Unverified Commit 8794d573 authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents e3eacb46 3a6b97ce
+229 −88
@@ -15,7 +15,8 @@ in
rec {


  /* `overrideDerivation drv f` takes a derivation (i.e., the result
  /**
    `overrideDerivation drv f` takes a derivation (i.e., the result
    of a call to the builtin function `derivation`) and returns a new
    derivation in which the attributes of the original are overridden
    according to the function `f`.  The function `f` is called with
@@ -39,7 +40,28 @@ rec {
    You should in general prefer `drv.overrideAttrs` over this function;
    see the nixpkgs manual for more information on overriding.

     Example:

    # Inputs

    `drv`

    : 1\. Function argument

    `f`

    : 2\. Function argument

    # Type

    ```
    overrideDerivation :: Derivation -> ( Derivation -> AttrSet ) -> Derivation
    ```

    # Examples
    :::{.example}
    ## `lib.customisation.overrideDerivation` usage example

    ```nix
    mySed = overrideDerivation pkgs.gnused (oldAttrs: {
      name = "sed-4.2.2-pre";
      src = fetchurl {
@@ -48,9 +70,9 @@ rec {
      };
      patches = [];
    });
    ```

     Type:
       overrideDerivation :: Derivation -> ( Derivation -> AttrSet ) -> Derivation
    :::
  */
  overrideDerivation = drv: f:
    let
@@ -67,14 +89,32 @@ rec {
      });


  /* `makeOverridable` takes a function from attribute set to attribute set and
  /**
    `makeOverridable` takes a function from attribute set to attribute set and
    injects `override` attribute which can be used to override arguments of
    the function.

    Please refer to  documentation on [`<pkg>.overrideDerivation`](#sec-pkg-overrideDerivation) to learn about `overrideDerivation` and caveats
    related to its use.

     Example:

    # Inputs

    `f`

    : 1\. Function argument

    # Type

    ```
    makeOverridable :: (AttrSet -> a) -> AttrSet -> a
    ```

    # Examples
    :::{.example}
    ## `lib.customisation.makeOverridable` usage example

    ```nix
    nix-repl> x = {a, b}: { result = a + b; }

    nix-repl> y = lib.makeOverridable x { a = 1; b = 2; }
@@ -84,9 +124,9 @@ rec {

    nix-repl> y.override { a = 10; }
    { override = «lambda»; overrideDerivation = «lambda»; result = 12; }
    ```

     Type:
       makeOverridable :: (AttrSet -> a) -> AttrSet -> a
    :::
  */
  makeOverridable = f:
    let
@@ -120,7 +160,8 @@ rec {
      else result);


  /* Call the package function in the file `fn` with the required
  /**
    Call the package function in the file `fn` with the required
    arguments automatically.  The function is called with the
    arguments `args`, but any missing arguments are obtained from
    `autoArgs`.  This function is intended to be partially
@@ -147,8 +188,26 @@ rec {

    <!-- TODO: Apply "Example:" tag to the examples above -->

    Type:

    # Inputs

    `autoArgs`

    : 1\. Function argument

    `fn`

    : 2\. Function argument

    `args`

    : 3\. Function argument

    # Type

    ```
    callPackageWith :: AttrSet -> ((AttrSet -> a) | Path) -> AttrSet -> a
    ```
  */
  callPackageWith = autoArgs: fn: args:
    let
@@ -210,12 +269,31 @@ rec {
       else abort "lib.customisation.callPackageWith: ${error}";


  /* Like callPackage, but for a function that returns an attribute
  /**
    Like callPackage, but for a function that returns an attribute
    set of derivations. The override function is added to the
    individual attributes.

     Type:

    # Inputs

    `autoArgs`

    : 1\. Function argument

    `fn`

    : 2\. Function argument

    `args`

    : 3\. Function argument

    # Type

    ```
    callPackagesWith :: AttrSet -> ((AttrSet -> AttrSet) | Path) -> AttrSet -> AttrSet
    ```
  */
  callPackagesWith = autoArgs: fn: args:
    let
@@ -233,11 +311,30 @@ rec {
      else mapAttrs mkAttrOverridable pkgs;


  /* Add attributes to each output of a derivation without changing
  /**
    Add attributes to each output of a derivation without changing
    the derivation itself and check a given condition when evaluating.

     Type:

    # Inputs

    `condition`

    : 1\. Function argument

    `passthru`

    : 2\. Function argument

    `drv`

    : 3\. Function argument

    # Type

    ```
    extendDerivation :: Bool -> Any -> Derivation -> Derivation
    ```
  */
  extendDerivation = condition: passthru: drv:
    let
@@ -269,13 +366,24 @@ rec {
      outPath = assert condition; drv.outPath;
    };

  /* Strip a derivation of all non-essential attributes, returning
  /**
    Strip a derivation of all non-essential attributes, returning
    only those needed by hydra-eval-jobs. Also strictly evaluate the
    result to ensure that there are no thunks kept alive to prevent
    garbage collection.

     Type:

    # Inputs

    `drv`

    : 1\. Function argument

    # Type

    ```
    hydraJob :: (Derivation | Null) -> (Derivation | Null)
    ```
  */
  hydraJob = drv:
    let
@@ -443,17 +551,49 @@ rec {
        };
    in self;

  /* backward compatibility with old uncurried form; deprecated */
  /**
    backward compatibility with old uncurried form; deprecated


    # Inputs

    `splicePackages`

    : 1\. Function argument

    `newScope`

    : 2\. Function argument

    `otherSplices`

    : 3\. Function argument

    `keep`

    : 4\. Function argument

    `extra`

    : 5\. Function argument

    `f`

    : 6\. Function argument
  */
  makeScopeWithSplicing =
    splicePackages: newScope: otherSplices: keep: extra: f:
    makeScopeWithSplicing'
    { inherit splicePackages newScope; }
    { inherit otherSplices keep extra f; };

  /* Like makeScope, but aims to support cross compilation. It's still ugly, but
  /**
    Like makeScope, but aims to support cross compilation. It's still ugly, but
    hopefully it helps a little bit.

     Type:
    # Type

    ```
    makeScopeWithSplicing' ::
      { splicePackages :: Splice -> AttrSet
      , newScope :: AttrSet -> ((AttrSet -> a) | Path) -> AttrSet -> a
@@ -469,6 +609,7 @@ rec {
      , pkgsHostTarget :: AttrSet
      , pkgsTargetTarget :: AttrSet
      }
    ```
  */
  makeScopeWithSplicing' =
    { splicePackages
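Review bot: The new `# Inputs` sections describe every parameter only as `1\. Function argument`, `2\. Function argument` and so on, which tells a reader nothing the signature does not already show; this applies to all the converted comments in this file section, for example `condition`, `passthru` and `drv` on `extendDerivation`. For `condition`, a description such as `Assertion checked when an output of the resulting derivation is evaluated` would carry real information, and it is supported by the visible context line `outPath = assert condition; drv.outPath;`. The comment on the deprecated `makeScopeWithSplicing` should also name `makeScopeWithSplicing'` as the replacement, since the body only forwards to it. Most of these definitions start or end outside the visible hunks, so the wording should be checked against the full bodies.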
+17 −1
@@ -5423,6 +5423,7 @@
    name = "Florentin Eckl";
  };
  eclairevoyant = {
    email = "contactmeongithubinstead@proton.me";
    github = "eclairevoyant";
    githubId = 848000;
    name = "éclairevoyant";
@@ -6186,7 +6187,7 @@
  };
  eymeric = {
    name = "Eymeric Dechelette";
    email = "hatchchcien@protonmail.com";
    email = "hatchchien@protonmail.com";
    github = "hatch01";
    githubId = 42416805;
  };
@@ -9033,6 +9034,12 @@
    githubId = 1667473;
    name = "Jethro Kuan";
  };
  jetpackjackson = {
    email = "baileyannew@tutanota.com";
    github = "JetpackJackson";
    githubId = 88674707;
    name = "Bailey Watkins";
  };
  jevy = {
    email = "jevin@quickjack.ca";
    github = "jevy";
@@ -18445,6 +18452,15 @@
    githubId = 950799;
    name = "Tomasz Czyż";
  };
  spitulax = {
    name = "Bintang Adiputra Pratama";
    email = "bintangadiputrapratama@gmail.com";
    github = "spitulax";
    githubId = 96517350;
    keys = [{
      fingerprint = "652F FAAD 5CB8 AF1D 3F96  9521 929E D6C4 0414 D3F5";
    }];
  };
  spoonbaker = {
    github = "Spoonbaker";
    githubId = 47164123;
+4 −0
@@ -71,6 +71,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- [Guix](https://guix.gnu.org), a functional package manager inspired by Nix. Available as [services.guix](#opt-services.guix.enable).

- [PhotonVision](https://photonvision.org/), a free, fast, and easy-to-use computer vision solution for the FIRST® Robotics Competition.

- [pyLoad](https://pyload.net/), a FOSS download manager written in Python. Available as [services.pyload](#opt-services.pyload.enable)

- [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).
@@ -81,6 +83,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- [pretalx](https://github.com/pretalx/pretalx), a conference planning tool. Available as [services.pretalx](#opt-services.pretalx.enable).

- [dnsproxy](https://github.com/AdguardTeam/dnsproxy), a simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support. Available as [services.dnsproxy](#opt-services.dnsproxy.enable).

- [rspamd-trainer](https://gitlab.com/onlime/rspamd-trainer), script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.

- [ollama](https://ollama.ai), server for running large language models locally.
+2 −0
@@ -944,6 +944,7 @@
  ./services/networking/dnscrypt-wrapper.nix
  ./services/networking/dnsdist.nix
  ./services/networking/dnsmasq.nix
  ./services/networking/dnsproxy.nix
  ./services/networking/doh-proxy-rust.nix
  ./services/networking/ejabberd.nix
  ./services/networking/envoy.nix
@@ -1273,6 +1274,7 @@
  ./services/video/go2rtc/default.nix
  ./services/video/frigate.nix
  ./services/video/mirakurun.nix
  ./services/video/photonvision.nix
  ./services/video/replay-sorcery.nix
  ./services/video/mediamtx.nix
  ./services/video/unifi-video.nix
+106 −0
{ config, lib, pkgs, ... }:

let
  inherit (lib)
    escapeShellArgs
    getExe
    lists
    literalExpression
    maintainers
    mdDoc
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    types;

  cfg = config.services.dnsproxy;

  yaml = pkgs.formats.yaml { };
  configFile = yaml.generate "config.yaml" cfg.settings;

  finalFlags = (lists.optional (cfg.settings != { }) "--config-path=${configFile}") ++ cfg.flags;
in
{

  options.services.dnsproxy = {

    enable = mkEnableOption (lib.mdDoc "dnsproxy");

    package = mkPackageOption pkgs "dnsproxy" { };

    settings = mkOption {
      type = yaml.type;
      default = { };
      example = literalExpression ''
        {
          bootstrap = [
            "8.8.8.8:53"
          ];
          listen-addrs = [
            "0.0.0.0"
          ];
          listen-ports = [
            53
          ];
          upstream = [
            "1.1.1.1:53"
          ];
        }
      '';
      description = mdDoc ''
        Contents of the `config.yaml` config file.
        The `--config-path` argument will only be passed if this set is not empty.

        See <https://github.com/AdguardTeam/dnsproxy/blob/master/config.yaml.dist>.
      '';
    };

    flags = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "--upstream=1.1.1.1:53" ];
      description = lib.mdDoc ''
        A list of extra command-line flags to pass to dnsproxy. For details on the
        available options, see <https://github.com/AdguardTeam/dnsproxy#usage>.
        Keep in mind that options passed through command-line flags override
        config options.
      '';
    };

  };

  config = mkIf cfg.enable {
    systemd.services.dnsproxy = {
      description = "Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support";
      after = [ "network.target" "nss-lookup.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${getExe cfg.package} ${escapeShellArgs finalFlags}";
        Restart = "always";
        RestartSec = 10;
        DynamicUser = true;

        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        ProtectClock = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        RemoveIPC = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
      };
    };
  };

  meta.maintainers = with maintainers; [ diogotcorreia ];

}
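Review bot: The `serviceConfig` hardening grants `CAP_NET_BIND_SERVICE` through `AmbientCapabilities` but never sets `CapabilityBoundingSet`, so the bounding set is left at its default rather than narrowed to the one capability the proxy needs; adding `CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";` next to it closes that gap, and `ProtectKernelModules`, `ProtectKernelTunables`, `ProtectControlGroups` and `PrivateDevices` are also missing from an otherwise fairly complete list. The process already runs under `DynamicUser` with `NoNewPrivileges`, so these are defence in depth rather than a fix for a reachable escalation. Separately, `settings` is rendered by `yaml.generate` into the Nix store and `flags` is interpolated into `ExecStart`, both of which are world-readable, so the option descriptions should say that credentials must not be placed in either. The `settings` example also listens on `0.0.0.0` port 53; a loopback address there, or a sentence about restricting who can reach the listener, would avoid steering users toward running an open resolver.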