net-dns/dnscrypt-proxy: bump to 1.9.5, Sanitize initscripts.

Greatly simplify initscript to allow symlinking of unit files
for openrc. This approach follows upstream recommendation to
use config file instead of command line args.
Also proper systemd unit with socket activation from upstream.
Fixes 588462

Bug: https://bugs.gentoo.org/show_bug.cgi?id=588462
Closes: #5346

net-dns/dnscrypt-proxy/Manifest

@@ -1 +1,2 @@
 DIST dnscrypt-proxy-1.9.4.tar.gz 1660333 SHA256 40543efbcd56033ac03a1edf4581305e8c9bed4579ac55e6279644f07c315307 SHA512 b19103dc39655f199c85ec69daab949d07adc12e64411d2323308afb398e6ac6563bbc17f2e317bfe1e6c95c810487d8d62da3f4c7f7257bdcf837cd0390bfb0 WHIRLPOOL 4e9494c2765ecf9d625f7b44c0f58c40e491e1334a58552111730ecd3b95cba10667b2bfa2b29e291ccfa97a5678bbbc398dd14e888914bfddc6f7e61bac4a3a
+DIST dnscrypt-proxy-1.9.5.tar.bz2 1290573 SHA256 e89f5b9039979ab392302faf369ef7593155d5ea21580402a75bbc46329d1bb6 SHA512 84c0f7587521b3a198292cf20dd71cb592ccf8a9e003abbc62c5ca112f6c5ed27c49b1642cf91f403d52b4147e25f24af540b65cecfcf93814338329097df836 WHIRLPOOL dec0090456a36fcc2b6883c1510c09d7a17459f022b0957eccf5f48272a305f546a760f9fb5c598b3fe86747ff16fac9b6767e3422f999dfca5fb717cd926ea1

net-dns/dnscrypt-proxy/dnscrypt-proxy-1.9.5.ebuild

@@ -0,0 +1,72 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit systemd user
+
+DESCRIPTION="A tool for securing communications between a client and a DNS resolver"
+HOMEPAGE="https://dnscrypt.org"
+SRC_URI="https://download.dnscrypt.org/${PN}/${P}.tar.bz2"
+
+LICENSE="ISC"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="hardened libressl +plugins ssl systemd"
+
+RDEPEND="
+	dev-libs/libsodium
+	net-libs/ldns
+	ssl? (
+		!libressl? ( dev-libs/openssl:0= )
+		libressl? ( dev-libs/libressl:0= )
+	)
+	systemd? ( sys-apps/systemd )"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig"
+
+pkg_setup() {
+	enewgroup dnscrypt
+	enewuser dnscrypt -1 -1 /var/empty dnscrypt
+}
+
+src_configure() {
+	econf \
+		$(use_enable hardened pie) \
+		$(use_enable plugins) \
+		$(use_enable ssl openssl) \
+		$(use_with systemd)
+}
+
+src_install() {
+	local DOCS=( AUTHORS ChangeLog NEWS README* THANKS *txt )
+
+	default
+
+	newinitd "${FILESDIR}"/${PN}.initd-r1 ${PN}
+	newconfd "${FILESDIR}"/${PN}.confd-r1 ${PN}
+	systemd_newunit "${FILESDIR}"/${PN}.service-r1 ${PN}.service
+	systemd_newunit "${FILESDIR}"/${PN}.socket-r1 ${PN}.socket
+	insinto /etc
+	doins "${FILESDIR}"/${PN}.conf /etc
+}
+
+pkg_preinst() {
+	# ship working default configuration for systemd users
+	if use systemd; then
+		sed -i 's/Daemonize yes/Daemonize no/g' "${D}"/etc/${PN}.conf
+	fi
+}
+
+pkg_postinst() {
+	elog "After starting the service you will need to update your"
+	elog "/etc/resolv.conf and replace your current set of resolvers"
+	elog "with:"
+	elog
+	elog "nameserver 127.0.0.1"
+	elog
+	use systemd && elog "with systemd dnscrypt-proxy ignores LocalAddress setting in the config file"
+	use systemd && elog "edit dnscrypt-proxy.socket if you need to change the defaults"
+	elog
+	elog "Also see https://github.com/jedisct1/dnscrypt-proxy#usage."
+}

