nixpkgs/nixos/modules/services/networking/dnscrypt-proxy.nix

{ config, lib, pkgs, ... }:
with lib;

let
  apparmorEnabled = config.security.apparmor.enable;
  dnscrypt-proxy = pkgs.dnscrypt-proxy;
  cfg = config.services.dnscrypt-proxy;
  resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
  daemonArgs =
    [ "--local-address=${cfg.localAddress}:${toString cfg.port}"
      (optionalString cfg.tcpOnly "--tcp-only")
      "--resolvers-list=${resolverListFile}"
      "--resolver-name=${cfg.resolverName}"
    ];
in

{
  ##### interface

  options = {

    services.dnscrypt-proxy = {

      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Enable dnscrypt-proxy.
          The proxy relays regular DNS queries to a DNSCrypt enabled
          upstream resolver.
          The traffic between the client and the upstream resolver is
          encrypted and authenticated, which may mitigate the risk of MITM
          attacks and third-party snooping (assuming the upstream is
          trustworthy).
        '';
      };

      localAddress = mkOption {
        default = "127.0.0.1";
        type = types.string;
        description = ''
          Listen for DNS queries on this address.
        '';
      };

      port = mkOption {
        default = 53;
        type = types.int;
        description = ''
          Listen on this port.
        '';
      };

      resolverName = mkOption {
        default = "opendns";
        type = types.string;
        description = ''
          The name of the upstream DNSCrypt resolver to use. See
          <literal>${resolverListFile}</literal> for alternative resolvers
          (e.g., if you are concerned about logging and/or server
          location).
        '';
      };

      tcpOnly = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Force sending encrypted DNS queries to the upstream resolver
          over TCP instead of UDP (on port 443).
          Enabling this option may help circumvent filtering, but should
          not be used otherwise.
        '';
      };

    };

  };

  ##### implementation

  config = mkIf cfg.enable {

    ### AppArmor profile

    security.apparmor.profiles = mkIf apparmorEnabled [
      (pkgs.writeText "apparmor-dnscrypt-proxy" ''

        ${dnscrypt-proxy}/bin/dnscrypt-proxy {

          /dev/null rw,
          /dev/urandom r,

          /etc/passwd r,
          /etc/group r,
          ${config.environment.etc."nsswitch.conf".source} r,

          ${pkgs.glibc}/lib/*.so mr,
          ${pkgs.tzdata}/share/zoneinfo/** r,

          network inet stream,
          network inet6 stream,
          network inet dgram,
          network inet6 dgram,

          ${pkgs.gcc.cc}/lib/libssp.so.* mr,
          ${pkgs.libsodium}/lib/libsodium.so.* mr,
          ${pkgs.systemd}/lib/libsystemd.so.* mr,
          ${pkgs.xz}/lib/liblzma.so.* mr,
          ${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
          ${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,

          ${resolverListFile} r,
        }
      '')
    ];

    users.extraUsers.dnscrypt-proxy = {
      uid = config.ids.uids.dnscrypt-proxy;
      description = "dnscrypt-proxy daemon user";
    };
    users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;

    ## derived from upstream dnscrypt-proxy.socket
    systemd.sockets.dnscrypt-proxy = {
      description = "dnscrypt-proxy listening socket";

      socketConfig = {
        ListenStream = "${cfg.localAddress}:${toString cfg.port}";
        ListenDatagram = "${cfg.localAddress}:${toString cfg.port}";
      };

      wantedBy = [ "sockets.target" ];
    };

    # derived from upstream dnscrypt-proxy.service
    systemd.services.dnscrypt-proxy = {
      description = "dnscrypt-proxy daemon";
      after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
      requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";
      serviceConfig = {
        Type = "simple";
        ## note: NonBlocking is required for socket activation to work
        NonBlocking = "true";
        ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
        User = "dnscrypt-proxy";
        Group = "dnscrypt-proxy";
        PrivateTmp = true;
        PrivateDevices = true;
      };
    };

  };
}
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`{ config, lib, pkgs, ... }:`
			`with lib;`

