
base repository: NixOS/nixpkgs
base: 32bcda741a9f
head repository: NixOS/nixpkgs
compare: 06520c7fb785
  • 4 commits
  • 1 file changed
  • 1 contributor

Commits on Mar 8, 2017

  1. nixos/dnscrypt-proxy: refactoring

    Use mkMerge to make the code a little more ergonomic and easier
    to follow (to my eyes, anyway ...).  Also take the opportunity
    to do some minor cleanups & tweaks, but no functional changes.
    joachifm committed Mar 8, 2017
    adf044e View commit details
  2. nixos/dnscrypt-proxy: support updating before nss is up

    Resolve download.dnscrypt.org using hostip with a bootstrap
    resolver (hard-coded to Google Public DNS for now), to ensure
    that we can get an up-to-date resolver list without working name
    service lookups. This makes us more robust to the upstream
    resolver list getting out of date and other DNS configuration
    problems.
    
    We use the curl --resolve switch to allow https cert validation
    (we'd need to do --insecure if using just the ip addr). Note
    that we don't rely on https for security but it's nice to have
    it ...
    joachifm committed Mar 8, 2017
    e72aaa7 View commit details
  3. nixos/dnscrypt-proxy: more fs isolation for the updater

    It'd be better to do the update as an unprivileged user; for
    now, we do our best to minimize the surface available.  We
    filter mount syscalls to prevent the process from undoing the fs
    isolation.
    joachifm committed Mar 8, 2017
    5f27abe View commit details
  4. nixos/dnscrypt-proxy: indicate update status

    Make it easier for the user to tell when the list is updated
    and, at their option, see what changed.
    joachifm committed Mar 8, 2017
    06520c7 View commit details
Showing with 78 additions and 58 deletions.
  1. +78 −58 nixos/modules/services/networking/dnscrypt-proxy.nix
136 changes: 78 additions & 58 deletions nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -155,15 +155,59 @@ in
};
};

config = mkIf cfg.enable {

config = mkIf cfg.enable (mkMerge [{
assertions = [
{ assertion = (cfg.customResolver != null) || (cfg.resolverName != null);
message = "please configure upstream DNSCrypt resolver";
}
];

security.apparmor.profiles = optional apparmorEnabled (pkgs.writeText "apparmor-dnscrypt-proxy" ''
users.users.dnscrypt-proxy = {
description = "dnscrypt-proxy daemon user";
isSystemUser = true;
group = "dnscrypt-proxy";
};
users.groups.dnscrypt-proxy = {};

systemd.sockets.dnscrypt-proxy = {
description = "dnscrypt-proxy listening socket";
documentation = [ "man:dnscrypt-proxy(8)" ];

wantedBy = [ "sockets.target" ];

socketConfig = {
ListenStream = localAddress;
ListenDatagram = localAddress;
};
};

systemd.services.dnscrypt-proxy = {
description = "dnscrypt-proxy daemon";
documentation = [ "man:dnscrypt-proxy(8)" ];

before = [ "nss-lookup.target" ];

after = [ "network.target" ]
++ optional apparmorEnabled "apparmor.service";

requires = [ "dnscrypt-proxy.socket "]
++ optional apparmorEnabled "apparmor.service";

serviceConfig = {
NonBlocking = "true";
ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";

User = "dnscrypt-proxy";

PrivateTmp = true;
PrivateDevices = true;
ProtectHome = true;
};
};
}

(mkIf apparmorEnabled {
security.apparmor.profiles = singleton (pkgs.writeText "apparmor-dnscrypt-proxy" ''
${dnscrypt-proxy}/bin/dnscrypt-proxy {
/dev/null rw,
/dev/urandom r,
@@ -188,102 +232,78 @@ in
${getLib pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
${getLib pkgs.libcap}/lib/libcap.so.* mr,
${getLib pkgs.lz4}/lib/liblz4.so.* mr,
${getLib pkgs.attr}/lib/libattr.so.* mr,
${getLib pkgs.attr}/lib/libattr.so.* mr, # */
${resolverList} r,
}
'');
})

users.users.dnscrypt-proxy = {
description = "dnscrypt-proxy daemon user";
isSystemUser = true;
group = "dnscrypt-proxy";
};
users.groups.dnscrypt-proxy = {};

systemd.services.init-dnscrypt-proxy-statedir = optionalAttrs useUpstreamResolverList {
(mkIf useUpstreamResolverList {
systemd.services.init-dnscrypt-proxy-statedir = {
description = "Initialize dnscrypt-proxy state directory";

wantedBy = [ "dnscrypt-proxy.service" ];
before = [ "dnscrypt-proxy.service" ];

script = ''
mkdir -pv ${stateDirectory}
chown -c dnscrypt-proxy:dnscrypt-proxy ${stateDirectory}
cp --preserve=timestamps -uv \
cp -uv \
${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv \
${stateDirectory}
'';

serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
};

systemd.services.update-dnscrypt-resolvers = optionalAttrs useUpstreamResolverList {
systemd.services.update-dnscrypt-resolvers = {
description = "Update list of DNSCrypt resolvers";

requires = [ "init-dnscrypt-proxy-statedir.service" ];
after = [ "init-dnscrypt-proxy-statedir.service" ];

path = with pkgs; [ curl minisign ];
path = with pkgs; [ curl diffutils dnscrypt-proxy minisign ];
script = ''
cd ${stateDirectory}
curl -fSsL -o dnscrypt-resolvers.csv.tmp \
https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
curl -fSsL -o dnscrypt-resolvers.csv.minisig.tmp \
https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv.minisig
domain=download.dnscrypt.org
get="curl -fSs --resolve $domain:443:$(hostip -r 8.8.8.8 $domain | head -1)"
$get -o dnscrypt-resolvers.csv.tmp \
https://$domain/dnscrypt-proxy/dnscrypt-resolvers.csv
$get -o dnscrypt-resolvers.csv.minisig.tmp \
https://$domain/dnscrypt-proxy/dnscrypt-resolvers.csv.minisig
mv dnscrypt-resolvers.csv.minisig{.tmp,}
minisign -q -V -p ${upstreamResolverListPubKey} \
-m dnscrypt-resolvers.csv.tmp -x dnscrypt-resolvers.csv.minisig
[[ -f dnscrypt-resolvers.csv ]] && mv dnscrypt-resolvers.csv{,.old}
mv dnscrypt-resolvers.csv{.tmp,}
if cmp dnscrypt-resolvers.csv{,.old} ; then
echo "no change"
else
echo "resolver list updated"
fi
'';

serviceConfig = {
PrivateTmp = true;
PrivateDevices = true;
ProtectHome = true;
ProtectSystem = true;
ProtectSystem = "strict";
ReadWritePaths = "${dirOf stateDirectory} ${stateDirectory}";
SystemCallFilter = "~@mount";
};
};

systemd.timers.update-dnscrypt-resolvers = optionalAttrs useUpstreamResolverList {
systemd.timers.update-dnscrypt-resolvers = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5min";
OnUnitActiveSec = "6h";
};
wantedBy = [ "timers.target" ];
};

systemd.sockets.dnscrypt-proxy = {
description = "dnscrypt-proxy listening socket";
socketConfig = {
ListenStream = localAddress;
ListenDatagram = localAddress;
};
wantedBy = [ "sockets.target" ];
};

systemd.services.dnscrypt-proxy = {
description = "dnscrypt-proxy daemon";

before = [ "nss-lookup.target" ];

after = [ "network.target" ]
++ optional apparmorEnabled "apparmor.service"
++ optional useUpstreamResolverList "init-dnscrypt-proxy-statedir.service";

requires = [ "dnscrypt-proxy.socket "]
++ optional apparmorEnabled "apparmor.service"
++ optional useUpstreamResolverList "init-dnscrypt-proxy-statedir.service";

serviceConfig = {
Type = "simple";
NonBlocking = "true";
ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";

User = "dnscrypt-proxy";

PrivateTmp = true;
PrivateDevices = true;
ProtectHome = true;
};
};
};
})
]);
}
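Review bot: The bootstrap lookup `$(hostip -r 8.8.8.8 $domain | head -1)` in the update-dnscrypt-resolvers script is not checked: the pipeline's exit status is that of `head`, so a failed or empty hostip answer goes unnoticed and the `--resolve $domain:443:` entry ends up with no address, after which curl either rejects the entry or falls back to the ordinary resolver the commit is trying to avoid. Capture and validate the address before building the command, e.g. `addr=$(hostip -r 8.8.8.8 $domain | head -1)`, `[[ -n $addr ]] || { echo "bootstrap lookup of $domain failed" >&2; exit 1; }`, then `get="curl -fSs --resolve $domain:443:$addr"`. Separately, `mv dnscrypt-resolvers.csv.minisig{.tmp,}` runs before minisign, so a failed verification leaves the still-current csv on disk paired with an unverified .minisig; verifying with `-x dnscrypt-resolvers.csv.minisig.tmp` and moving both files only after the check succeeds keeps the on-disk pair consistent. Since cert validation via `--resolve` and the minisign check together mean a spoofed bootstrap answer can only cause a download failure rather than an accepted forged list, a short comment above `domain=` stating that this is why the hard-coded resolver is acceptable would help the next reader. The stray space inside `"dnscrypt-proxy.socket "` in `requires` also appears on the new side and could be dropped while touching this file.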