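{ config, lib, pkgs, ... }:

# NixOS module for AdGuard's dnsproxy. Configuration can be given either as a
# structured `settings` set (rendered to a YAML file) or as raw command-line
# `flags`; both may be combined, with flags taking precedence over the file.

let
  inherit (lib)
    escapeShellArgs
    getExe
    lists
    literalExpression
    maintainers
    mdDoc
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    types;

  cfg = config.services.dnsproxy;

  yaml = pkgs.formats.yaml { };
  # The rendered config is a Nix store path and therefore world-readable.
  configFile = yaml.generate "config.yaml" cfg.settings;

  # Only pass `--config-path` when the user actually set something, so a
  # flags-only configuration needs no config file at all.
  finalFlags =
    (lists.optional (cfg.settings != { }) "--config-path=${configFile}")
    ++ cfg.flags;
in
{

  options.services.dnsproxy = {

    enable = mkEnableOption (mdDoc "dnsproxy");

    package = mkPackageOption pkgs "dnsproxy" { };

    settings = mkOption {
      type = yaml.type;
      default = { };
      example = literalExpression ''
        {
          bootstrap = [
            "8.8.8.8:53"
          ];
          listen-addrs = [
            "0.0.0.0"
          ];
          listen-ports = [
            53
          ];
          upstream = [
            "1.1.1.1:53"
          ];
        }
      '';
      description = mdDoc ''
        Contents of the `config.yaml` config file.
        The `--config-path` argument will only be passed if this set is not empty.

        The generated file is placed in the world-readable Nix store, so do not
        put secrets in it.

        See <https://github.com/AdguardTeam/dnsproxy/blob/master/config.yaml.dist>.
      '';
    };

    flags = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "--upstream=1.1.1.1:53" ];
      description = mdDoc ''
        A list of extra command-line flags to pass to dnsproxy. For details on the
        available options, see <https://github.com/AdguardTeam/dnsproxy#usage>.
        Keep in mind that options passed through command-line flags override
        config options.
      '';
    };

  };

  config = mkIf cfg.enable {
    systemd.services.dnsproxy = {
      description = "Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support";
      # NOTE(review): if dnsproxy acts as this host's resolver it should
      # probably be ordered *before* nss-lookup.target instead — confirm the
      # intended role before changing the ordering.
      after = [ "network.target" "nss-lookup.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # Every flag is shell-escaped; the store path of the config file is
        # embedded directly, so the unit changes whenever `settings` changes.
        ExecStart = "${getExe cfg.package} ${escapeShellArgs finalFlags}";
        Restart = "always";
        RestartSec = 10;
        # Runs as a transient, unprivileged user (this also implies
        # ProtectSystem=strict, PrivateTmp and RemoveIPC in systemd).
        DynamicUser = true;

        # The only privilege the daemon needs is binding port 53 as non-root.
        # The bounding set mirrors the ambient set so that no other capability
        # can ever be acquired, even through a setuid helper.
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        # Only IP sockets are needed for listening and for upstream queries.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallErrorNumber = "EPERM";
        # Allow the usual service syscalls, then carve out the privileged and
        # resource-control groups again; the leading `~` inverts the list.
        SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
      };
    };
  };

  meta.maintainers = with maintainers; [ diogotcorreia ];

}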