net-dns/dnscrypt-proxy/files/dnscrypt-proxy.conf

@@ -0,0 +1,242 @@
+######################################################
+#                                                    #
+#    Sample configuration file for dnscrypt-proxy    #
+#                                                    #
+######################################################
+
+
+############## Resolver settings ##############
+
+## [CHANGE THIS] Short name of the resolver to use
+## Usually the only thing you need to change in this configuration file.
+## This corresponds to the first column in the dnscrypt-resolvers.csv file.
+## Alternatively, "random" (without quotes) picks a random random resolver
+## accessible over IPv4, that doesn't log and supports DNSSEC.
+
+ResolverName random
+
+
+## Full path to the list of available DNSCrypt resolvers (dnscrypt-resolvers.csv)
+## An up-to-date list is available here:
+## https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
+## and the dnscrypt-update-resolvers.sh script can be used in order to
+## automatically download and verify updates.
+
+ResolversList /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
+
+
+## Manual settings, only for a custom resolver not present in the CSV file
+
+#ProviderName    2.dnscrypt.some.provider.name.tld
+#ProviderKey     0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF
+#ResolverAddress 111.222.333.444:56789
+
+
+
+############## Process options ##############
+
+## [NOT AVAILABLE ON WINDOWS] Run the proxy as a background process.
+## Unless you are using systemd, you probably want to change this to "yes"
+## after having verified that the rest of the configuration works as expected.
+
+Daemonize yes
+
+
+## Write the PID number to a file
+
+PidFile /run/dnscrypt-proxy.pid
+
+
+## [NOT AVAILABLE ON WINDOWS] Start the process, bind the required ports, and
+## run the server as a less-privileged system user.
+## The value for this parameter is a user name.
+
+User dnscrypt
+
+
+############## Network/protocol settings ##############
+
+## Local address and port to listen to.
+## A 127.0.0.x address is recommended for local use, but 0.0.0.0 or
+## a specific interface address can be used on a router, or to
+## configure a single machine to act as a DNS proxy for different
+## devices.
+## If the socket is created by systemd, the proxy cannot change the address
+## using this option. You should edit systemd's dnscrypt-proxy.socket file
+## instead.
+
+LocalAddress 127.0.0.1:53
+
+
+## Cache DNS responses to avoid outgoing traffic when the same queries
+## are repeated multiple times in a row.
+
+LocalCache on
+
+
+## Creates a new key pair for every query.
+## This prevents logging servers from correlating client public keys with
+## IP addresses. However, this option implies extra CPU load, and is not
+## very useful with trusted/non-logging servers.
+
+EphemeralKeys off
+
+
+## Maximum number of active requests waiting for a response.
+## Keep it reasonable relative to the expected number of clients.
+
+# MaxActiveRequests 250
+
+
+## This is the maximum payload size allowed when using the UDP protocol.
+## The default is safe, and rarely needs to be changed.
+
+# EDNSPayloadSize 1252
+
+
+## Ignore the time stamps when checking the certificates
+## Do not enable this option ever, unless you know that you need it.
+
+# IgnoreTimestamps no
+
+
+## Do not send queries using UDP. Only use TCP.
+## Even if some resolvers mitigate this, DNS over TCP is almost always slower
+## than UDP and doesn't offer additional security.
+## Only enable this option if UDP doesn't work on your network.
+
+# TCPOnly no
+
+
+## Forward queries for specific zones to one or more non-DNSCrypt resolvers.
+## For instance, this can be used to redirect queries for local domains to
+## the router, or queries for an internal domain to an internal DNS server.
+## Multiple whitespace-delimited zones and IP addresses can be specified.
+## Do not enable this unless you absolutely know you need it.
+## If you see useless queries to these zones, you'd better block them with
+## the BlackList feature instead of sending them in clear text to the router.
+## This uses a plugin that requires dnscrypt-proxy to be compiled with
+## the ldns library.
+
+#Forward domains:"localdomain" to:"192.168.0.1"
+
+
+############## Logging ##############
+
+## Log the received DNS queries to a file, so you can watch in real-time what
+## is happening on the network.
+## The value for this parameter is a full path to the log file.
+## The file name can be prefixed with ltsv: in order to store logs using the
+## LTSV format (ex: ltsv:/tmp/dns-queries.log).
+
+# QueryLogFile /tmp/dns-queries.log
+
+
+## Log file to write server errors and information to.
+## If you use this tool for privacy, keeping logs of any kind is usually not
+## a good idea.
+
+# LogFile /var/log/dnscrypt-proxy.log
+
+
+## Don't log events with priority above this log level after the service has
+## been started up. Default is 6.
+## Valid values are between 0 (critical) to 7 (debug-level messages).
+
+# LogLevel 6
+
+
+## [NOT AVAILABLE ON WINDOWS] Send server logs to the syslog daemon
+## Log entries can optionally be prefixed with a string.
+
+Syslog       on
+# SyslogPrefix dnscrypt
+
+
+
+############## Local filtering ##############
+
+## If your network doesn't support IPv6, chances are that your
+## applications are still constantly trying to resolve IPv6 addresses,
+## causing unnecessary slowdowns.
+## This causes the proxy to immediately reply to IPv6 requests,
+## without having to send a useless request to upstream resolvers, and
+## having to wait for a response.
+## This uses a plugin that requires dnscrypt-proxy to be compiled with
+## the ldns library.
+
+BlockIPv6 no
+
+
+## Want to filter ads, malware, sensitive or inappropriate websites and
+## domain names? This feature can block lists of IP addresses and names
+## matching a list of patterns. The list of rules remains private, and
+## the filtering process directly happens on your own network. In order
+## to filter IP addresses, the list of IPs has to be put into a text
+## file, with one IP address per line. Lists of domain names can also be
+## blocked as well. Put the list into a text file, one domain per line.
+## Domains can include wildcards (*) in order to match patterns. For
+## example *sex* will match any name that contains the sex substring, and
+## ads.* will match anything starting with ads. The Internet has plenty
+## of free feeds of IP addresses and domain names used for malware,
+## phishing and spam that you can use with this feature.
+##
+## This uses a plugin that requires dnscrypt-proxy to be compiled with
+## the ldns library.
+##
+## To enable, uncomment one of the following definitions:
+
+## Block query names matching the rules stored in that file:
+# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt"
+
+## Block responses whose IP addresses match IPs stored in that file:
+# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt"
+
+## Block both domain names and IP addresses:
+# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt"
+
+## Same as the above + log the blocked queries in a file.
+## The log file can be prefixed with ltsv: (ex: ltsv:/tmp/log.txt) in order to
+## store logs using the LTSV format.
+# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" logfile:"/var/log/dnscrypt-blocked.log"
+# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log"
+# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log"
+
+
+
+############## User identification ##############
+
+## Use a client public key for identification
+## By default, the client uses a randomized key pair in order to make tracking
+## more difficult. This option does the opposite and uses a static key pair, so
+## that DNS providers can offer premium services to queries signed with a known
+## set of public keys. A client cannot decrypt the received responses without
+## also knowing the secret key.
+## The value for this property is the path to a file containing the secret key,
+## encoded as a hexadecimal string. The corresponding public key is computed
+## automatically.
+
+# ClientKey /etc/dnscrypt-client-secret.key
+
+
+
+############## Monitoring ##############
+
+## Do not actually start the proxy, but check that a valid certificate can be
+## retrieved from the server and that it will remain valid for the specified
+## time period. The process exit code is 0 if a valid certificate can be used,
+## 2 if no valid certificates can be used, 3 if a timeout occurred, and 4 if a
+## currently valid certificate is going to expire before the given margin.
+## Useful in a cron job to monitor your own dnscrypt-servers.
+## The margin is specified in minutes.
+
+# Test 2880
+
+
+
+############## Recursive configuration ##############
+
+## A configuration file can include other configuration files by inserting
+## the `Include` directive anywhere (the full path required, no quotes):
+
+# Include /etc/dnscrypt-proxy-common.conf