			`let`
			`apparmorEnabled = config.security.apparmor.enable;`
			`dnscrypt-proxy = pkgs.dnscrypt-proxy;`
			`cfg = config.services.dnscrypt-proxy;`
nixos: additional hardening for dnscrypt-proxy - Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space 2015-03-15 22:19:48 +01:00			`resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";`
dnscrypt-proxy: minor superficial improvements - Use upstream description and explicitly set platforms = all - Coding conventions fix 2014-11-21 15:42:11 +01:00			`daemonArgs =`
nixos: additional hardening for dnscrypt-proxy - Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space 2015-03-15 22:19:48 +01:00			`[ "--local-address=${cfg.localAddress}:${toString cfg.port}"`
dnscrypt-proxy: minor superficial improvements - Use upstream description and explicitly set platforms = all - Coding conventions fix 2014-11-21 15:42:11 +01:00			`(optionalString cfg.tcpOnly "--tcp-only")`
nixos: additional hardening for dnscrypt-proxy - Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space 2015-03-15 22:19:48 +01:00			`"--resolvers-list=${resolverListFile}"`
dnscrypt-proxy: minor superficial improvements - Use upstream description and explicitly set platforms = all - Coding conventions fix 2014-11-21 15:42:11 +01:00			`"--resolver-name=${cfg.resolverName}"`
			`];`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`in`

			`{`
			`##### interface`

			`options = {`

			`services.dnscrypt-proxy = {`

			`enable = mkOption {`
			`default = false;`
			`type = types.bool;`
			`description = ''`
			`Enable dnscrypt-proxy.`
			`The proxy relays regular DNS queries to a DNSCrypt enabled`
			`upstream resolver.`
			`The traffic between the client and the upstream resolver is`
			`encrypted and authenticated, which may mitigate the risk of MITM`
			`attacks and third-party snooping (assuming the upstream is`
			`trustworthy).`
			`'';`
			`};`

			`localAddress = mkOption {`
			`default = "127.0.0.1";`
			`type = types.string;`
			`description = ''`
			`Listen for DNS queries on this address.`
			`'';`
			`};`

			`port = mkOption {`
			`default = 53;`
			`type = types.int;`
			`description = ''`
			`Listen on this port.`
			`'';`
			`};`

			`resolverName = mkOption {`
			`default = "opendns";`
			`type = types.string;`
			`description = ''`
nixos: additional hardening for dnscrypt-proxy - Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space 2015-03-15 22:19:48 +01:00			`The name of the upstream DNSCrypt resolver to use. See`
			`<literal>${resolverListFile}</literal> for alternative resolvers`
			`(e.g., if you are concerned about logging and/or server`
			`location).`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`'';`
			`};`

			`tcpOnly = mkOption {`
			`default = false;`
			`type = types.bool;`
			`description = ''`
			`Force sending encrypted DNS queries to the upstream resolver`
			`over TCP instead of UDP (on port 443).`
			`Enabling this option may help circumvent filtering, but should`
			`not be used otherwise.`
			`'';`
			`};`

			`};`

			`};`

			`##### implementation`

			`config = mkIf cfg.enable {`

			`### AppArmor profile`

			`security.apparmor.profiles = mkIf apparmorEnabled [`
			`(pkgs.writeText "apparmor-dnscrypt-proxy" ''`

dnscrypt-proxy service: update AppArmor profile This patch fixes the AppArmor profile path clause and adds (currently ignored) network rules. The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy, but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink to bin), which permitted the service to run unconfined. Adding the network rules has no effect other than improving correctness, as the version of AppArmor in the NixOS kernel fails to enforce network rules. 2015-01-09 13:57:04 +01:00			`${dnscrypt-proxy}/bin/dnscrypt-proxy {`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00
			`/dev/null rw,`
			`/dev/urandom r,`

nixos: permit dnscrypt-proxy service to read basic user/group info If nscd is not running, dnscrypt-proxy crashes without read access to /etc/{password,group,nsswitch.conf}. 2015-02-23 18:02:12 +01:00			`/etc/passwd r,`
			`/etc/group r,`
			`${config.environment.etc."nsswitch.conf".source} r,`

Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`${pkgs.glibc}/lib/*.so mr,`
			`${pkgs.tzdata}/share/zoneinfo/** r,`

nixos: additional hardening for dnscrypt-proxy - Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space 2015-03-15 22:19:48 +01:00			`network inet stream,`
			`network inet6 stream,`
			`network inet dgram,`
			`network inet6 dgram,`

rename occurrences of gcc.gcc to gcc.cc 2015-01-15 05:44:00 +01:00			`${pkgs.gcc.cc}/lib/libssp.so.* mr,`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`${pkgs.libsodium}/lib/libsodium.so.* mr,`
nixos: implement socket-activation for dnscrypt-proxy The socket definition is derived from upstream with the exception that it does not depend on network.target, as this creates a cycle between basic.target and sockets.target. The apparmor profile has been updated to account for additional runtime dependencies introduced by enabling systemd support. 2015-03-07 19:13:12 +01:00			`${pkgs.systemd}/lib/libsystemd.so.* mr,`
			`${pkgs.xz}/lib/liblzma.so.* mr,`
			`${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,`
			`${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,`
nixos: additional hardening for dnscrypt-proxy - Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space 2015-03-15 22:19:48 +01:00
			`${resolverListFile} r,`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`}`
			`'')`
			`];`

nixos: additional hardening for dnscrypt-proxy - Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space 2015-03-15 22:19:48 +01:00			`users.extraUsers.dnscrypt-proxy = {`
			`uid = config.ids.uids.dnscrypt-proxy;`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`description = "dnscrypt-proxy daemon user";`
			`};`
nixos: additional hardening for dnscrypt-proxy - Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space 2015-03-15 22:19:48 +01:00			`users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00
nixos: implement socket-activation for dnscrypt-proxy The socket definition is derived from upstream with the exception that it does not depend on network.target, as this creates a cycle between basic.target and sockets.target. The apparmor profile has been updated to account for additional runtime dependencies introduced by enabling systemd support. 2015-03-07 19:13:12 +01:00			`## derived from upstream dnscrypt-proxy.socket`
			`systemd.sockets.dnscrypt-proxy = {`
			`description = "dnscrypt-proxy listening socket";`

			`socketConfig = {`
			`ListenStream = "${cfg.localAddress}:${toString cfg.port}";`
			`ListenDatagram = "${cfg.localAddress}:${toString cfg.port}";`
			`};`

			`wantedBy = [ "sockets.target" ];`
			`};`

			`# derived from upstream dnscrypt-proxy.service`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`systemd.services.dnscrypt-proxy = {`
			`description = "dnscrypt-proxy daemon";`
			`after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";`
nixos: implement socket-activation for dnscrypt-proxy The socket definition is derived from upstream with the exception that it does not depend on network.target, as this creates a cycle between basic.target and sockets.target. The apparmor profile has been updated to account for additional runtime dependencies introduced by enabling systemd support. 2015-03-07 19:13:12 +01:00			`requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`serviceConfig = {`
nixos: implement socket-activation for dnscrypt-proxy The socket definition is derived from upstream with the exception that it does not depend on network.target, as this creates a cycle between basic.target and sockets.target. The apparmor profile has been updated to account for additional runtime dependencies introduced by enabling systemd support. 2015-03-07 19:13:12 +01:00			`Type = "simple";`
			`## note: NonBlocking is required for socket activation to work`
			`NonBlocking = "true";`
dnscrypt-proxy service: update AppArmor profile This patch fixes the AppArmor profile path clause and adds (currently ignored) network rules. The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy, but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink to bin), which permitted the service to run unconfined. Adding the network rules has no effect other than improving correctness, as the version of AppArmor in the NixOS kernel fails to enforce network rules. 2015-01-09 13:57:04 +01:00			`ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";`
nixos: additional hardening for dnscrypt-proxy - Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space 2015-03-15 22:19:48 +01:00			`User = "dnscrypt-proxy";`
			`Group = "dnscrypt-proxy";`
			`PrivateTmp = true;`
			`PrivateDevices = true;`
Add dnscrypt-proxy service The dnscrypt-proxy service relays regular DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, which may mitigate the risk of MITM attacks and third-party snooping (assuming a trustworthy upstream). Though dnscrypt-proxy can run as a standalone DNS client, the recommended setup is to use it as a forwarder for a caching DNS client. To use dnscrypt-proxy as a forwarder for dnsmasq, do ```nix { # ... networking.nameservers = [ "127.0.0.1" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localAddress = "127.0.0.1"; services.dnscrypt-proxy.port = 40; services.dnsmasq.enable = true; services.dnsmasq.extraConfig = '' no-resolv server=127.0.0.1#40 listen-address=127.0.0.1 ''; # ... } ``` 2014-11-11 20:12:28 +01:00			`};`
			`};`

			`};`
			`}`