nixos/dnscrypt-wrapper: avoid using polkit

rnhmjoj 2023-07-21 12:02:00 +02:00
parent f65d93f9f8
commit c7c288fbd5
No known key found for this signature in database
GPG key ID: BFBAF4C975F76450


@ -71,9 +71,9 @@ let
if ! keyValid; then if ! keyValid; then
echo "certificate soon to become invalid; backing up old cert" echo "certificate soon to become invalid; backing up old cert"
mkdir -p oldkeys mkdir -p oldkeys
mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key mv -v "${cfg.providerName}.key" "oldkeys/${cfg.providerName}-$(date +%F-%T).key"
mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt mv -v "${cfg.providerName}.crt" "oldkeys/${cfg.providerName}-$(date +%F-%T).crt"
systemctl restart dnscrypt-wrapper kill "$(pidof -s dnscrypt-wrapper)"
fi fi
''; '';
@ -222,17 +222,6 @@ in {
}; };
users.groups.dnscrypt-wrapper = { }; users.groups.dnscrypt-wrapper = { };
security.polkit.extraConfig = ''
// Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "dnscrypt-wrapper.service" &&
subject.user == "dnscrypt-wrapper") {
return polkit.Result.YES;
}
});
'';
systemd.services.dnscrypt-wrapper = { systemd.services.dnscrypt-wrapper = {
description = "dnscrypt-wrapper daemon"; description = "dnscrypt-wrapper daemon";
after = [ "network.target" ]; after = [ "network.target" ];
@ -242,7 +231,7 @@ in {
serviceConfig = { serviceConfig = {
User = "dnscrypt-wrapper"; User = "dnscrypt-wrapper";
WorkingDirectory = dataDir; WorkingDirectory = dataDir;
Restart = "on-failure"; Restart = "always";
ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}"; ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}";
}; };
@ -255,7 +244,7 @@ in {
requires = [ "dnscrypt-wrapper.service" ]; requires = [ "dnscrypt-wrapper.service" ];
description = "Rotates DNSCrypt wrapper keys if soon to expire"; description = "Rotates DNSCrypt wrapper keys if soon to expire";
path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ]; path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk procps ];
script = rotateKeys; script = rotateKeys;
serviceConfig.User = "dnscrypt-wrapper"; serviceConfig.User = "dnscrypt-wrapper";
}; };
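Review bot: The new `kill "$(pidof -s dnscrypt-wrapper)"` in the rotateKeys script selects the daemon by process name and has no guard for an empty result, so if the daemon is not running at that instant `kill` receives an empty argument and fails after the key and certificate have already been moved to oldkeys. A guarded form such as `if pid="$(pidof -s dnscrypt-wrapper)"; then kill "$pid"; fi` avoids that, and reading the unit's own PID with `systemctl show -p MainPID --value dnscrypt-wrapper.service` would tie the signal to the service rather than to any same-named process owned by this user. The restart now depends entirely on `Restart = "always"` in the service hunk further down, which deserves a comment there, e.g. `# rotateKeys terminates the daemon to pick up new keys; systemd must bring it back`. The script body starts above the first hunk, so whether it runs under errexit is not visible here.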