net-dns/dnscrypt-proxy/files/dnscrypt-proxy.confd-r1

@@ -0,0 +1 @@
+DNSCRYPT_OPTS="/etc/dnscrypt-proxy.conf"

net-dns/dnscrypt-proxy/files/dnscrypt-proxy.initd-r1

@@ -0,0 +1,11 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command="/usr/sbin/dnscrypt-proxy"
+command_args="${DNSCRYPT_OPTS}"
+pidfile="/run/${SVCNAME}.pid"
+
+depend() {
+	use net dns logger
+}

net-dns/dnscrypt-proxy/files/dnscrypt-proxy.service-r1

@@ -0,0 +1,18 @@
+[Unit]
+Description=DNSCrypt client proxy
+Documentation=man:dnscrypt-proxy(8)
+Requires=dnscrypt-proxy.socket
+After=network.target
+Before=nss-lookup.target
+
+[Install]
+Also=dnscrypt-proxy.socket
+WantedBy=multi-user.target
+
+[Service]
+Type=simple
+NonBlocking=true
+
+# Edit the configuration file appropriately, or the service will not start.
+# See https://dnscrypt.org for more information.
+ExecStart=/usr/sbin/dnscrypt-proxy /etc/dnscrypt-proxy.conf

net-dns/dnscrypt-proxy/files/dnscrypt-proxy.socket-r1

@@ -0,0 +1,9 @@
+[Unit]
+Description=dnscrypt-proxy listening socket
+
+[Socket]
+ListenStream=127.0.0.53:53
+ListenDatagram=127.0.0.53:53
+
+[Install]
+WantedBy=sockets.target