services/dnscrypt-proxy: init

modules/module-list.nix

@@ -62,6 +62,7 @@
   ./services/chunkwm.nix
   ./services/cachix-agent.nix
   ./services/dnsmasq.nix
+  ./services/dnscrypt-proxy.nix
   ./services/emacs.nix
   ./services/eternal-terminal.nix
   ./services/github-runner

modules/services/dnscrypt-proxy.nix

@@ -0,0 +1,76 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+with lib;
+
+let
+
+  cfg = config.services.dnscrypt-proxy;
+
+  format = pkgs.formats.toml { };
+
+  configFile = format.generate "dnscrypt-proxy.toml" cfg.settings;
+
+in
+
+{
+  options.services.dnscrypt-proxy = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to enable the dnscrypt-proxy service.";
+    };
+
+    package = mkOption {
+      type = types.path;
+      default = pkgs.dnscrypt-proxy2;
+      defaultText = "pkgs.dnscrypt-proxy2";
+      description = "This option specifies the dnscrypt-proxy package to use";
+    };
+
+    settings = mkOption {
+      type = format.type;
+
+      default = {
+        listen_addresses = [ "127.0.0.1:53" ];
+        doh_servers = true;
+        dnscrypt_servers = true;
+        ipv4_servers = true;
+        ipv6_servers = true;
+        sources.public-resolvers = {
+          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+          refresh_delay = 72;
+          prefix = "";
+          urls = [
+            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+            "https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+          ];
+        };
+      };
+
+      description = ''
+        This option specifies the dnscrypt-proxy settings to use
+
+        More details can be found at https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    launchd.daemons.dnscrypt-proxy = {
+      script = ''
+        ${getExe' cfg.package "dnscrypt-proxy"} -config ${configFile}
+      '';
+      serviceConfig = {
+        RunAtLoad = true;
+        KeepAlive = true;
+      };
+    };
+  };
+
+}

release.nix

@@ -103,6 +103,7 @@ in {
   tests.sockets-nix-daemon = makeTest ./tests/sockets-nix-daemon.nix;
   tests.services-aerospace = makeTest ./tests/services-aerospace.nix;
   tests.services-dnsmasq = makeTest ./tests/services-dnsmasq.nix;
+  tests.services-dnscrypt-proxy = makeTest ./tests/services-dnscrypt-proxy.nix;
   tests.services-eternal-terminal = makeTest ./tests/services-eternal-terminal.nix;
   tests.services-nix-gc = makeTest ./tests/services-nix-gc.nix;
   tests.services-nix-optimise = makeTest ./tests/services-nix-optimise.nix;

tests/services-dnscrypt-proxy.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  dnscrypt-proxy = pkgs.runCommand "dnscrypt-proxy-0.0.0" { } "mkdir $out";
+in
+{
+  services.dnscrypt-proxy.enable = true;
+  services.dnscrypt-proxy.package = dnscrypt-proxy;
+
+  test = ''
+    echo >&2 "checking dnscrypt-proxy service in /Library/LaunchDaemons"
+    grep "org.nixos.dnscrypt-proxy" ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist
+    grep "${dnscrypt-proxy}/bin/dnscrypt-proxy" ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist
+
+    # wait4path is very important, because we need `/nix/store` before run this services
+    grep "/bin/wait4path" ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist
+  '';
+}