author | Michele Guerini Rocco <rnhmjoj@users.noreply.github.com> | 2023-08-08 10:34:27 +0200 |
committer | GitHub <noreply@github.com> | 2023-08-08 10:34:27 +0200 |
commit | ccc33bd3d70cfd8fec50576a626173c296ebee60 (patch) | |
tree | 60fb692664a26871e9bf2cfc97188e612b3623ab /nixos | |
parent | 8f1e7a5db59fe2bebec0690f64e1cf5b247539e4 (diff) | |
parent | 4cd4b1b166d7ac2e8135f70e9456fa9babd356f1 (diff) |
Merge pull request #245852 from rnhmjoj/pr-fix-dnscrypt
dnscrypt-wrapper fixes
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-wrapper.nix | 21 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 2 | ||||
-rw-r--r-- | nixos/tests/dnscrypt-wrapper/default.nix | 14 |
3 files changed, 14 insertions, 23 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix
index 082e0195093ef..741f054cd88be 100644
--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -71,9 +71,9 @@ let
 if ! keyValid; then
 echo "certificate soon to become invalid; backing up old cert"
 mkdir -p oldkeys
- mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
- mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
- systemctl restart dnscrypt-wrapper
+ mv -v "${cfg.providerName}.key" "oldkeys/${cfg.providerName}-$(date +%F-%T).key"
+ mv -v "${cfg.providerName}.crt" "oldkeys/${cfg.providerName}-$(date +%F-%T).crt"
+ kill "$(pidof -s dnscrypt-wrapper)"
 fi
 '';
 
@@ -222,17 +222,6 @@ in {
 };
 users.groups.dnscrypt-wrapper = { };
 
- security.polkit.extraConfig = ''
- // Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service
- polkit.addRule(function(action, subject) {
- if (action.id == "org.freedesktop.systemd1.manage-units" &&
- action.lookup("unit") == "dnscrypt-wrapper.service" &&
- subject.user == "dnscrypt-wrapper") {
- return polkit.Result.YES;
- }
- });
- '';
-
 systemd.services.dnscrypt-wrapper = {
 description = "dnscrypt-wrapper daemon";
 after = [ "network.target" ];
@@ -242,7 +231,7 @@ in {
 serviceConfig = {
 User = "dnscrypt-wrapper";
 WorkingDirectory = dataDir;
- Restart = "on-failure";
+ Restart = "always";
 ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}";
 };
 
@@ -255,7 +244,7 @@ in {
 
 requires = [ "dnscrypt-wrapper.service" ];
 description = "Rotates DNSCrypt wrapper keys if soon to expire";
- path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ];
+ path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk procps ];
 script = rotateKeys;
 serviceConfig.User = "dnscrypt-wrapper";
 };
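Review bot: `kill "$(pidof -s dnscrypt-wrapper)"` in the first hunk has no fallback for the case where pidof finds no process: the substitution expands to an empty string, `kill ""` fails, and if the rotation script runs with errexit (not visible in the hunk) it aborts after the key and certificate have already been moved to oldkeys. With procps now on the unit's path (last hunk), `pkill -x dnscrypt-wrapper || true`, or `pid=$(pidof -s dnscrypt-wrapper) && kill "$pid"`, keeps the rotation tolerant of the daemon being down, which `Restart = "always"` in the third hunk is meant to recover from anyway. Dropping the polkit `manage-units` grant in the second hunk is a sound tightening: the service user no longer holds systemd unit-management rights, and the unprivileged kill can only reach processes it owns. The rotateKeys script and the service definitions continue outside these hunks.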
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 351193789dac8..06d63b4f2d07e 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -217,7 +217,7 @@ in {
 disable-installer-tools = handleTest ./disable-installer-tools.nix {};
 discourse = handleTest ./discourse.nix {};
 dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};
- dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {};
+ dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper;
 dnsdist = handleTest ./dnsdist.nix {};
 doas = handleTest ./doas.nix {};
 docker = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker.nix {};
diff --git a/nixos/tests/dnscrypt-wrapper/default.nix b/nixos/tests/dnscrypt-wrapper/default.nix
index 1bdd064e1130c..1c05376e097b3 100644
--- a/nixos/tests/dnscrypt-wrapper/default.nix
+++ b/nixos/tests/dnscrypt-wrapper/default.nix
@@ -1,4 +1,6 @@
-import ../make-test-python.nix ({ pkgs, ... }: {
+{ lib, pkgs, ... }:
+
+{
 name = "dnscrypt-wrapper";
 meta = with pkgs.lib.maintainers; {
 maintainers = [ rnhmjoj ];
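Review bot: The new module header `{ lib, pkgs, ... }:` in the dnscrypt-wrapper/default.nix hunk binds `lib`, yet the context line right below still reaches through `pkgs.lib.maintainers`; the conventional form for a test written as a plain module is `meta = with lib.maintainers; {`. Whether `lib` is used further down the file is outside this hunk, so this is a style point only. The all-tests.nix hunk is a harness change and needs nothing.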
@@ -50,23 +52,23 @@ import ../make-test-python.nix ({ pkgs, ... }: {
 server.wait_for_unit("dnscrypt-wrapper")
 server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.key")
 server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.crt")
+ almost_expiration = server.succeed("date --date '4days 23 hours 56min'").strip()
 
 with subtest("The client can connect to the server"):
 server.wait_for_unit("tinydns")
 client.wait_for_unit("dnscrypt-proxy2")
- assert "1.2.3.4" in client.succeed(
+ assert "1.2.3.4" in client.wait_until_succeeds(
 "host it.works"
 ), "The IP address of 'it.works' does not match 1.2.3.4"
 
 with subtest("The server rotates the ephemeral keys"):
 # advance time by a little less than 5 days
- server.succeed("date -s \"$(date --date '4 days 6 hours')\"")
- client.succeed("date -s \"$(date --date '4 days 6 hours')\"")
+ server.succeed(f"date -s '{almost_expiration}'")
+ client.succeed(f"date -s '{almost_expiration}'")
 server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys")
 
 with subtest("The client can still connect to the server"):
 server.wait_for_unit("dnscrypt-wrapper")
 client.succeed("host it.works")
 '';
-})
-
+} |
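Review bot: `server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys")` is satisfied as soon as the rotation script runs `mkdir -p oldkeys`, which in the module hunk happens before the key/cert are moved and before the daemon is killed, so the following subtest can observe the old, not-yet-restarted daemon and "still connects" may pass before the rotated key is in effect. Waiting for the backed-up key instead, e.g. `server.wait_until_succeeds("ls /var/lib/dnscrypt-wrapper/oldkeys/2.dnscrypt-cert.server-*.key")`, anchors the check after the `mv`; a brief `server.wait_until_succeeds("systemctl is-active dnscrypt-wrapper")` before the final `host` would then cover the restart. Computing `almost_expiration` once and applying it to both machines is an improvement over the two independent `date` calls it replaces. Whether the rotate timer fires within the roughly four-minute window left before expiry is not visible in this hunk.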