commit e941a9d43306f86c690b370812f2d34632ce5d35 · pyrox.dev/nixpkgs

+23 -13

nixos/modules/services/networking/https-dns-proxy.nix

···

       20
       20
        
             ips = [ "9.9.9.9" "149.112.112.112" ];

     

       21
       21
        
             url = "https://dns.quad9.net/dns-query";

     

       22
       22
        
           };

     

       23
       23
       +
           opendns = {

     

       24
       24
       +
             ips = [ "208.67.222.222" "208.67.220.220" ];

     

       25
       25
       +
             url = "https://doh.opendns.com/dns-query";

     

       26
       26
       +
           };

     

       27
       27
       +
           custom = {

     

       28
       28
       +
             inherit (cfg.provider) ips url;

     

       29
       29
       +
           };

     

       23
       30
        
         };

     

       24
       31
        
       

     

       25
       32
        
         defaultProvider = "quad9";

     

       26
       33
        
       

     

       27
       34
        
         providerCfg =

     

       28
       28
       -
           let

     

       29
       29
       -
             isCustom = cfg.provider.kind == "custom";

     

       30
       30
       -
           in

     

       31
       31
       -
           lib.concatStringsSep " " [

     

       35
       35
       +
           concatStringsSep " " [

     

       32
       36
        
             "-b"

     

       33
       33
       -
             (concatStringsSep "," (if isCustom then cfg.provider.ips else providers."${cfg.provider.kind}".ips))

     

       37
       37
       +
             (concatStringsSep "," providers."${cfg.provider.kind}".ips)

     

       34
       38
        
             "-r"

     

       35
       35
       -
             (if isCustom then cfg.provider.url else providers."${cfg.provider.kind}".url)

     

       39
       39
       +
             providers."${cfg.provider.kind}".url

     

       36
       40
        
           ];

     

       37
       41
        
       

     

       38
       42
        
       in

     
···

       62
       66
        
                 The upstream provider to use or custom in case you do not trust any of

     

       63
       67
        
                 the predefined providers or just want to use your own.

     

       64
       68
        
       

     

       65
       65
       -
                 The default is ${defaultProvider} and there are privacy and security trade-offs

     

       66
       66
       -
                 when using any upstream provider. Please consider that before using any

     

       67
       67
       -
                 of them.

     

       69
       69
       +
                 The default is ${defaultProvider} and there are privacy and security

     

       70
       70
       +
                 trade-offs when using any upstream provider. Please consider that

     

       71
       71
       +
                 before using any of them.

     

       68
       72
        
       

     

       69
       69
       -
                 If you pick a custom provider, you will need to provide the bootstrap

     

       70
       70
       -
                 IP addresses as well as the resolver https URL.

     

       73
       73
       +
                 Supported providers: ${concatStringsSep ", " (builtins.attrNames providers)}

     

       74
       74
       +
       

     

       75
       75
       +
                 If you pick the custom provider, you will need to provide the

     

       76
       76
       +
                 bootstrap IP addresses as well as the resolver https URL.

     

       71
       77
        
               '';

     

       72
       72
       -
               type = types.enum ((builtins.attrNames providers) ++ [ "custom" ]);

     

       78
       78
       +
               type = types.enum (builtins.attrNames providers);

     

       73
       79
        
               default = defaultProvider;

     

       74
       80
        
             };

     

       75
       81
        
       

     
···

       105
       111
        
         config = lib.mkIf cfg.enable {

     

       106
       112
        
           systemd.services.https-dns-proxy = {

     

       107
       113
        
             description = "DNS to DNS over HTTPS (DoH) proxy";

     

       114
       114
       +
             requires = [ "network.target" ];

     

       108
       115
        
             after = [ "network.target" ];

     

       116
       116
       +
             wants = [ "nss-lookup.target" ];

     

       117
       117
       +
             before = [ "nss-lookup.target" ];

     

       109
       118
        
             wantedBy = [ "multi-user.target" ];

     

       110
       119
        
             serviceConfig = rec {

     

       111
       120
        
               Type = "exec";

     

       112
       121
        
               DynamicUser = true;

     

       122
       122
       +
               ProtectHome = "tmpfs";

     

       113
       123
        
               ExecStart = lib.concatStringsSep " " (

     

