From 9b7e02dd4b8ac50e568b076e9d3903c7a75808ac Mon Sep 17 00:00:00 2001 From: Diogo Correia Date: Sun, 11 Feb 2024 14:22:27 +0100 Subject: [PATCH 1/2] nixos/dnsproxy: init module --- nixos/modules/module-list.nix | 1 + .../modules/services/networking/dnsproxy.nix | 106 ++++++++++++++++++ 2 files changed, 107 insertions(+) create mode 100644 nixos/modules/services/networking/dnsproxy.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index c9e6c3794ffe..3239939d4110 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -934,6 +934,7 @@ ./services/networking/dnscrypt-wrapper.nix ./services/networking/dnsdist.nix ./services/networking/dnsmasq.nix + ./services/networking/dnsproxy.nix ./services/networking/doh-proxy-rust.nix ./services/networking/ejabberd.nix ./services/networking/envoy.nix diff --git a/nixos/modules/services/networking/dnsproxy.nix b/nixos/modules/services/networking/dnsproxy.nix new file mode 100644 index 000000000000..f0be74d7591f --- /dev/null +++ b/nixos/modules/services/networking/dnsproxy.nix @@ -0,0 +1,106 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) + escapeShellArgs + getExe + lists + literalExpression + maintainers + mdDoc + mkEnableOption + mkIf + mkOption + mkPackageOption + types; + + cfg = config.services.dnsproxy; + + yaml = pkgs.formats.yaml { }; + configFile = yaml.generate "config.yaml" cfg.settings; + + finalFlags = (lists.optional (cfg.settings != { }) "--config-path=${configFile}") ++ cfg.flags; +in +{ + + options.services.dnsproxy = { + + enable = mkEnableOption (lib.mdDoc "dnsproxy"); + + package = mkPackageOption pkgs "dnsproxy" { }; + + settings = mkOption { + type = yaml.type; + default = { }; + example = literalExpression '' + { + bootstrap = [ + "8.8.8.8:53" + ]; + listen-addrs = [ + "0.0.0.0" + ]; + listen-ports = [ + 53 + ]; + upstream = [ + "1.1.1.1:53" + ]; + } + ''; + description = mdDoc '' + Contents of the `config.yaml` config file. + The `--config-path` argument will only be passed if this set is not empty. + + See . + ''; + }; + + flags = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "--upstream=1.1.1.1:53" ]; + description = lib.mdDoc '' + A list of extra command-line flags to pass to dnsproxy. For details on the + available options, see . + Keep in mind that options passed through command-line flags override + config options. + ''; + }; + + }; + + config = mkIf cfg.enable { + systemd.services.dnsproxy = { + description = "Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support"; + after = [ "network.target" "nss-lookup.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${getExe cfg.package} ${escapeShellArgs finalFlags}"; + Restart = "always"; + RestartSec = 10; + DynamicUser = true; + + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ "@system-service" "~@privileged @resources" ]; + }; + }; + }; + + meta.maintainers = with maintainers; [ diogotcorreia ]; + +} From e035dab4fffc152878e73988272d099c3e6b13c1 Mon Sep 17 00:00:00 2001 From: Diogo Correia Date: Sun, 11 Feb 2024 14:36:51 +0100 Subject: [PATCH 2/2] doc: add services.dnsproxy to 24.05 release notes --- nixos/doc/manual/release-notes/rl-2405.section.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 05c06ebcac1b..32ec2cc8d3fa 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -56,6 +56,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [pretalx](https://github.com/pretalx/pretalx), a conference planning tool. Available as [services.pretalx](#opt-services.pretalx.enable). +- [dnsproxy](https://github.com/AdguardTeam/dnsproxy), a simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support. Available as [services.dnsproxy](#opt-services.dnsproxy.enable). + - [rspamd-trainer](https://gitlab.com/onlime/rspamd-trainer), script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training. - [ollama](https://ollama.ai), server for running large language models locally.