Merge pull request #186652 from peterhoeg/u/http-dns

nixos/https-dns-proxy: bump version and add support for OpenDNS
Guillaume Girol 2022-08-20 18:09:23 +00:00 committed by GitHub
commit e941a9d433
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 47 additions and 20 deletions


@ -20,19 +20,23 @@ let
ips = [ "9.9.9.9" "149.112.112.112" ]; ips = [ "9.9.9.9" "149.112.112.112" ];
url = "https://dns.quad9.net/dns-query"; url = "https://dns.quad9.net/dns-query";
}; };
opendns = {
ips = [ "208.67.222.222" "208.67.220.220" ];
url = "https://doh.opendns.com/dns-query";
};
custom = {
inherit (cfg.provider) ips url;
};
}; };
defaultProvider = "quad9"; defaultProvider = "quad9";
providerCfg = providerCfg =
let concatStringsSep " " [
isCustom = cfg.provider.kind == "custom";
in
lib.concatStringsSep " " [
"-b" "-b"
(concatStringsSep "," (if isCustom then cfg.provider.ips else providers."${cfg.provider.kind}".ips)) (concatStringsSep "," providers."${cfg.provider.kind}".ips)
"-r" "-r"
(if isCustom then cfg.provider.url else providers."${cfg.provider.kind}".url) providers."${cfg.provider.kind}".url
]; ];
in in
@ -62,14 +66,16 @@ in
The upstream provider to use or custom in case you do not trust any of The upstream provider to use or custom in case you do not trust any of
the predefined providers or just want to use your own. the predefined providers or just want to use your own.
The default is ${defaultProvider} and there are privacy and security trade-offs The default is ${defaultProvider} and there are privacy and security
when using any upstream provider. Please consider that before using any trade-offs when using any upstream provider. Please consider that
of them. before using any of them.
If you pick a custom provider, you will need to provide the bootstrap Supported providers: ${concatStringsSep ", " (builtins.attrNames providers)}
IP addresses as well as the resolver https URL.
If you pick the custom provider, you will need to provide the
bootstrap IP addresses as well as the resolver https URL.
''; '';
type = types.enum ((builtins.attrNames providers) ++ [ "custom" ]); type = types.enum (builtins.attrNames providers);
default = defaultProvider; default = defaultProvider;
}; };
@ -105,14 +111,18 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
systemd.services.https-dns-proxy = { systemd.services.https-dns-proxy = {
description = "DNS to DNS over HTTPS (DoH) proxy"; description = "DNS to DNS over HTTPS (DoH) proxy";
requires = [ "network.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
wants = [ "nss-lookup.target" ];
before = [ "nss-lookup.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = rec { serviceConfig = rec {
Type = "exec"; Type = "exec";
DynamicUser = true; DynamicUser = true;
ProtectHome = "tmpfs";
ExecStart = lib.concatStringsSep " " ( ExecStart = lib.concatStringsSep " " (
[ [
"${pkgs.https-dns-proxy}/bin/https_dns_proxy" (lib.getExe pkgs.https-dns-proxy)
"-a ${toString cfg.address}" "-a ${toString cfg.address}"
"-p ${toString cfg.port}" "-p ${toString cfg.port}"
"-l -" "-l -"
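Review bot: The new `custom` provider entry in the first hunk (`inherit (cfg.provider) ips url;`) is spliced straight into the `-b`/`-r` arguments without any check that the url is an https:// endpoint or that ips is non-empty, so an http:// value or an empty list would pass evaluation and the proxy would start with a bootstrap or resolver configuration that defeats the point of the service. Since `config = lib.mkIf cfg.enable { ... }` is visible in the third hunk, an evaluation-time assertion there would catch it: `assertions = [ { assertion = cfg.provider.kind != "custom" || (cfg.provider.ips != [] && lib.hasPrefix "https://" cfg.provider.url); message = "https-dns-proxy: a custom provider needs at least one bootstrap IP and an https:// resolver URL"; } ];`. The option declarations for provider.ips and provider.url are outside these hunks, so if they already constrain the value this is redundant. The third hunk also adds `ProtectHome = "tmpfs"` while the rest of serviceConfig is cut off, so whether binding to a privileged port under DynamicUser is handled cannot be judged from here.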


@ -1,24 +1,40 @@
{ lib, stdenv, fetchFromGitHub, cmake, gtest, c-ares, curl, libev }: { lib, stdenv, fetchFromGitHub, cmake, gtest, c-ares, curl, libev }:
let
# https-dns-proxy supports HTTP3 if curl has support, but as of 2022-08 curl doesn't work with that enabled
# curl' = (curl.override { http3Support = true; });
curl' = curl;
in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "https-dns-proxy"; pname = "https-dns-proxy";
# there are no stable releases (yet?) # there are no stable releases (yet?)
version = "unstable-2021-03-29"; version = "unstable-2022-05-05";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "aarond10"; owner = "aarond10";
repo = "https_dns_proxy"; repo = "https_dns_proxy";
rev = "bbd9ef272dcda3ead515871f594768af13192af7"; rev = "d310a378795790350703673388821558163944de";
sha256 = "sha256-r+IpDklI3vITK8ZlZvIFm3JdDe2r8DK2ND3n1a/ThrM="; hash = "sha256-On4SKUeltPhzM/x+K9aKciKBw5lmVySxnmLi2tnKr3Y=";
}; };
postPatch = ''
substituteInPlace https_dns_proxy.service.in \
--replace "\''${CMAKE_INSTALL_PREFIX}/" ""
substituteInPlace munin/https_dns_proxy.plugin \
--replace '--unit https_dns_proxy.service' '--unit https-dns-proxy.service'
'';
nativeBuildInputs = [ cmake gtest ]; nativeBuildInputs = [ cmake gtest ];
buildInputs = [ c-ares curl libev ]; buildInputs = [ c-ares curl' libev ];
installPhase = '' postInstall = ''
install -Dm555 -t $out/bin https_dns_proxy install -Dm444 -t $out/share/doc/${pname} ../{LICENSE,*.md}
install -Dm444 -t $out/share/doc/${pname} ../{LICENSE,README}.* install -Dm444 -t $out/share/${pname}/munin ../munin/*
# the systemd service definition is garbage, and we use our own with NixOS
mv $out/lib/systemd $out/share/${pname}
rmdir $out/lib
''; '';
# upstream wants to add tests and the gtest framework is in place, so be ready # upstream wants to add tests and the gtest framework is in place, so be ready
@ -30,5 +46,6 @@ stdenv.mkDerivation rec {
license = licenses.mit; license = licenses.mit;
maintainers = with maintainers; [ peterhoeg ]; maintainers = with maintainers; [ peterhoeg ];
platforms = platforms.linux; platforms = platforms.linux;
mainProgram = "https_dns_proxy";
}; };
} }
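Review bot: The `substituteInPlace https_dns_proxy.service.in` line in the first hunk's postPatch relies on two layers of escaping (`''$` so Nix does not interpolate, then `\$` inside bash double quotes) to match the literal text `${CMAKE_INSTALL_PREFIX}/`, which is easy to misread as a Nix interpolation, and nothing explains why the prefix is stripped when the postInstall comment says the upstream unit is not used on NixOS. A comment above it such as `# literal ''${CMAKE_INSTALL_PREFIX}/ in the upstream unit; presumably dropped so the shipped ExecStart is the bare binary name` would save the next reader the decoding. The `curl' = curl;` alias with the override commented out is effectively dead code kept for the HTTP3 note, which is fine but worth stating in the comment so nobody "simplifies" it away. Also note that `rmdir $out/lib` in postInstall will fail the build if upstream ever installs anything else under lib, which is probably the intended loud signal rather than a bug.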