author | Joachim Fasting <joachifm@fastmail.fm> | 2016-03-17 14:34:56 +0100 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-03-17 15:02:33 +0100 |
commit | 12877098cb6f76bd021ba74684cb70759a7b76b9 (patch) | |
tree | 005765a3a563d1eae018af38e3ed19cb0080f7e3 /nixos/modules/services/networking | |
parent | cdef1cdd384601ee92c021dad6450733badc9e1f (diff) | |
dnscrypt-proxy service: expose option to use ephemeral keys
Some users may wish to improve their privacy by using per-query key pairs, which makes it more difficult for upstream resolvers to track users across IP addresses.
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy.nix | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index d9ca430161ee..a6b5b1deed76 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -10,6 +10,7 @@ let daemonArgs = [ "--local-address=${localAddress}" (optionalString cfg.tcpOnly "--tcp-only") + (optionalString cfg.ephemeralKeys "-E") ] ++ resolverArgs; resolverArgs = if (cfg.customResolver != null) @@ -116,6 +117,17 @@ in TCP instead of UDP (on port 443). Use only if the UDP port is blocked. ''; }; + ephemeralKeys = mkOption { + default = false; + type = types.bool; + description = '' + Compute a new key pair for every query. Enabling this option + increases CPU usage, but makes it more difficult for the upstream + resolver to track your usage of their service across IP addresses. + The default is to re-use the public key pair for all queries, making + tracking trivial. + ''; + }; }; }; |
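Review bot: In the first hunk (`daemonArgs`), the new entry passes the short flag `-E` while the two entries above it use long options (`--local-address=`, `--tcp-only`). The long form `--ephemeral-keys` would keep the list consistent and make the generated command line self-explanatory to someone reading the unit file or the process list. Failing that, a one-line comment next to `"-E"` saying what the flag does would help.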
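Review bot: In the second hunk (the `ephemeralKeys` option), the description's last sentence says "re-use the public key pair", which is imprecise because a key pair has a public and a secret half; "re-use the same key pair for all queries" says what is meant. Since the text promises a privacy property, it is also worth saying explicitly that the option only limits linking queries across IP addresses, so users do not read it as hiding their address from the upstream resolver. An `example = true;` line would match how boolean options are usually documented.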