···
services.dnscrypt-proxy = {
-
The proxy relays regular DNS queries to a DNSCrypt enabled
-
The traffic between the client and the upstream resolver is
-
encrypted and authenticated, which may mitigate the risk of MITM
-
attacks and third-party snooping (assuming the upstream is
localAddress = mkOption {
···
Listen for DNS queries on this address.
···
resolverName = mkOption {
···
Force sending encrypted DNS queries to the upstream resolver
-
over TCP instead of UDP (on port 443).
-
Enabling this option may help circumvent filtering, but should
config = mkIf cfg.enable {
-
security.apparmor.profiles = mkIf apparmorEnabled [
-
(pkgs.writeText "apparmor-dnscrypt-proxy" ''
-
${dnscrypt-proxy}/bin/dnscrypt-proxy {
-
${config.environment.etc."nsswitch.conf".source} r,
-
${pkgs.glibc}/lib/*.so mr,
-
${pkgs.tzdata}/share/zoneinfo/** r,
-
${pkgs.gcc.cc}/lib/libssp.so.* mr,
-
${pkgs.libsodium}/lib/libsodium.so.* mr,
-
${pkgs.systemd}/lib/libsystemd.so.* mr,
-
${pkgs.xz}/lib/liblzma.so.* mr,
-
${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
-
${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
users.extraUsers.dnscrypt-proxy = {
uid = config.ids.uids.dnscrypt-proxy;
···
users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;
-
## derived from upstream dnscrypt-proxy.socket
systemd.sockets.dnscrypt-proxy = {
description = "dnscrypt-proxy listening socket";
ListenStream = "${cfg.localAddress}:${toString cfg.port}";
ListenDatagram = "${cfg.localAddress}:${toString cfg.port}";
wantedBy = [ "sockets.target" ];
-
# derived from upstream dnscrypt-proxy.service
systemd.services.dnscrypt-proxy = {
description = "dnscrypt-proxy daemon";
after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";
-
## note: NonBlocking is required for socket activation to work
ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
···
pyrox.dev