nixos/dnscrypt-proxy: replace unimportant options with extraArgs

Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability.  Until
17.09 we'll automatically translate these options into extraArgs
for convenience.

Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
This commit is contained in:
Joachim Fasting 2017-03-10 15:36:13 +01:00
parent 9325c3a616
commit 719813caf6
No known key found for this signature in database
GPG key ID: 7544761007FE4E08

View file

@ -6,8 +6,6 @@ let
stateDirectory = "/var/lib/dnscrypt-proxy";
localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
# The minisign public key used to sign the upstream resolver list.
# This is somewhat more flexible than preloading the key as an
# embedded string.
@ -16,31 +14,36 @@ let
sha256 = "18lnp8qr6ghfc2sd46nn1rhcpr324fqlvgsp4zaigw396cd7vnnh";
};
# Internal flag indicating whether the upstream resolver list is used
# Internal flag indicating whether the upstream resolver list is used.
useUpstreamResolverList = cfg.resolverList == null && cfg.customResolver == null;
# The final local address.
localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
# The final resolvers list path.
resolverList =
if (cfg.resolverList != null)
then cfg.resolverList
else "${stateDirectory}/dnscrypt-resolvers.csv";
resolverArgs = if (cfg.customResolver != null)
then
[ "--resolver-address=${cfg.customResolver.address}:${toString cfg.customResolver.port}"
"--provider-name=${cfg.customResolver.name}"
"--provider-key=${cfg.customResolver.key}"
]
else
[ "--resolvers-list=${resolverList}"
"--resolver-name=${cfg.resolverName}"
];
# Build daemon command line
resolverArgs =
if (cfg.customResolver == null)
then
[ "-L ${resolverList}"
"-R ${cfg.resolverName}"
]
else with cfg.customResolver;
[ "-N ${name}"
"-k ${key}"
"-r ${address}:${toString port}"
];
# The final command line arguments passed to the daemon
daemonArgs =
[ "--local-address=${localAddress}" ]
++ optional cfg.tcpOnly "--tcp-only"
++ optional cfg.ephemeralKeys "-E"
++ resolverArgs;
[ "-a ${localAddress}" ]
++ resolverArgs
++ cfg.extraArgs;
in
{
@ -50,6 +53,9 @@ in
};
options = {
# Before adding another option, consider whether it could
# equally well be passed via extraArgs.
services.dnscrypt-proxy = {
enable = mkOption {
default = false;
@ -131,24 +137,13 @@ in
}; }));
};
tcpOnly = mkOption {
default = false;
type = types.bool;
extraArgs = mkOption {
default = [];
type = types.listOf types.str;
description = ''
Force sending encrypted DNS queries to the upstream resolver over
TCP instead of UDP (on port 443). Use only if the UDP port is blocked.
'';
};
ephemeralKeys = mkOption {
default = false;
type = types.bool;
description = ''
Compute a new key pair for every query. Enabling this option
increases CPU usage, but makes it more difficult for the upstream
resolver to track your usage of their service across IP addresses.
The default is to re-use the public key pair for all queries, making
tracking trivial.
Additional command-line arguments passed verbatim to the daemon.
See <citerefentry><refentrytitle>dnscrypt-proxy</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> for details.
'';
};
};
@ -309,5 +304,19 @@ in
imports = [
(mkRenamedOptionModule [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ])
(mkChangedOptionModule
[ "services" "dnscrypt-proxy" "tcpOnly" ]
[ "services" "dnscrypt-proxy" "extraArgs" ]
(config:
let val = getAttrFromPath [ "services" "dnscrypt-proxy" "tcpOnly" ] config; in
optional val "-T"))
(mkChangedOptionModule
[ "services" "dnscrypt-proxy" "ephemeralKeys" ]
[ "services" "dnscrypt-proxy" "extraArgs" ]
(config:
let val = getAttrFromPath [ "services" "dnscrypt-proxy" "ephemeralKeys" ] config; in
optional val "-E"))
];
}