Merge pull request #245852 from rnhmjoj/pr-fix-dnscrypt

dnscrypt-wrapper fixes
2023-08-08 10:34:27 +02:00 · 2023-08-08 10:34:27 +02:00 · ccc33bd3d7
parent 8f1e7a5db5 4cd4b1b166
commit ccc33bd3d7
4 changed files with 22 additions and 24 deletions
--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@ -71,9 +71,9 @@ let
    if ! keyValid; then
      echo "certificate soon to become invalid; backing up old cert"
      mkdir -p oldkeys
-      mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
-      mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
-      systemctl restart dnscrypt-wrapper
+      mv -v "${cfg.providerName}.key" "oldkeys/${cfg.providerName}-$(date +%F-%T).key"
+      mv -v "${cfg.providerName}.crt" "oldkeys/${cfg.providerName}-$(date +%F-%T).crt"
+      kill "$(pidof -s dnscrypt-wrapper)"
    fi
  '';

@ -222,17 +222,6 @@ in {
    };
    users.groups.dnscrypt-wrapper = { };

-    security.polkit.extraConfig = ''
-      // Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service
-      polkit.addRule(function(action, subject) {
-          if (action.id == "org.freedesktop.systemd1.manage-units" &&
-              action.lookup("unit") == "dnscrypt-wrapper.service" &&
-              subject.user == "dnscrypt-wrapper") {
-              return polkit.Result.YES;
-          }
-        });
-    '';
-
    systemd.services.dnscrypt-wrapper = {
      description = "dnscrypt-wrapper daemon";
      after    = [ "network.target" ];
@ -242,7 +231,7 @@ in {
      serviceConfig = {
        User = "dnscrypt-wrapper";
        WorkingDirectory = dataDir;
-        Restart   = "on-failure";
+        Restart   = "always";
        ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}";
      };

@ -255,7 +244,7 @@ in {
      requires = [ "dnscrypt-wrapper.service" ];
      description = "Rotates DNSCrypt wrapper keys if soon to expire";

-      path   = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ];
+      path   = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk procps ];
      script = rotateKeys;
      serviceConfig.User = "dnscrypt-wrapper";
    };
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -217,7 +217,7 @@ in {
  disable-installer-tools = handleTest ./disable-installer-tools.nix {};
  discourse = handleTest ./discourse.nix {};
  dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};
-  dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {};
+  dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper;
  dnsdist = handleTest ./dnsdist.nix {};
  doas = handleTest ./doas.nix {};
  docker = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker.nix {};
--- a/nixos/tests/dnscrypt-wrapper/default.nix
+++ b/nixos/tests/dnscrypt-wrapper/default.nix
@ -1,4 +1,6 @@
-import ../make-test-python.nix ({ pkgs, ... }: {
+{ lib, pkgs, ... }:
+
+{
  name = "dnscrypt-wrapper";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ rnhmjoj ];
@ -50,23 +52,23 @@ import ../make-test-python.nix ({ pkgs, ... }: {
        server.wait_for_unit("dnscrypt-wrapper")
        server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.key")
        server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.crt")
+        almost_expiration = server.succeed("date --date '4days 23 hours 56min'").strip()

    with subtest("The client can connect to the server"):
        server.wait_for_unit("tinydns")
        client.wait_for_unit("dnscrypt-proxy2")
-        assert "1.2.3.4" in client.succeed(
+        assert "1.2.3.4" in client.wait_until_succeeds(
            "host it.works"
        ), "The IP address of 'it.works' does not match 1.2.3.4"

    with subtest("The server rotates the ephemeral keys"):
        # advance time by a little less than 5 days
-        server.succeed("date -s \"$(date --date '4 days 6 hours')\"")
-        client.succeed("date -s \"$(date --date '4 days 6 hours')\"")
+        server.succeed(f"date -s '{almost_expiration}'")
+        client.succeed(f"date -s '{almost_expiration}'")
        server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys")

    with subtest("The client can still connect to the server"):
        server.wait_for_unit("dnscrypt-wrapper")
        client.succeed("host it.works")
  '';
-})
-
+}
--- a/pkgs/tools/networking/dnscrypt-wrapper/default.nix
+++ b/pkgs/tools/networking/dnscrypt-wrapper/default.nix
@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libsodium, libevent }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libsodium, libevent, nixosTests }:

 stdenv.mkDerivation rec {
  pname = "dnscrypt-wrapper";
@ -13,9 +13,16 @@ stdenv.mkDerivation rec {

  enableParallelBuilding = true;

+  # causes `dnscrypt-wrapper --gen-provider-keypair` to crash
+  hardeningDisable = [ "fortify3" ];
+
  nativeBuildInputs = [ pkg-config autoreconfHook ];
  buildInputs = [ libsodium libevent ];

+  passthru.tests = {
+    inherit (nixosTests) dnscrypt-wrapper;
+  };
+
  meta = with lib; {
    description = "A tool for adding dnscrypt support to any name resolver";
    homepage = "https://dnscrypt.info/";