From 3fe20560cc33c9f89d4c65f9c72df7901e22ae6f Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm+julm-nix@sourcephile.fr>
Date: Wed, 17 Apr 2024 05:38:53 +0200
Subject: [PATCH] dnscrypt-proxy2: support nftables

---
 hosts/aubergine/networking/nftables.nix |  1 -
 hosts/courge/networking/nftables.nix    |  1 -
 hosts/oignon/networking/nftables.nix    |  1 -
 hosts/patate/networking/nftables.nix    |  1 -
 nixos/profiles/dnscrypt-proxy2.nix      | 10 +++++++++-
 nixpkgs/patches.nix                     |  5 +++++
 6 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/hosts/aubergine/networking/nftables.nix b/hosts/aubergine/networking/nftables.nix
index e66cdda..a53ca5e 100644
--- a/hosts/aubergine/networking/nftables.nix
+++ b/hosts/aubergine/networking/nftables.nix
@@ -38,7 +38,6 @@ in
           udp dport 60000-61000 counter accept comment "Mosh"
           tcp dport { http, https } counter accept comment "HTTP"
           udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
-          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
           tcp dport git counter accept comment "Git"
           tcp dport 5201 counter accept comment "iperf"
         }
diff --git a/hosts/courge/networking/nftables.nix b/hosts/courge/networking/nftables.nix
index 30927b0..869c5c7 100644
--- a/hosts/courge/networking/nftables.nix
+++ b/hosts/courge/networking/nftables.nix
@@ -48,7 +48,6 @@ in
           tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
           udp dport 60001-60100 counter accept comment "Mosh"
           udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
-          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
           tcp dport { http, https } counter accept comment "HTTP"
           tcp dport git counter accept comment "Git"
           tcp dport imaps counter accept comment "IMAPS"
diff --git a/hosts/oignon/networking/nftables.nix b/hosts/oignon/networking/nftables.nix
index 8ebec85..1ec0a97 100644
--- a/hosts/oignon/networking/nftables.nix
+++ b/hosts/oignon/networking/nftables.nix
@@ -45,7 +45,6 @@ in
           tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
           udp dport 60001-60100 counter accept comment "Mosh"
           udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
-          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
           tcp dport { http, https } counter accept comment "HTTP"
           tcp dport git counter accept comment "Git"
           tcp dport imaps counter accept comment "IMAPS"
diff --git a/hosts/patate/networking/nftables.nix b/hosts/patate/networking/nftables.nix
index f891169..01bfd37 100644
--- a/hosts/patate/networking/nftables.nix
+++ b/hosts/patate/networking/nftables.nix
@@ -48,7 +48,6 @@ in
           tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
           udp dport 60001-60100 counter accept comment "Mosh"
           udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
-          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
           tcp dport { http, https } counter accept comment "HTTP"
           tcp dport git counter accept comment "Git"
           tcp dport imaps counter accept comment "IMAPS"
diff --git a/nixos/profiles/dnscrypt-proxy2.nix b/nixos/profiles/dnscrypt-proxy2.nix
index dbc1e79..14f4e3e 100644
--- a/nixos/profiles/dnscrypt-proxy2.nix
+++ b/nixos/profiles/dnscrypt-proxy2.nix
@@ -1,4 +1,5 @@
-{ lib, ... }:
+{ lib, config, ... }:
+let inherit (config) users; in
 with lib;
 {
   networking = {
@@ -60,4 +61,11 @@ with lib;
       use_syslog = true;
     };
   };
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain output-net {
+        meta l4proto { udp, tcp } th dport domain skuid ${users.users.dnscrypt-proxy2.name} counter accept comment "DHCP"
+      }
+    }
+  '';
 }
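Review bot: The counter comment on the added rule says "DHCP", but the rule matches `th dport domain` for the dnscrypt-proxy2 uid, i.e. DNS, so the label shown by `nft list ruleset` counters will mislead whoever audits the chain; change it to `meta l4proto { udp, tcp } th dport domain skuid ${users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2"` as the removed host rules had. Limiting egress to destination port 53 is tighter than the all-ports-for-uid rule deleted from the four host files, which is a good direction, but dnscrypt-proxy2 reaches DNSCrypt and DoH resolvers on whatever port the server stamp declares, frequently 443, so any configured resolver on a non-53 port would presumably now be dropped by this chain — worth confirming against the active server list and, if needed, widening to `th dport { domain, https }`. The snippet declares `table inet filter { chain output-net { ... } }` without a hook, so it relies on the same table and chain being declared with their hook elsewhere in the merged ruleset; a one-line comment above `networking.nftables.ruleset` saying the chain is merged into the host's `output-net` would save the next reader a search.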
diff --git a/nixpkgs/patches.nix b/nixpkgs/patches.nix
index 950a2fc..2611c0f 100644
--- a/nixpkgs/patches.nix
+++ b/nixpkgs/patches.nix
@@ -9,6 +9,11 @@
     url = "https://github.com/NixOS/nixpkgs/pull/276014.diff";
     sha256 = "sha256-SUftUE++06TqRmK88VxQKiI9NaJs7XtC8I97ScQHF/Y=";
   }
+  {
+    meta.description = "dnscrypt-proxy2";
+    url = "https://github.com/NixOS/nixpkgs/pull/304810.diff";
+    sha256 = "sha256-YGQZibCIKz7YYS1bw2QNtHbJPWWV6nZqWwddWsAFK5Q=";
+  }
   /*
     {
     meta.description = "nixos/syncoid: enable N:N dataset mappings";
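Review bot: The new patch entry fetches `https://github.com/NixOS/nixpkgs/pull/304810.diff`, a URL whose content changes whenever the PR is pushed to or rebased, so the pinned sha256 will start failing once the PR moves and `meta.description = "dnscrypt-proxy2"` gives no hint which revision was hashed. The fixed-output hash does keep the build from silently picking up a changed patch, which is the right property to keep; to make the pin reproducible, reference the PR head commit instead, e.g. `url = "https://github.com/NixOS/nixpkgs/commit/<PR-HEAD-SHA>.diff";` with the placeholder filled in, or record the hashed revision in `meta.description`. The existing entry just above follows the same pattern, so the same remark applies to it.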
-- 
2.47.0