Merge pull request NixOS#245852 from rnhmjoj/pr-fix-dnscrypt
dnscrypt-wrapper fixes
rnhmjoj authored Aug 8, 2023
2 parents 8f1e7a5 + 4cd4b1b commit ccc33bd
Showing 4 changed files with 22 additions and 24 deletions.
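--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -71,9 +71,9 @@ let
 if ! keyValid; then
 echo "certificate soon to become invalid; backing up old cert"
 mkdir -p oldkeys
-mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
-mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
-systemctl restart dnscrypt-wrapper
+mv -v "${cfg.providerName}.key" "oldkeys/${cfg.providerName}-$(date +%F-%T).key"
+mv -v "${cfg.providerName}.crt" "oldkeys/${cfg.providerName}-$(date +%F-%T).crt"
+kill "$(pidof -s dnscrypt-wrapper)"
 fi
 '';
 
@@ -222,17 +222,6 @@ in {
 };
 users.groups.dnscrypt-wrapper = { };
 
-security.polkit.extraConfig = ''
-// Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service
-polkit.addRule(function(action, subject) {
-if (action.id == "org.freedesktop.systemd1.manage-units" &&
-action.lookup("unit") == "dnscrypt-wrapper.service" &&
-subject.user == "dnscrypt-wrapper") {
-return polkit.Result.YES;
-}
-});
-'';
-
 systemd.services.dnscrypt-wrapper = {
 description = "dnscrypt-wrapper daemon";
 after = [ "network.target" ];
@@ -242,7 +231,7 @@ in {
 serviceConfig = {
 User = "dnscrypt-wrapper";
 WorkingDirectory = dataDir;
-Restart = "on-failure";
+Restart = "always";
 ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}";
 };
 
@@ -255,7 +244,7 @@ in {
 requires = [ "dnscrypt-wrapper.service" ];
 description = "Rotates DNSCrypt wrapper keys if soon to expire";
 
-path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ];
+path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk procps ];
 script = rotateKeys;
 serviceConfig.User = "dnscrypt-wrapper";
 };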
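Review bot: `kill "$(pidof -s dnscrypt-wrapper)"` in the rotation script gets an empty argument when no daemon process exists, and since the key and certificate were already moved into `oldkeys` on the two lines above, the rotation unit would then fail after having removed the live cert; `pidof -s` also picks one arbitrary PID if several processes carry that name. With procps now on the unit's path, a name- and user-scoped signal with an explicit fallback is more robust: `pkill -x -u dnscrypt-wrapper dnscrypt-wrapper || echo "dnscrypt-wrapper not running; new keys are generated at next start"`. The start of `rotateKeys` and the daemon's preStart are outside the hunk, so whether the script runs under `set -e` and whether a missing key pair is regenerated on start is inferred, not visible. The switch to `Restart = "always"` is what makes the daemon come back after the SIGTERM, since systemd treats a SIGTERM exit as clean and `on-failure` would not restart it; a comment on that line, `# rotateKeys stops the daemon with SIGTERM (a clean exit), so on-failure would not restart it`, would keep the next maintainer from reverting it.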
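--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -217,7 +217,7 @@ in {
 disable-installer-tools = handleTest ./disable-installer-tools.nix {};
 discourse = handleTest ./discourse.nix {};
 dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};
-dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {};
+dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper;
 dnsdist = handleTest ./dnsdist.nix {};
 doas = handleTest ./doas.nix {};
 docker = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker.nix {};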
14 changes: 8 additions & 6 deletions nixos/tests/dnscrypt-wrapper/default.nix
@@ -1,4 +1,6 @@
import ../make-test-python.nix ({ pkgs, ... }: {
{ lib, pkgs, ... }:

{
name = "dnscrypt-wrapper";
meta = with pkgs.lib.maintainers; {
maintainers = [ rnhmjoj ];
Expand Down Expand Up @@ -50,23 +52,23 @@ import ../make-test-python.nix ({ pkgs, ... }: {
server.wait_for_unit("dnscrypt-wrapper")
server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.key")
server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.crt")
almost_expiration = server.succeed("date --date '4days 23 hours 56min'").strip()
with subtest("The client can connect to the server"):
server.wait_for_unit("tinydns")
client.wait_for_unit("dnscrypt-proxy2")
assert "1.2.3.4" in client.succeed(
assert "1.2.3.4" in client.wait_until_succeeds(
"host it.works"
), "The IP address of 'it.works' does not match 1.2.3.4"
with subtest("The server rotates the ephemeral keys"):
# advance time by a little less than 5 days
server.succeed("date -s \"$(date --date '4 days 6 hours')\"")
client.succeed("date -s \"$(date --date '4 days 6 hours')\"")
server.succeed(f"date -s '{almost_expiration}'")
client.succeed(f"date -s '{almost_expiration}'")
server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys")
with subtest("The client can still connect to the server"):
server.wait_for_unit("dnscrypt-wrapper")
client.succeed("host it.works")
'';
})

}
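Review bot: In the last subtest, `client.succeed("host it.works")` runs immediately after `server.wait_for_unit("dnscrypt-wrapper")`, but the rotation script only kills the daemon after the `oldkeys` directory the test waited for has been created, so the unit can still be reported active by the pre-kill process and the single query can land in the restart window. Use the same pattern the first subtest now uses: `assert "1.2.3.4" in client.wait_until_succeeds("host it.works")`, which also checks the answer rather than only that `host` exited 0. The `almost_expiration` offset of `4days 23 hours 56min` presumably tracks a 5-day certificate validity configured outside this hunk; a comment naming that dependency, `# must stay just under the cert validity set in the server config`, would keep the two in sync.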
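--- a/pkgs/tools/networking/dnscrypt-wrapper/default.nix
+++ b/pkgs/tools/networking/dnscrypt-wrapper/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libsodium, libevent }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libsodium, libevent, nixosTests }:
 
 stdenv.mkDerivation rec {
 pname = "dnscrypt-wrapper";
@@ -13,9 +13,16 @@ stdenv.mkDerivation rec {
 
 enableParallelBuilding = true;
 
+# causes `dnscrypt-wrapper --gen-provider-keypair` to crash
+hardeningDisable = [ "fortify3" ];
+
 nativeBuildInputs = [ pkg-config autoreconfHook ];
 buildInputs = [ libsodium libevent ];
 
+passthru.tests = {
+inherit (nixosTests) dnscrypt-wrapper;
+};
+
 meta = with lib; {
 description = "A tool for adding dnscrypt support to any name resolver";
 homepage = "https://dnscrypt.info/";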
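Review bot: `hardeningDisable = [ "fortify3" ]` switches off a memory-safety check for the whole package, including the long-running network-facing daemon, to work around a crash in the key-generation path; a FORTIFY_SOURCE=3 abort usually means glibc's stricter object-size tracking caught a real out-of-bounds access, so this may be masking a bug rather than a false positive. The comment should record that and point at a report so the workaround gets revisited, e.g. `# FORTIFY_SOURCE=3 aborts in the --gen-provider-keypair path (likely a real buffer-size bug, not a false positive); level-2 fortify stays enabled. TODO: link upstream issue`. The crash being specific to key generation is what the existing comment states; whether the daemon path is affected is not visible here.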
