From eca3ef8203d95e1cac1bbb6166dfe317d01564c3 Mon Sep 17 00:00:00 2001
From: MeganerdNL
Date: Sun, 30 Jul 2023 13:40:26 +0200
Subject: [PATCH] New package: encrypted-dns

---
 srcpkgs/encrypted-dns/INSTALL | 10 +
 .../encrypted-dns/files/encrypted-dns.toml | 255 ++++++++++++++++++
 srcpkgs/encrypted-dns/files/encrypted-dns/run | 3 +
 .../encrypted-dns/patches/cargo-lock.patch | 11 +
 srcpkgs/encrypted-dns/template | 38 +++
 5 files changed, 317 insertions(+)
 create mode 100644 srcpkgs/encrypted-dns/INSTALL
 create mode 100644 srcpkgs/encrypted-dns/files/encrypted-dns.toml
 create mode 100755 srcpkgs/encrypted-dns/files/encrypted-dns/run
 create mode 100644 srcpkgs/encrypted-dns/patches/cargo-lock.patch
 create mode 100644 srcpkgs/encrypted-dns/template
diff --git a/srcpkgs/encrypted-dns/INSTALL b/srcpkgs/encrypted-dns/INSTALL
new file mode 100644
index 000000000000..5dda7e1e618a
--- /dev/null
+++ b/srcpkgs/encrypted-dns/INSTALL
@@ -0,0 +1,10 @@
+case "$ACTION" in
+ post)
+ if [ "$UPDATE" = "yes" ] ; then
+ :
+ else
+ chown _encrypted_dns:_encrypted_dns var/lib/encrypted-dns
+ chmod 750 var/lib/encrypted-dns
+ fi
+ ;;
+esac
diff --git a/srcpkgs/encrypted-dns/files/encrypted-dns.toml b/srcpkgs/encrypted-dns/files/encrypted-dns.toml
new file mode 100644
index 000000000000..063e776b4833
--- /dev/null
+++ b/srcpkgs/encrypted-dns/files/encrypted-dns.toml
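Review bot: The `chown`/`chmod 750` on `var/lib/encrypted-dns` runs only when `$UPDATE` is not `yes`, so an upgrade never re-applies them if the directory's ownership or mode has drifted, and the `if … then : else … fi` shape is an inverted condition that reads more directly as `if [ "$UPDATE" != "yes" ]; then`. The shipped config points `state_file` into that directory, which is presumably why it has to be owned by `_encrypted_dns`; if that must hold on every install rather than only the first, drop the `UPDATE` test altogether. In void-packages the same outcome is usually expressed in the template as `make_dirs="/var/lib/encrypted-dns 0750 _encrypted_dns _encrypted_dns"` instead of a hand-written INSTALL, though I have not verified how that interacts with `post_install` also placing `undelegated.txt` in the same directory.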
@@ -0,0 +1,255 @@
+####################################################
+# #
+# Encrypted DNS Server configuration #
+# #
+####################################################
+
+
+
+##################################
+# Global settings #
+##################################
+
+
+## IP addresses and ports to listen to, as well as their external IP
+## If there is no NAT involved, `local` and `external` can be the same.
+## As many addresses as needed can be configured here, IPv4 and/or IPv6.
+## You should at least change the `external` IP address.
+
+### Example with both IPv4 and IPv6 addresses:
+# listen_addrs = [
+# { local = "0.0.0.0:443", external = "198.51.100.1:443" },
+# { local = "[::]:443", external = "[2001:db8::1]:443" }
+# ]
+
+listen_addrs = [
+ { local = "0.0.0.0:443", external = "198.51.100.1:443" }
+]
+
+
+## Upstream DNS server and port
+
+upstream_addr = "9.9.9.9:53"
+
+
+## File name to save the state to
+
+state_file = "/var/lib/encrypted-dns/encrypted-dns.state"
+
+
+## UDP timeout in seconds
+
+udp_timeout = 10
+
+
+## TCP timeout in seconds
+
+tcp_timeout = 10
+
+
+## Maximum active UDP sockets
+
+udp_max_active_connections = 1000
+
+
+## Maximum active TCP connections
+
+tcp_max_active_connections = 250
+
+
+## Optional IP address to connect to upstream servers from.
+## Leave commented/undefined to automatically select it.
+
+# external_addr = "0.0.0.0"
+
+
+## Built-in DNS cache capacity
+
+cache_capacity = 100000
+
+
+## DNS cache: minimum TTL
+
+cache_ttl_min = 3600
+
+
+## DNS cache: max TTL
+
+cache_ttl_max = 86400
+
+
+## DNS cache: error TTL
+
+cache_ttl_error = 600
+
+
+## DNS cache: to avoid bursts of traffic for popular queries when an
+## RRSET expires, hold a TTL received from an upstream server for
+## `client_ttl_holdon` seconds before decreasing it in client responses.
+
+client_ttl_holdon = 60
+
+
+## Run as a background process
+
+daemonize = false
+
+
+## Log file, when running as a background process
+
+# log_file = "/tmp/encrypted-dns.log"
+
+
+## PID file
+
+# pid_file = "/tmp/encrypted-dns.pid"
+
+
+## User name to drop privileges to, when started as root.
+
+user = "_encrypted_dns"
+
+
+## Group name to drop privileges to, when started as root.
+
+group = "_encrypted_dns"
+
+
+## Path to chroot() to, when started as root.
+## The path to the state file is relative to the chroot base.
+
+# chroot = "/var/empty"
+
+
+## Queries sent to that name will return the client IP address.
+## This can be very useful for debugging, or to check that relaying works.
+
+# my_ip = "my.ip"
+
+
+####################################
+# DNSCrypt settings #
+####################################
+
+[dnscrypt]
+
+## Provider name (with or without the `2.dnscrypt-cert.` prefix)
+
+provider_name = "secure.dns.test"
+
+
+## Does the server support DNSSEC?
+
+dnssec = true
+
+
+## Does the server always returns correct answers (no filtering, including ad blocking)?
+
+no_filters = true
+
+
+## Set to `true` if the server doesn't keep any information that can be used to identify users
+
+no_logs = true
+
+
+## Key cache capacity, per certificate
+
+key_cache_capacity = 10000
+
+
+
+###############################
+# TLS settings #
+###############################
+
+[tls]
+
+## Where to proxy TLS connections to (e.g. DoH server)
+
+# upstream_addr = "127.0.0.1:4343"
+
+
+
+#######################################
+# Server-side filtering #
+#######################################
+
+[filtering]
+
+## List of domains to block, one per line
+
+# domain_blacklist = "/etc/domain_blacklist.txt"
+
+
+## List of undelegated TLDs
+## This is the list of nonexistent TLDs that queries are frequently observed for,
+## but will never resolve to anything. The server will immediately return a
+## synthesized NXDOMAIN response instead of hitting root servers.
+
+undelegated_list = "/var/lib/encrypted-dns/undelegated.txt"
+
+
+## Ignore A and AAAA queries for unqualified host names.
+
+ignore_unqualified_hostnames = true
+
+
+
+#########################
+# Metrics #
+#########################
+
+# [metrics]
+
+# type = "prometheus"
+# listen_addr = "0.0.0.0:9100"
+# path = "/metrics"
+
+
+
+################################
+# Anonymized DNS #
+################################
+
+[anonymized_dns]
+
+# Enable relaying support for Anonymized DNS
+
+enabled = false
+
+
+# Allowed upstream ports
+# This is a list of commonly used ports for encrypted DNS services
+
+allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]
+
+
+# Allow all ports >= 1024 in addition to the list above
+
+allow_non_reserved_ports = false
+
+
+# Blacklisted upstream IP addresses
+
+blacklisted_ips = [ ]
+
+
+
+
+################################
+# Access control #
+################################
+
+[access_control]
+
+# Enable access control
+
+enabled = false
+
+# Only allow access to client queries including one of these random tokens
+# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
+# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
+# Example: `query_meta = ["token:Y2oHkDJNHz"]`
+
+tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]
diff --git a/srcpkgs/encrypted-dns/files/encrypted-dns/run b/srcpkgs/encrypted-dns/files/encrypted-dns/run
new file mode 100755
index 000000000000..9bdff1794f55
--- /dev/null
+++ b/srcpkgs/encrypted-dns/files/encrypted-dns/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+exec 2>&1
+exec encrypted-dns -c /etc/encrypted-dns/encrypted-dns.toml
diff --git a/srcpkgs/encrypted-dns/patches/cargo-lock.patch b/srcpkgs/encrypted-dns/patches/cargo-lock.patch
new file mode 100644
index 000000000000..43092c2697e8
--- /dev/null
+++ b/srcpkgs/encrypted-dns/patches/cargo-lock.patch
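Review bot: `tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]` under `[access_control]` ships three concrete token values into `/etc/encrypted-dns/encrypted-dns.toml`; they appear to be copied from upstream's example configuration, so they are not the per-deployment "random tokens" the comment above them describes. With `enabled = false` they are inert, but an operator who only flips `enabled = true` ends up allow-listing values that anyone can read from the upstream repository. Either ship the line commented out, `# tokens = ["..."]`, or put `# Example values only: generate fresh random tokens before enabling access control` directly above it. The same placeholder caveat applies to `provider_name = "secure.dns.test"` and the `external = "198.51.100.1:443"` listen address, though those are already flagged by the surrounding comments as values to change.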
@@ -0,0 +1,11 @@
+--- a/Cargo.lock
++++ b/Cargo.lock
+@@ -226,7 +226,7 @@
+ 
+ [[package]]
+ name = "encrypted-dns"
+-version = "0.9.12"
++version = "0.9.13"
+ dependencies = [
+ "anyhow",
+ "byteorder",
diff --git a/srcpkgs/encrypted-dns/template b/srcpkgs/encrypted-dns/template
new file mode 100644
index 000000000000..edaa5d8ec586
--- /dev/null
+++ b/srcpkgs/encrypted-dns/template
@@ -0,0 +1,38 @@
+# Template file for 'encrypted-dns'
+pkgname=encrypted-dns
+version=0.9.13
+revision=1
+build_style=cargo
+makedepends="libsodium-devel"
+short_desc="DNSCrypt v2 server with support for DNSSEC and DoH forwarding"
+maintainer="MeganerdNL "
+license="MIT"
+homepage="https://github.com/DNSCrypt/encrypted-dns-server"
+distfiles="https://github.com/DNSCrypt/encrypted-dns-server/archive/refs/tags/${version}.tar.gz"
+checksum=5e4f9143313bf58888c31ec4e220e9fb65b28b60fe5b6aff872f9f2ecb7537d5
+
+system_accounts="_encrypted_dns"
+_encrypted_dns_homedir="/var/lib/encrypted-dns"
+
+conf_files="/etc/encrypted-dns/encrypted-dns.toml"
+
+mutable_files="/var/lib/encrypted-dns/undelegated.txt"
+
+if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
+ XBPS_CROSS_RUSTFLAGS+=" -latomic"
+ makedepends+=" libatomic-devel"
+fi
+
+case "$XBPS_TARGET_MACHINE" in
+ *-musl) makedepends+=" musl-devel libstdc++";;
+esac
+
+post_install() {
+ vlicense LICENSE
+
+ # Install config file and list of undelegated TLDs
+ vinstall ${FILESDIR}/encrypted-dns.toml 0644 etc/encrypted-dns encrypted-dns.toml
+ vinstall undelegated.txt 0644 var/lib/encrypted-dns undelegated.txt
+
+ vsv encrypted-dns
+}
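Review bot: `cargo-lock.patch` carries no explanation of why the lockfile's own crate entry is being edited; a void-packages patch may begin with free-form text before its first `---` line, and without it a reader has to infer the motive from the `0.9.12` → `0.9.13` change alone. I would add a header along the lines of `Upstream tagged 0.9.13 without regenerating Cargo.lock, so the locked build rejects the stale version entry; bump it to match the tag.` — assuming that is in fact the cause, which nothing in the diff states. The header could also note that this patch must be refreshed or dropped on the next upstream release, since it will stop applying as soon as upstream fixes the lockfile.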