path: root/nixos/modules/services/networking/dnscrypt-proxy.nix
authorJoachim Fasting <joachifm@fastmail.fm>2017-03-10 15:36:13 +0100
committerJoachim Fasting <joachifm@fastmail.fm>2017-03-15 01:12:37 +0100
commit719813caf6309441fcf502d4c88aabddc7d5ca70 (patch)
treeda9e2feeb83dad73a22b02e1ea832df4f100a3f9 /nixos/modules/services/networking/dnscrypt-proxy.nix
parent9325c3a61646fb1da6ff7377da23c119523d038a (diff)
nixos/dnscrypt-proxy: replace unimportant options with extraArgs
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability.  Until
17.09 we'll automatically translate these options into extraArgs
for convenience.

Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
Diffstat (limited to 'nixos/modules/services/networking/dnscrypt-proxy.nix')
-rw-r--r--nixos/modules/services/networking/dnscrypt-proxy.nix81
1 files changed, 45 insertions, 36 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index 37d56f1c3c17..251097c160c7 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -6,8 +6,6 @@ let
 
   stateDirectory = "/var/lib/dnscrypt-proxy";
 
-  localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
-
   # The minisign public key used to sign the upstream resolver list.
   # This is somewhat more flexible than preloading the key as an
   # embedded string.
@@ -16,31 +14,36 @@ let
     sha256 = "18lnp8qr6ghfc2sd46nn1rhcpr324fqlvgsp4zaigw396cd7vnnh";
   };
 
-  # Internal flag indicating whether the upstream resolver list is used
+  # Internal flag indicating whether the upstream resolver list is used.
   useUpstreamResolverList = cfg.resolverList == null && cfg.customResolver == null;
 
+  # The final local address.
+  localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
+
+  # The final resolvers list path.
   resolverList =
     if (cfg.resolverList != null)
       then cfg.resolverList
       else "${stateDirectory}/dnscrypt-resolvers.csv";
 
-  resolverArgs = if (cfg.customResolver != null)
-    then
-      [ "--resolver-address=${cfg.customResolver.address}:${toString cfg.customResolver.port}"
-        "--provider-name=${cfg.customResolver.name}"
-        "--provider-key=${cfg.customResolver.key}"
-      ]
-    else
-      [ "--resolvers-list=${resolverList}"
-        "--resolver-name=${cfg.resolverName}"
-      ];
-
-  # The final command line arguments passed to the daemon
+  # Build daemon command line
+
+  resolverArgs =
+    if (cfg.customResolver == null)
+      then
+        [ "-L ${resolverList}"
+          "-R ${cfg.resolverName}"
+        ]
+      else with cfg.customResolver;
+        [ "-N ${name}"
+          "-k ${key}"
+          "-r ${address}:${toString port}"
+        ];
+
   daemonArgs =
-    [ "--local-address=${localAddress}" ]
-    ++ optional cfg.tcpOnly "--tcp-only"
-    ++ optional cfg.ephemeralKeys "-E"
-    ++ resolverArgs;
+       [ "-a ${localAddress}" ]
+    ++ resolverArgs
+    ++ cfg.extraArgs;
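Review bot: Each rewritten element of resolverArgs and daemonArgs now bundles a flag and its value in one string separated by a space (`"-L ${resolverList}"`, `"-r ${address}:${toString port}"`, `"-a ${localAddress}"`), whereas the removed form (`--resolvers-list=${resolverList}`) was one token. How this list becomes the daemon's command line is outside the hunk; if the elements are ever escaped one by one, each pair reaches the daemon as a single argument, and if they are joined unescaped, a user-supplied `cfg.resolverList` path or `cfg.resolverName` containing whitespace is split mid-value. Keeping flag and value as separate list elements, `"-L" resolverList` and `"-R" cfg.resolverName` (likewise for `-a`, `-N`, `-k`, `-r`), stays correct under either rendering. The enclosing `let` block starts above this hunk.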
 in
 
 {
@@ -50,6 +53,9 @@ in
   };
 
   options = {
+    # Before adding another option, consider whether it could
+    # equally well be passed via extraArgs.
+
     services.dnscrypt-proxy = {
       enable = mkOption {
         default = false;
@@ -131,24 +137,13 @@ in
         }; }));
       };
 
-      tcpOnly = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Force sending encrypted DNS queries to the upstream resolver over
-          TCP instead of UDP (on port 443). Use only if the UDP port is blocked.
-        '';
-      };
-
-      ephemeralKeys = mkOption {
-        default = false;
-        type = types.bool;
+      extraArgs = mkOption {
+        default = [];
+        type = types.listOf types.str;
         description = ''
-          Compute a new key pair for every query.  Enabling this option
-          increases CPU usage, but makes it more difficult for the upstream
-          resolver to track your usage of their service across IP addresses.
-          The default is to re-use the public key pair for all queries, making
-          tracking trivial.
+          Additional command-line arguments passed verbatim to the daemon.
+          See <citerefentry><refentrytitle>dnscrypt-proxy</refentrytitle>
+          <manvolnum>8</manvolnum></citerefentry> for details.
         '';
       };
     };
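Review bot: The new extraArgs description says the arguments are passed verbatim but not where they land relative to the module-generated flags, nor what users of the removed tcpOnly and ephemeralKeys options should write instead. Since the list is appended after the generated `-a`/`-L`/`-R` arguments and this commit maps the removed options to `-T` and `-E` in the imports section, the description could say so, e.g. `Additional command-line arguments appended after the module-generated ones and passed verbatim to the daemon (for example <literal>-T</literal> for TCP-only transport or <literal>-E</literal> for per-query ephemeral keys).`. The removed ephemeralKeys text also carried the privacy rationale (reusing one key pair lets the upstream resolver correlate a client's queries across IP addresses); that reasoning now lives only in the man page, so the pointer to it is the part of the description worth keeping explicit.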
@@ -309,5 +304,19 @@ in
 
   imports = [
     (mkRenamedOptionModule [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ])
+
+    (mkChangedOptionModule
+      [ "services" "dnscrypt-proxy" "tcpOnly" ]
+      [ "services" "dnscrypt-proxy" "extraArgs" ]
+      (config:
+        let val = getAttrFromPath [ "services" "dnscrypt-proxy" "tcpOnly" ] config; in
+        optional val "-T"))
+
+    (mkChangedOptionModule
+      [ "services" "dnscrypt-proxy" "ephemeralKeys" ]
+      [ "services" "dnscrypt-proxy" "extraArgs" ]
+      (config:
+        let val = getAttrFromPath [ "services" "dnscrypt-proxy" "ephemeralKeys" ] config; in
+        optional val "-E"))
   ];
 }
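Review bot: The two mkChangedOptionModule entries implement the temporary translation that the commit message says will be kept only until 17.09, but nothing in the file records that deadline, so they are likely to outlive it. A comment above the first entry, `# Temporary translation of the removed tcpOnly/ephemeralKeys options into extraArgs; remove after 17.09.`, keeps the intent next to the code. It is also worth stating in that comment that a value of false for either old option yields an empty list (`optional false "-T"`), so only explicit true settings add a flag.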