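{ config, lib, pkgs, ... }:

let
  cfg = config.services.dnscrypt-proxy2;

  # Annotated example config shipped in the dnscrypt-proxy2 source tree; used
  # as the base layer when `upstreamDefaults` is on.
  exampleConfig = "${pkgs.dnscrypt-proxy2.src}/dnscrypt-proxy/example-dnscrypt-proxy.toml";
in
{
  options.services.dnscrypt-proxy2 = {
    enable = lib.mkEnableOption (lib.mdDoc "dnscrypt-proxy2");

    settings = lib.mkOption {
      description = lib.mdDoc ''
        Attrset that is converted and passed as TOML config file.
        For available params, see: <https://github.com/DNSCrypt/dnscrypt-proxy/blob/${pkgs.dnscrypt-proxy2.version}/dnscrypt-proxy/example-dnscrypt-proxy.toml>

        When {option}`services.dnscrypt-proxy2.upstreamDefaults` is enabled the
        merge with the upstream example is *shallow*: a top-level key set here
        replaces the upstream value of that key as a whole (e.g. declaring
        `sources.public-resolvers` drops every other upstream `sources.*` table).

        The generated TOML file is written to the Nix store, which is
        world-readable. Do not put credentials in here; point
        {option}`services.dnscrypt-proxy2.configFile` at a file outside the
        store instead.
      '';
      example = lib.literalExpression ''
        {
          sources.public-resolvers = {
            urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
            cache_file = "public-resolvers.md";
            minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
            refresh_delay = 72;
          };
        }
      '';
      type = lib.types.attrs;
      default = {};
    };

    upstreamDefaults = lib.mkOption {
      description = lib.mdDoc ''
        Whether to base the config declared in {option}`services.dnscrypt-proxy2.settings` on the upstream example config (<https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml>).

        Disable this if you want to declare your dnscrypt config from scratch.
        Note that the default of {option}`networking.nameservers` set by this
        module assumes the proxy listens on 127.0.0.1, as the upstream example
        config does; if you disable this, set `listen_addresses` accordingly.
      '';
      type = lib.types.bool;
      default = true;
    };

    configFile = lib.mkOption {
      description = lib.mdDoc ''
        Path to TOML config file. See: <https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml>

        If this option is set, it overrides any configuration done in
        {option}`services.dnscrypt-proxy2.settings`.

        Pass an absolute path as a *string* (as in the example) to keep the
        file out of the Nix store; a Nix path literal such as `./dnscrypt.toml`
        is copied into the world-readable store at evaluation time.
      '';
      example = "/etc/dnscrypt-proxy/dnscrypt-proxy.toml";
      type = lib.types.path;
      # Render `settings` to TOML at build time. With `upstreamDefaults`, the
      # upstream example is converted to JSON and the user's JSON is merged on
      # top via `jq add`, which is a shallow object merge where the *later*
      # document ($jsonPath, i.e. the user's settings) wins per top-level key.
      default = pkgs.runCommand "dnscrypt-proxy.toml" {
        json = builtins.toJSON cfg.settings;
        passAsFile = [ "json" ];
      } (
        (if cfg.upstreamDefaults then ''
          ${pkgs.remarshal}/bin/toml2json ${exampleConfig} > example.json
          ${pkgs.jq}/bin/jq --slurp add example.json "$jsonPath" > config.json
        '' else ''
          cp "$jsonPath" config.json
        '') + ''
          ${pkgs.remarshal}/bin/json2toml < config.json > $out
        ''
      );
      defaultText = lib.literalMD "TOML file generated from {option}`services.dnscrypt-proxy2.settings`";
    };
  };

  config = lib.mkIf cfg.enable {

    # The proxy is the system resolver; users may override this (mkDefault).
    networking.nameservers = lib.mkDefault [ "127.0.0.1" ];

    systemd.services.dnscrypt-proxy2 = {
      description = "DNSCrypt-proxy client";
      # NOTE(review): network-online.target is only *wanted*, not ordered via
      # `after`, so the unit may start before the network is up and rely on
      # Restart=always to recover. Left as-is to avoid delaying nss-lookup.target.
      wants = [
        "network-online.target"
        "nss-lookup.target"
      ];
      before = [
        "nss-lookup.target"
      ];
      wantedBy = [
        "multi-user.target"
      ];
      serviceConfig = {
        # Runs as an unprivileged dynamic user; the only capability it needs
        # is binding to port 53. Restrict the bounding set to that capability
        # as well so nothing beyond it can ever be (re)acquired.
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        DynamicUser = true;
        NoNewPrivileges = true;

        # Writable locations carved out of the otherwise read-only filesystem
        # (ProtectSystem=strict): /var/cache, /var/log, /run, /var/lib.
        CacheDirectory = "dnscrypt-proxy";
        LogsDirectory = "dnscrypt-proxy";
        RuntimeDirectory = "dnscrypt-proxy";
        StateDirectory = "dnscrypt-proxy";

        ExecStart = "${pkgs.dnscrypt-proxy2}/bin/dnscrypt-proxy -config ${cfg.configFile}";
        NonBlocking = true;
        Restart = "always";

        # Kernel/namespace/filesystem isolation.
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        RestrictNamespaces = true;
        RestrictRealtime = true;

        # Only IP sockets are needed (no AF_UNIX/AF_NETLINK).
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];

        # Seccomp: the generic service profile plus chown (needed for the
        # managed directories), minus groups the daemon has no use for.
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "@chown"
          "~@aio"
          "~@keyring"
          "~@memlock"
          "~@setuid"
          "~@timer"
        ];
      };
    };
  };

  # uses attributes of the linked package
  meta.buildDocsInSandbox = false;
}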