dnscrypt-proxy service: expose option to use ephemeral keys

Some users may wish to improve their privacy by using per-query key pairs, which makes it more difficult for upstream resolvers to track users across IP addresses.
2016-03-17 14:34:56 +01:00 · 2016-03-17 14:34:56 +01:00 · 12877098cb
commit 12877098cb
parent cdef1cdd38
1 changed files with 12 additions and 0 deletions
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@ -10,6 +10,7 @@ let
  daemonArgs =
    [ "--local-address=${localAddress}"
      (optionalString cfg.tcpOnly "--tcp-only")
+      (optionalString cfg.ephemeralKeys "-E")
    ]
    ++ resolverArgs;
  resolverArgs = if (cfg.customResolver != null)
@ -116,6 +117,17 @@ in
          TCP instead of UDP (on port 443). Use only if the UDP port is blocked.
        '';
      };
+      ephemeralKeys = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Compute a new key pair for every query.  Enabling this option
+          increases CPU usage, but makes it more difficult for the upstream
+          resolver to track your usage of their service across IP addresses.
+          The default is to re-use the public key pair for all queries, making
+          tracking trivial.
+        '';
+      };
    };
  };