···
apparmorEnabled = config.security.apparmor.enable;
dnscrypt-proxy = pkgs.dnscrypt-proxy;
cfg = config.services.dnscrypt-proxy;
8
-
uid = config.ids.uids.dnscrypt-proxy;
8
+
resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
10
-
[ "--user=dnscrypt-proxy"
11
-
"--local-address=${cfg.localAddress}:${toString cfg.port}"
10
+
[ "--local-address=${cfg.localAddress}:${toString cfg.port}"
(optionalString cfg.tcpOnly "--tcp-only")
13
-
"--resolvers-list=${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
12
+
"--resolvers-list=${resolverListFile}"
"--resolver-name=${cfg.resolverName}"
···
59
-
The name of the upstream DNSCrypt resolver to use.
60
-
See <literal>${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv</literal>
61
-
for alternative resolvers (e.g., if you are concerned about logging
62
-
and/or server location).
58
+
The name of the upstream DNSCrypt resolver to use. See
59
+
<literal>${resolverListFile}</literal> for alternative resolvers
60
+
(e.g., if you are concerned about logging and/or server
···
(pkgs.writeText "apparmor-dnscrypt-proxy" ''
${dnscrypt-proxy}/bin/dnscrypt-proxy {
91
-
network inet stream,
92
-
network inet6 stream,
94
-
network inet6 dgram,
96
-
capability ipc_lock,
97
-
capability net_bind_service,
98
-
capability net_admin,
99
-
capability sys_chroot,
···
${pkgs.glibc}/lib/*.so mr,
${pkgs.tzdata}/share/zoneinfo/** r,
113
-
${dnscrypt-proxy}/share/dnscrypt-proxy/** r,
101
+
network inet stream,
102
+
network inet6 stream,
103
+
network inet dgram,
104
+
network inet6 dgram,
${pkgs.gcc.cc}/lib/libssp.so.* mr,
${pkgs.libsodium}/lib/libsodium.so.* mr,
${pkgs.systemd}/lib/libsystemd.so.* mr,
${pkgs.xz}/lib/liblzma.so.* mr,
${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
113
+
${resolverListFile} r,
126
-
users.extraUsers = singleton {
128
-
name = "dnscrypt-proxy";
118
+
users.extraUsers.dnscrypt-proxy = {
119
+
uid = config.ids.uids.dnscrypt-proxy;
description = "dnscrypt-proxy daemon user";
132
-
### Service definition
122
+
users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;
## derived from upstream dnscrypt-proxy.socket
systemd.sockets.dnscrypt-proxy = {
···
## note: NonBlocking is required for socket activation to work
ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
146
+
User = "dnscrypt-proxy";
147
+
Group = "dnscrypt-proxy";
149
+
PrivateDevices = true;
pyrox.dev