field | value | date
---|---|---
author | Joachim Fasting <joachifm@fastmail.fm> | 2017-03-07 23:17:01 +0100
committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-03-08 19:07:50 +0100
commit | e72aaa73eacb15b82270fe702517be97d1beba37 (patch) |
tree | c8dc49cb6f4bcecdcfb8988a259779d3a5c6cd28 |
parent | adf044e1fbb723e65942da887486a873c022e3ac (diff) |
nixos/dnscrypt-proxy: support updating before nss is up
Resolve download.dnscrypt.org using hostip with a bootstrap resolver (hard-coded to Google Public DNS for now), to ensure that we can get an up-to-date resolver list without working name service lookups. This makes us more robust to the upstream resolver list getting out of date and other DNS configuration problems. We use the curl --resolver switch to allow https cert validation (we'd need to do --insecure if using just the ip addr). Note that we don't rely on https for security but it's nice to have it ...
mode | file | lines changed
---|---|---
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy.nix | 12

1 files changed, 7 insertions, 5 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index 60ce0bc2aa26..636caf25a552 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -266,13 +266,15 @@ in requires = [ "init-dnscrypt-proxy-statedir.service" ]; after = [ "init-dnscrypt-proxy-statedir.service" ]; - path = with pkgs; [ curl minisign ]; + path = with pkgs; [ curl dnscrypt-proxy minisign ]; script = '' cd ${stateDirectory} - curl -fSsL -o dnscrypt-resolvers.csv.tmp \ - https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv - curl -fSsL -o dnscrypt-resolvers.csv.minisig.tmp \ - https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv.minisig + domain=download.dnscrypt.org + get="curl -fSs --resolve $domain:443:$(hostip -r 8.8.8.8 $domain | head -1)" + $get -o dnscrypt-resolvers.csv.tmp \ + https://$domain/dnscrypt-proxy/dnscrypt-resolvers.csv + $get -o dnscrypt-resolvers.csv.minisig.tmp \ + https://$domain/dnscrypt-proxy/dnscrypt-resolvers.csv.minisig mv dnscrypt-resolvers.csv.minisig{.tmp,} minisign -q -V -p ${upstreamResolverListPubKey} \ -m dnscrypt-resolvers.csv.tmp -x dnscrypt-resolvers.csv.minisig |
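Review bot: the `get=` line builds the `--resolve` argument directly from `$(hostip -r 8.8.8.8 $domain | head -1)` without checking that the lookup actually produced an address; if the bootstrap query yields no output, curl is handed `--resolve download.dnscrypt.org:443:` and the update fails with a less obvious error than a plain name-service failure would give. Capture the address first and check it, e.g. `ip=$(hostip -r 8.8.8.8 "$domain" | head -1)` followed by `[ -n "$ip" ] || exit 1`, before composing the curl command. Two smaller points on the same hunk: `$get` is expanded unquoted, so the command depends on word splitting (harmless for these arguments, but a shell function would be clearer and safer to extend), and the bootstrap resolver `8.8.8.8` is hard-coded inside the script rather than exposed as a module option, so hosts that cannot reach Google Public DNS have no way to substitute their own. As the commit message says, the plaintext bootstrap lookup is not relied on for security: the `minisign -V` check on the downloaded list, unchanged in this hunk, remains the integrity guarantee, and using `--resolve` rather than a bare IP keeps certificate validation in place.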