       114
       124
        
                 [

     

       115
       115
       -
                   "${pkgs.https-dns-proxy}/bin/https_dns_proxy"

     

       125
       125
       +
                   (lib.getExe pkgs.https-dns-proxy)

     

       116
       126
        
                   "-a ${toString cfg.address}"

     

       117
       127
        
                   "-p ${toString cfg.port}"

     

       118
       128
        
                   "-l -"

+24 -7

pkgs/servers/dns/https-dns-proxy/default.nix

···

       1
       1
        
       { lib, stdenv, fetchFromGitHub, cmake, gtest, c-ares, curl, libev }:

     

       2
       2
        
       

     

       3
       3
       +
       let

     

       4
       4
       +
         # https-dns-proxy supports HTTP3 if curl has support, but as of 2022-08 curl doesn't work with that enabled

     

       5
       5
       +
         # curl' = (curl.override { http3Support = true; });

     

       6
       6
       +
         curl' = curl;

     

       7
       7
       +
       

     

       8
       8
       +
       in

     

       3
       9
        
       stdenv.mkDerivation rec {

     

       4
       10
        
         pname = "https-dns-proxy";

     

       5
       11
        
         # there are no stable releases (yet?)

     

       6
       6
       -
         version = "unstable-2021-03-29";

     

       12
       12
       +
         version = "unstable-2022-05-05";

     

       7
       13
        
       

     

       8
       14
        
         src = fetchFromGitHub {

     

       9
       15
        
           owner = "aarond10";

     

       10
       16
        
           repo = "https_dns_proxy";

     

       11
       11
       -
           rev = "bbd9ef272dcda3ead515871f594768af13192af7";

     

       12
       12
       -
           sha256 = "sha256-r+IpDklI3vITK8ZlZvIFm3JdDe2r8DK2ND3n1a/ThrM=";

     

       17
       17
       +
           rev = "d310a378795790350703673388821558163944de";

     

       18
       18
       +
           hash = "sha256-On4SKUeltPhzM/x+K9aKciKBw5lmVySxnmLi2tnKr3Y=";

     

       13
       19
        
         };

     

       14
       20
        
       

     

       21
       21
       +
         postPatch = ''

     

       22
       22
       +
           substituteInPlace https_dns_proxy.service.in \

     

       23
       23
       +
             --replace "\''${CMAKE_INSTALL_PREFIX}/" ""

     

       24
       24
       +
           substituteInPlace munin/https_dns_proxy.plugin \

     

       25
       25
       +
             --replace '--unit https_dns_proxy.service' '--unit https-dns-proxy.service'

     

       26
       26
       +
         '';

     

       27
       27
       +
       

     

       15
       28
        
         nativeBuildInputs = [ cmake gtest ];

     

       16
       29
        
       

     

       17
       17
       -
         buildInputs = [ c-ares curl libev ];

     

       30
       30
       +
         buildInputs = [ c-ares curl' libev ];

     

       18
       31
        
       

     

       19
       19
       -
         installPhase = ''

     

       20
       20
       -
           install -Dm555 -t $out/bin https_dns_proxy

     

       21
       21
       -
           install -Dm444 -t $out/share/doc/${pname} ../{LICENSE,README}.*

     

       32
       32
       +
         postInstall = ''

     

       33
       33
       +
           install -Dm444 -t $out/share/doc/${pname} ../{LICENSE,*.md}

     

       34
       34
       +
           install -Dm444 -t $out/share/${pname}/munin ../munin/*

     

       35
       35
       +
           # the systemd service definition is garbage, and we use our own with NixOS

     

       36
       36
       +
           mv $out/lib/systemd $out/share/${pname}

     

       37
       37
       +
           rmdir $out/lib

     

       22
       38
        
         '';

     

       23
       39
        
       

     

       24
       40
        
         # upstream wants to add tests and the gtest framework is in place, so be ready

     
···

       30
       46
        
           license = licenses.mit;

     

       31
       47
        
           maintainers = with maintainers; [ peterhoeg ];

     

       32
       48
        
           platforms = platforms.linux;

     

       49
       49
       +
           mainProgram = "https_dns_proxy";

     

       33
       50
        
         };

     

       34
       51
        
       }