From 6d08a3883f74bb4da601056ddf8c5c9ed422f442 Mon Sep 17 00:00:00 2001
From: Asmir A
Date: Sun, 12 May 2024 15:44:59 +0200
Subject: [PATCH] nixy/dnscrypt2: add separate service for wg netns
---
 nixy/configuration.nix | 52 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
diff --git a/nixy/configuration.nix b/nixy/configuration.nix
index 8fb7b24..c58959a 100644
--- a/nixy/configuration.nix
+++ b/nixy/configuration.nix
@@ -243,6 +243,58 @@
 };
 };
+ "dnscrypt-proxy2_proton" = {
+ description = "DNSCrypt-proxy client proton";
+ wants = [
+ "network-online.target"
+ "nss-lookup.target"
+ ];
+ before = [
+ "nss-lookup.target"
+ ];
+ after = ["wg_proton.service"];
+ bindsTo = ["netns@wg.service"];
+ serviceConfig = {
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ CacheDirectory = "dnscrypt-proxy";
+ DynamicUser = true;
+ ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${config.services.dnscrypt-proxy2.configFile}";
+ LockPersonality = true;
+ LogsDirectory = "dnscrypt-proxy";
+ MemoryDenyWriteExecute = true;
+ NetworkNamespacePath = "/var/run/netns/wg";
+ NonBlocking = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ Restart = "always";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RuntimeDirectory = "dnscrypt-proxy";
+ StateDirectory = "dnscrypt-proxy";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "@chown"
+ "~@aio"
+ "~@keyring"
+ "~@memlock"
+ "~@setuid"
+ "~@timer"
+ ];
+ };
+ };
 };
 extraConfig = ''
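Review bot: `bindsTo = ["netns@wg.service"]` is not paired with an `after` entry for that same unit, so nothing orders this service behind the unit that creates `/var/run/netns/wg`; systemd's documentation says BindsTo= should be combined with After= for exactly this reason, and without it `NetworkNamespacePath` can race the namespace setup on boot and fail the service. I would change the ordering line to `after = ["netns@wg.service" "wg_proton.service"];`. Separately, `CacheDirectory`, `StateDirectory`, `RuntimeDirectory` and `LogsDirectory` all reuse the name `dnscrypt-proxy` under `DynamicUser = true`; if the stock dnscrypt-proxy2 service uses the same names (it presumably does, since `ExecStart` reuses `config.services.dnscrypt-proxy2.configFile`), two DynamicUser services will contend for ownership of one state directory, as systemd re-chowns it to whichever unit started last, so distinct names such as `dnscrypt-proxy-proton` are safer, and any cache or file paths inside that shared config would then need a per-instance config as well. The enclosing `systemd.services` attribute set starts before and ends after this hunk.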