author | rnhmjoj <rnhmjoj@inventati.org> | 2020-04-24 01:23:56 +0200 |
committer | rnhmjoj <rnhmjoj@inventati.org> | 2020-05-25 09:16:23 +0200 |
commit | 743eea4c5f6ae0642d37f4e92332fb9734fe5d81 (patch) | |
tree | 444be7db007429b9cb7ac57a6e7033c59a88c1ef /nixos | |
parent | fd3727a3130ad3b07cea53648e86ac3d79b55462 (diff) | |
nixos/dnscrypt-wrapper: make provider keys configurable
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-wrapper.nix | 51 |
1 files changed, 44 insertions, 7 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix
index 38cb7eed6614..b9333cd19a2a 100644
--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -5,12 +5,20 @@ let
 cfg = config.services.dnscrypt-wrapper;
 dataDir = "/var/lib/dnscrypt-wrapper";
+ mkPath = path: default:
+ if path != null
+ then toString path
+ else default;
+
+ publicKey = mkPath cfg.providerKey.public "${dataDir}/public.key";
+ secretKey = mkPath cfg.providerKey.secret "${dataDir}/secret.key";
+
 daemonArgs = with cfg; [
 "--listen-address=${address}:${toString port}"
 "--resolver-address=${upstream.address}:${toString upstream.port}"
 "--provider-name=${providerName}"
- "--provider-publickey-file=public.key"
- "--provider-secretkey-file=secret.key"
+ "--provider-publickey-file=${publicKey}"
+ "--provider-secretkey-file=${secretKey}"
 "--provider-cert-file=${providerName}.crt"
 "--crypt-secretkey-file=${providerName}.key"
 ];
@@ -24,17 +32,19 @@ let
 dnscrypt-wrapper --gen-cert-file \
 --crypt-secretkey-file=${cfg.providerName}.key \
 --provider-cert-file=${cfg.providerName}.crt \
- --provider-publickey-file=public.key \
- --provider-secretkey-file=secret.key \
+ --provider-publickey-file=${publicKey} \
+ --provider-secretkey-file=${secretKey} \
 --cert-file-expire-days=${toString cfg.keys.expiration}
 }
 cd ${dataDir}
 # generate provider keypair (first run only)
- if [ ! -f public.key ] || [ ! -f secret.key ]; then
- dnscrypt-wrapper --gen-provider-keypair
- fi
+ ${optionalString (cfg.providerKey.public == null || cfg.providerKey.secret == null) ''
+ if [ ! -f ${publicKey} ] || [ ! -f ${secretKey} ]; then
+ dnscrypt-wrapper --gen-provider-keypair
+ fi
+ ''}
 # generate new keys for rotation
 if [ ! -f ${cfg.providerName}.key ] || [ ! -f ${cfg.providerName}.crt ]; then
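Review bot: The `toString path` in `mkPath` is the security-relevant choice here and deserves a comment, because a later maintainer could "simplify" it to `"${path}"`, which copies a path literal into the world-readable Nix store and would publish a user-supplied provider secret key. Suggest `# toString, not "${path}": a path literal must not be copied into the world-readable Nix store` on the line above `mkPath = path: default:`. The `let` block this hunk edits continues outside the hunk.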
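Review bot: When both provider keys are supplied, the new `optionalString` block in the second hunk skips key generation but nothing verifies that `${publicKey}` and `${secretKey}` actually exist and are readable, so a typo in the path surfaces only as an opaque failure of `dnscrypt-wrapper --gen-cert-file`. A fail-fast check before the certificate step would make the misconfiguration explicit: `${optionalString (cfg.providerKey.public != null && cfg.providerKey.secret != null) ''` / `test -r ${publicKey} -a -r ${secretKey} || { echo "provider key files are missing or unreadable" >&2; exit 1; }` / `''}`. Whether this script runs as root or as the service user is not visible in the hunk; if it runs as root, `-r` still catches a missing file but not a file the service user cannot read. The enclosing preStart script starts before the hunk.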
@@ -139,6 +149,26 @@ in {
 '';
 };
+ providerKey.public = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/etc/secrets/public.key";
+ description = ''
+ The filepath to the provider public key. If not given a new
+ provider key pair will be generated on the first run.
+ '';
+ };
+
+ providerKey.secret = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/etc/secrets/secret.key";
+ description = ''
+ The filepath to the provider secret key. If not given a new
+ provider key pair will be generated on the first run.
+ '';
+ };
+
 upstream.address = mkOption {
 type = types.str;
 default = "127.0.0.1";
@@ -237,6 +267,13 @@ in {
 };
 };
+ assertions = with cfg; [
+ { assertion = (providerKey.public == null && providerKey.secret == null) ||
+ (providerKey.secret != null && providerKey.public != null);
+ message = "The secret and public provider key must be set together.";
+ }
+ ];
+
 };
 meta.maintainers = with lib.maintainers; [ rnhmjoj ]; |
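Review bot: The `providerKey.secret` description says nothing about how the file must be provisioned, which for a secret key is the part users get wrong: it has to be readable by the account the service runs as, and it must not be a Nix store path since the store is world-readable. It also does not mention that the two options have to be set together, which the assertion added in the last hunk enforces but the user only discovers at evaluation time. Suggest appending to the secret key's description: `The file must be readable by the service's user and must not be placed in the Nix store, which is world-readable. Must be set together with providerKey.public.` and a matching "set together" sentence on `providerKey.public`. The option set this hunk extends starts and ends outside the hunk.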
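Review bot: The two-clause assertion in the last hunk expresses "both null or both set" in a way that takes a moment to verify; the equivalent `assertion = (providerKey.public == null) == (providerKey.secret == null);` states the intent in one line and cannot drift if a third key option is added later. The message string can stay as it is. The enclosing `config` attribute set begins outside the hunk.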