···
services.dnscrypt-proxy = {
28
-
Enable dnscrypt-proxy.
29
-
The proxy relays regular DNS queries to a DNSCrypt enabled
31
-
The traffic between the client and the upstream resolver is
32
-
encrypted and authenticated, which may mitigate the risk of MITM
33
-
attacks and third-party snooping (assuming the upstream is
24
+
Enable dnscrypt-proxy. The proxy relays regular DNS queries to a
25
+
DNSCrypt enabled upstream resolver. The traffic between the
26
+
client and the upstream resolver is encrypted and authenticated,
27
+
which may mitigate the risk of MITM attacks and third-party
28
+
snooping (assuming the upstream is trustworthy).
localAddress = mkOption {
···
Listen for DNS queries on this address.
···
resolverName = mkOption {
···
Force sending encrypted DNS queries to the upstream resolver
70
-
over TCP instead of UDP (on port 443).
71
-
Enabling this option may help circumvent filtering, but should
72
-
not be used otherwise.
60
+
over TCP instead of UDP (on port 443). Enabling this option may
61
+
help circumvent filtering, but should not be used otherwise.
80
-
##### implementation
config = mkIf cfg.enable {
84
-
### AppArmor profile
69
+
security.apparmor.profiles = mkIf apparmorEnabled (singleton (pkgs.writeText "apparmor-dnscrypt-proxy" ''
70
+
${dnscrypt-proxy}/bin/dnscrypt-proxy {
86
-
security.apparmor.profiles = mkIf apparmorEnabled [
87
-
(pkgs.writeText "apparmor-dnscrypt-proxy" ''
76
+
${config.environment.etc."nsswitch.conf".source} r,
89
-
${dnscrypt-proxy}/bin/dnscrypt-proxy {
78
+
${pkgs.glibc}/lib/*.so mr,
79
+
${pkgs.tzdata}/share/zoneinfo/** r,
81
+
network inet stream,
82
+
network inet6 stream,
84
+
network inet6 dgram,
96
-
${config.environment.etc."nsswitch.conf".source} r,
98
-
${pkgs.glibc}/lib/*.so mr,
99
-
${pkgs.tzdata}/share/zoneinfo/** r,
101
-
network inet stream,
102
-
network inet6 stream,
103
-
network inet dgram,
104
-
network inet6 dgram,
106
-
${pkgs.gcc.cc}/lib/libssp.so.* mr,
107
-
${pkgs.libsodium}/lib/libsodium.so.* mr,
108
-
${pkgs.systemd}/lib/libsystemd.so.* mr,
109
-
${pkgs.xz}/lib/liblzma.so.* mr,
110
-
${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
111
-
${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
86
+
${pkgs.gcc.cc}/lib/libssp.so.* mr,
87
+
${pkgs.libsodium}/lib/libsodium.so.* mr,
88
+
${pkgs.systemd}/lib/libsystemd.so.* mr,
89
+
${pkgs.xz}/lib/liblzma.so.* mr,
90
+
${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
91
+
${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
113
-
${resolverListFile} r,
93
+
${resolverListFile} r,
users.extraUsers.dnscrypt-proxy = {
uid = config.ids.uids.dnscrypt-proxy;
···
users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;
124
-
## derived from upstream dnscrypt-proxy.socket
systemd.sockets.dnscrypt-proxy = {
description = "dnscrypt-proxy listening socket";
ListenStream = "${cfg.localAddress}:${toString cfg.port}";
ListenDatagram = "${cfg.localAddress}:${toString cfg.port}";
wantedBy = [ "sockets.target" ];
136
-
# derived from upstream dnscrypt-proxy.service
systemd.services.dnscrypt-proxy = {
description = "dnscrypt-proxy daemon";
after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";
143
-
## note: NonBlocking is required for socket activation to work
ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
···
pyrox.dev