forked from mirrors/nixpkgs
dnscrypt-proxy service: expose option to use ephemeral keys
Some users may wish to improve their privacy by using per-query key pairs, which makes it more difficult for upstream resolvers to track users across IP addresses.
This commit is contained in:
parent
cdef1cdd38
commit
12877098cb
|
@ -10,6 +10,7 @@ let
|
|||
daemonArgs =
|
||||
[ "--local-address=${localAddress}"
|
||||
(optionalString cfg.tcpOnly "--tcp-only")
|
||||
(optionalString cfg.ephemeralKeys "-E")
|
||||
]
|
||||
++ resolverArgs;
|
||||
resolverArgs = if (cfg.customResolver != null)
|
||||
|
@ -116,6 +117,17 @@ in
|
|||
TCP instead of UDP (on port 443). Use only if the UDP port is blocked.
|
||||
'';
|
||||
};
|
||||
ephemeralKeys = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Compute a new key pair for every query. Enabling this option
|
||||
increases CPU usage, but makes it more difficult for the upstream
|
||||
resolver to track your usage of their service across IP addresses.
|
||||
The default is to re-use the public key pair for all queries, making
|
||||
tracking trivial.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in a new issue