnscrypt-proxy/example-dnscrypt-proxy.toml"/> ''; example = literalExample '' { @@ -27,6 +27,16 @@ in default = {}; }; + upstreamDefaults = mkOption { + description = '' + Whether to base the config declared in <literal>services.dnscrypt-proxy2.settings</literal> on the upstream example config (<link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml"/>) + + Disable this if you want to declare your dnscrypt config from scratch. + ''; + type = types.bool; + default = true; + }; + configFile = mkOption { description = '' Path to TOML config file. See: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml"/> @@ -38,7 +48,13 @@ in json = builtins.toJSON cfg.settings; passAsFile = [ "json" ]; } '' - ${pkgs.remarshal}/bin/json2toml < $jsonPath > $out + ${if cfg.upstreamDefaults then '' + ${pkgs.remarshal}/bin/toml2json ${pkgs.dnscrypt-proxy2.src}/dnscrypt-proxy/example-dnscrypt-proxy.toml > example.json + ${pkgs.jq}/bin/jq --slurp add example.json $jsonPath > config.json # merges the two + '' else '' + cp $jsonPath config.json + ''} + ${pkgs.remarshal}/bin/json2toml < config.json > $out ''; defaultText = literalExample "TOML file generated from services.dnscrypt-proxy2.settings"; }; @@ -49,13 +65,56 @@ in networking.nameservers = lib.mkDefault [ "127.0.0.1" ]; systemd.services.dnscrypt-proxy2 = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + description = "DNSCrypt-proxy client"; + wants = [ + "network-online.target" + "nss-lookup.target" + ]; + before = [ + "nss-lookup.target" + ]; + wantedBy = [ + "multi-user.target" + ]; serviceConfig = { AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CacheDirectory = "dnscrypt-proxy"; DynamicUser = true; ExecStart = "${pkgs.dnscrypt-proxy2}/bin/dnscrypt-proxy -config ${cfg.configFile}"; + LockPersonality = true; + LogsDirectory = "dnscrypt-proxy"; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + NonBlocking = true; + PrivateDevices = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; Restart = "always"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RuntimeDirectory = "dnscrypt-proxy"; + StateDirectory = "dnscrypt-proxy"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@chown" + "~@aio" + "~@keyring" + "~@memlock" + "~@resources" + "~@setuid" + "~@timer" + ]; }; }; }; |