author | Ian Bashford <ianbashford@gmail.com> | 2018-04-19 21:44:49 +0100 |
committer | Francesco Colista <fcolista@alpinelinux.org> | 2018-04-27 13:19:20 +0000 |
commit | 2c9710c3fa36ff2abc0359619311135811893ce3 (patch) | |
tree | 195808b70c4de316c9b429549658d57ff70c1ae6 /community/dnscrypt-proxy | |
parent | 3fd829e90c4b1c647ea539a7566aadf6eed9b73e (diff) | |
community/dnscrypt-proxy upgrade to 2.0.10
update to 2.0.10 r1
move setcap to APKBUILD
patch the default config's log and configuration file locations
Diffstat (limited to 'community/dnscrypt-proxy')
-rw-r--r-- | community/dnscrypt-proxy/APKBUILD | 64 | ||||
-rw-r--r-- | community/dnscrypt-proxy/config-full-paths.patch | 471 | ||||
-rw-r--r-- | community/dnscrypt-proxy/dnscrypt-proxy.confd | 2 | ||||
-rw-r--r-- | community/dnscrypt-proxy/dnscrypt-proxy.initd | 11 |
4 files changed, 504 insertions, 44 deletions
diff --git a/community/dnscrypt-proxy/APKBUILD b/community/dnscrypt-proxy/APKBUILD
index bbd7c28947..c79dc3cd2e 100644
--- a/community/dnscrypt-proxy/APKBUILD
+++ b/community/dnscrypt-proxy/APKBUILD
@@ -1,71 +1,61 @@
-# Contributor: Francesco Colista <fcolista@alpinelinux.org>
-# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
+# Contributor: Ian Bashford <ianbashford@gmail.com>
+# Maintainer: Ian Bashford <ianbashford@gmail.com>
 pkgname=dnscrypt-proxy
 pkgver=2.0.10
-pkgrel=0
+pkgrel=1
 pkgdesc="A tool for securing communications between a client and a DNS resolver"
 url="https://dnscrypt.info"
 arch="all"
-license="custom"
+license="ISC"
 depends="ca-certificates"
-makedepends="libsodium-dev ldns-dev go"
+makedepends="libcap go"
 install="$pkgname.pre-install"
-options="!check" #upstream does not provide check/test
 pkgusers=dnscrypt
 pkggroups=dnscrypt
-subpackages="$pkgname-doc $pkgname-setup::noarch"
+subpackages="$pkgname-setup::noarch"
 source="$pkgname-$pkgver.tar.gz::https://github.com/jedisct1/$pkgname/archive/$pkgver.tar.gz
 	$pkgname.initd
 	$pkgname.confd
 	$pkgname.setup
+	config-full-paths.patch
 	"
 builddir="$srcdir"/$pkgname-$pkgver
+options="!check"
 prepare() {
-	default_prepare
 	cd "$builddir"
 	export GOPATH=$(pwd)
-	ln -sfv vendor src
+	ln -sf vendor src
+	default_prepare
 }
 build() {
-	cd "$builddir"/$pkgname
-	go build -ldflags="-s -w" -v
+	cd "$builddir"/"$pkgname"
+	GOPATH="$builddir" go build -ldflags="-s -w" -v
 }
 package() {
-	cd "$builddir"/$pkgname
-	mkdir -p "$pkgdir"/var/log/$pkgname
-	mkdir -p "$pkgdir"/var/empty
-	mkdir -p $pkgdir/usr/share/licenses/$pkgname
-	install -m755 -D "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
+	cd "$builddir"/"$pkgname"
+	mkdir -p "$pkgdir"/etc/"$pkgname"
+	mkdir -p "$pkgdir"/var/log/"$pkgname"
+	mkdir -p "$pkgdir"/usr/share/"$pkgname"
+	install -m755 -D dnscrypt-proxy "$pkgdir"/usr/bin/dnscrypt-proxy
+	setcap cap_net_bind_service=+ep "$pkgdir"/usr/bin/dnscrypt-proxy
+	install -vDm 644 "dnscrypt-proxy.toml" "${pkgdir}/etc/${pkgname}/dnscrypt-proxy.toml"
+	install -m755 -D "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
 	install -m644 -D "$srcdir"/$pkgname.confd "$pkgdir"/etc/conf.d/$pkgname
-	install -m755 -D $pkgname "$pkgdir"/usr/bin/$pkgname
-	install -vDm 644 "example-${pkgname}.toml" \
-		"${pkgdir}/etc/${pkgname}/${pkgname}.toml"
-	install -vDm 644 "example-blacklist.txt" \
-		"${pkgdir}/etc/${pkgname}/example-blacklist.txt"
-	install -vDm 644 "example-cloaking-rules.txt" \
-		"${pkgdir}/etc/${pkgname}/example-cloaking-rules.txt"
-	install -vDm 644 "example-forwarding-rules.txt" \
-		"${pkgdir}/etc/${pkgname}/example-forwarding-rules.txt"
-	install -vDm 644 "example-whitelist.txt" \
-		"${pkgdir}/etc/${pkgname}/example-whitelist.txt"
-	chown dnscrypt "$pkgdir"/var/log/$pkgname
-	chown dnscrypt "$pkgdir"/var/empty
-	chown dnscrypt "$pkgdir"/etc/$pkgname
-	install -m 644 ../LICENSE $pkgdir/usr/share/licenses/$pkgname
+	for i in example-*;do install -m644 -D "$i" "$pkgdir"/usr/share/"$pkgname"/"$i"; done
 }
 setup() {
-	pkgdesc="Script for setting up DNSCrypt Proxy"
+	pkgdesc="Script for setting up dnscrypt proxy"
 	depends="sed wget $pkgname"
-	mkdir -p "$subpkgdir"/sbin
-	install -m755 -D "$srcdir"/$pkgname.setup "$subpkgdir"/sbin/setup-dnscrypt
+	install -m755 -D "$srcdir"/$pkgname.setup "$subpkgdir"/usr/sbin/setup-dnscrypt
 }
 sha512sums="b28bbce986bace9c4ee1acfe5b372b9f847d5a0a199b085ead31813ad697753b6a25cead72a90a1967bd473bb4bcb591a384765b2de9af817af0dde3d33dcb58  dnscrypt-proxy-2.0.10.tar.gz
-219fbd61ef75d6ef2cf5ac71b1a7090fb8620136d6c97f67318eb8daf72fa68449c37a3e4a88638e49a0c6193c31d2e69bf1a42e78529375d546d1f210f98e4d  dnscrypt-proxy.initd
-44a2d792aa80a048ea6bdb4a79c1e436bcad3610a28a963ebed5c0e77a8b2a733c45311a66268fc4026d1c4c9b1f222813aeeea9c619832bbcb7c227542b65a8  dnscrypt-proxy.confd
-66dd43d84117a0151ae41f34d82b716760382a5a491424bf6418228ffd21f0dfbc88e34cc5074e11f97f006335d97b85367bb9ab1d96747a48e893c022ad52d0  dnscrypt-proxy.setup"
+e0a72d39d47dc24b889d08beedbd9fdf21615f42fbab79980debdfd2c3feaa83dc3f776351f7dd13533cc85905ce4e01812e4ff8a80a9ccc0b21e9db7d6cb232  dnscrypt-proxy.initd
+c001ae39da1b2db71764cab568f9ed18e4de0cea3d1a4e7bd6dd01a5668b81a888ea9eef99de6beac08857ad7f8eb1a32d730e946ac3563e4dcfa27147e35052  dnscrypt-proxy.confd
+66dd43d84117a0151ae41f34d82b716760382a5a491424bf6418228ffd21f0dfbc88e34cc5074e11f97f006335d97b85367bb9ab1d96747a48e893c022ad52d0  dnscrypt-proxy.setup
+5c5bb0b331c8394018ce82519c133b26b067e426325d9250f05f6281d472c1669deb0d237fbc8c9e1aca1c0311a1c9ece0583afed97bba676af96dd50997145d  config-full-paths.patch"
diff --git a/community/dnscrypt-proxy/config-full-paths.patch b/community/dnscrypt-proxy/config-full-paths.patch
new file mode 100644
index 0000000000..d1def7ffba
--- /dev/null
+++ b/community/dnscrypt-proxy/config-full-paths.patch
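Review bot: `setcap cap_net_bind_service=+ep "$pkgdir"/usr/bin/dnscrypt-proxy` in package() turns the capability into a file attribute fixed at build time, so it reaches the target system only if apk carries extended attributes through the package and the install; the `setcap` it replaces in the initd's start_pre (second hunk of dnscrypt-proxy.initd) re-applied it on every start and did not depend on that. Worth confirming with `getcap /usr/bin/dnscrypt-proxy` on an installed system, because without the capability the daemon, started as the unprivileged `command_user`, cannot bind port 53. On the positive side the new package() no longer chowns `"$pkgdir"/etc/"$pkgname"` to the service user, so the account running the proxy reads but cannot rewrite its own configuration; that intent deserves a comment such as `# config dir stays root-owned on purpose: the dnscrypt user must not be able to edit it`. Minor style: `for i in example-*;do` should read `for i in example-*; do`.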
@@ -0,0 +1,471 @@
+diff --git a/./dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
+new file mode 100644
+index 0000000..347ada5
+--- /dev/null
++++ b/dnscrypt-proxy/dnscrypt-proxy.toml
+@@ -0,0 +1,465 @@
++
++##############################################
++# #
++# dnscrypt-proxy configuration #
++# #
++##############################################
++
++## This is an example configuration file.
++## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
++##
++## Online documentation is available here: https://dnscrypt.info/doc
++
++
++
++##################################
++# Global settings #
++##################################
++
++## List of servers to use
++##
++## Servers from the "public-resolvers" source (see down below) can
++## be viewed here: https://dnscrypt.info/public-servers
++##
++## If this line is commented, all registered servers matching the require_* filters
++## will be used.
++##
++## The proxy will automatically pick the fastest, working servers from the list.
++## Remove the leading # first to enable this; lines starting with # are ignored.
++
++# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
++
++
++## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
++## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
++
++listen_addresses = ['127.0.0.1:53', '[::1]:53']
++
++
++## Maximum number of simultaneous client connections to accept
++
++max_clients = 250
++
++
++## Require servers (from static + remote sources) to satisfy specific properties
++
++# Use servers reachable over IPv4
++ipv4_servers = true
++
++# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
++ipv6_servers = false
++
++# Use servers implementing the DNSCrypt protocol
++dnscrypt_servers = true
++
++# Use servers implementing the DNS-over-HTTPS protocol
++doh_servers = true
++
++
++## Require servers defined by remote sources to satisfy specific properties
++
++# Server must support DNS security extensions (DNSSEC)
++require_dnssec = false
++
++# Server must not log user queries (declarative)
++require_nolog = true
++
++# Server must not enforce its own blacklist (for parental control, ads blocking...)
++require_nofilter = true
++
++
++
++## Always use TCP to connect to upstream servers
++
++force_tcp = false
++
++
++## How long a DNS query will wait for a response, in milliseconds
++
++timeout = 2500
++
++
++## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
++
++keepalive = 30
++
++
++## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
++
++# lb_strategy = 'p2'
++
++
++## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
++
++# log_level = 2
++
++
++## log file for the application
++
++# log_file = '/var/log/dnscrypt-proxy.log'
++
++
++## Use the system logger (syslog on Unix, Event Log on Windows)
++
++# use_syslog = true
++
++
++## Delay, in minutes, after which certificates are reloaded
++
++cert_refresh_delay = 240
++
++
++## DNSCrypt: Create a new, unique key for every single DNS query
++## This may improve privacy but can also have a significant impact on CPU usage
++## Only enable if you don't have a lot of network load
++
++# dnscrypt_ephemeral_keys = false
++
++
++## DoH: Disable TLS session tickets - increases privacy but also latency
++
++# tls_disable_session_tickets = false
++
++
++## DoH: Use a specific cipher suite instead of the server preference
++## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
++## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
++## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
++## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
++##
++## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
++## the following suite improves performance.
++## This may also help on Intel CPUs running 32-bit operating systems.
++##
++## Keep tls_cipher_suite empty if you have issues fetching sources or
++## connecting to some DoH servers. Google and Cloudflare are fine with it.
++
++# tls_cipher_suite = [52392, 49199]
++
++
++## Fallback resolver
++## This is a normal, non-encrypted DNS resolver, that will be only used
++## for one-shot queries when retrieving the initial resolvers list, and
++## only if the system DNS configuration doesn't work.
++## No user application queries will ever be leaked through this resolver,
++## and it will not be used after IP addresses of resolvers URLs have been found.
++## It will never be used if lists have already been cached, and if stamps
++## don't include host names without IP addresses.
++## It will not be used if the configured system DNS works.
++## A resolver supporting DNSSEC is recommended. This may become mandatory.
++##
++## People in China may need to use 114.114.114.114:53 here.
++## Other popular options include 8.8.8.8 and 1.1.1.1.
++
++fallback_resolver = '9.9.9.9:53'
++
++
++## Never try to use the system DNS settings; unconditionally use the
++## fallback resolver.
++
++ignore_system_dns = false
++
++
++## Automatic log files rotation
++
++# Maximum log files size in MB
++log_files_max_size = 10
++
++# How long to keep backup files, in days
++log_files_max_age = 7
++
++# Maximum log files backups to keep (or 0 to keep all backups)
++log_files_max_backups = 1
++
++
++
++#########################
++# Filters #
++#########################
++
++## Immediately respond to IPv6-related queries with an empty response
++## This makes things faster when there is no IPv6 connectivity, but can
++## also cause reliability issues with some stub resolvers. In
++## particular, enabling this on macOS is not recommended.
++
++block_ipv6 = false
++
++
++
++##################################################################################
++# Route queries for specific domains to a dedicated set of servers #
++##################################################################################
++
++## Example map entries (one entry per line):
++## example.com 9.9.9.9
++## example.net 9.9.9.9,8.8.8.8,1.1.1.1
++
++# forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
++
++
++
++###############################
++# Cloaking rules #
++###############################
++
++## Cloaking returns a predefined address for a specific name.
++## In addition to acting as a HOSTS file, it can also return the IP address
++## of a different name. It will also do CNAME flattening.
++##
++## Example map entries (one entry per line)
++## example.com 10.1.1.1
++## www.google.com forcesafesearch.google.com
++
++# cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'
++
++
++
++###########################
++# DNS cache #
++###########################
++
++## Enable a DNS cache to reduce latency and outgoing traffic
++
++cache = true
++
++
++## Cache size
++
++cache_size = 512
++
++
++## Minimum TTL for cached entries
++
++cache_min_ttl = 600
++
++
++## Maximum TTL for cached entries
++
++cache_max_ttl = 86400
++
++
++## TTL for negatively cached entries
++
++cache_neg_ttl = 60
++
++
++
++###############################
++# Query logging #
++###############################
++
++## Log client queries to a file
++
++[query_log]
++
++ ## Path to the query log file (absolute, or relative to the same directory as the executable file)
++
++ # file = '/var/log/query.log'
++
++
++ ## Query log format (currently supported: tsv and ltsv)
++
++ format = 'tsv'
++
++
++ ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
++
++ # ignored_qtypes = ['DNSKEY', 'NS']
++
++
++
++############################################
++# Suspicious queries logging #
++############################################
++
++## Log queries for nonexistent zones
++## These queries can reveal the presence of malware, broken/obsolete applications,
++## and devices signaling their presence to 3rd parties.
++
++[nx_log]
++
++ ## Path to the query log file (absolute, or relative to the same directory as the executable file)
++
++ # file = '/var/log/nx.log'
++
++
++ ## Query log format (currently supported: tsv and ltsv)
++
++ format = 'tsv'
++
++
++
++######################################################
++# Pattern-based blocking (blacklists) #
++######################################################
++
++## Blacklists are made of one pattern per line. Example of valid patterns:
++##
++## example.com
++## =example.com
++## *sex*
++## ads.*
++## ads*.example.*
++## ads*.example[0-9]*.com
++##
++## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
++## A script to build blacklists from public feeds can be found in the
++## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
++
++[blacklist]
++
++ ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
++
++ # blacklist_file = '/etc/dnscrypt-proxy/blacklist.txt'
++
++
++ ## Optional path to a file logging blocked queries
++
++ # log_file = '/var/log/blocked.log'
++
++
++ ## Optional log format: tsv or ltsv (default: tsv)
++
++ # log_format = 'tsv'
++
++
++
++###########################################################
++# Pattern-based IP blocking (IP blacklists) #
++###########################################################
++
++## IP blacklists are made of one pattern per line. Example of valid patterns:
++##
++## 127.*
++## fe80:abcd:*
++## 192.168.1.4
++
++[ip_blacklist]
++
++ ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
++
++ # blacklist_file = '/etc/dnscrypt-proxy/ip-blacklist.txt'
++
++
++ ## Optional path to a file logging blocked queries
++
++ # log_file = '/var/log/ip-blocked.log'
++
++
++ ## Optional log format: tsv or ltsv (default: tsv)
++
++ # log_format = 'tsv'
++
++
++
++######################################################
++# Pattern-based whitelisting (blacklists bypass) #
++######################################################
++
++## Whitelists support the same patterns as blacklists
++## If a name matches a whitelist entry, the corresponding session
++## will bypass names and IP filters.
++##
++## Time-based rules are also supported to make some websites only accessible at specific times of the day.
++
++[whitelist]
++
++ ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)
++
++ # whitelist_file = '/etc/dnscrypt-proxy/whitelist.txt'
++
++
++ ## Optional path to a file logging whitelisted queries
++
++ # log_file = '/var/log/whitelisted.log'
++
++
++ ## Optional log format: tsv or ltsv (default: tsv)
++
++ # log_format = 'tsv'
++
++
++
++##########################################
++# Time access restrictions #
++##########################################
++
++## One or more weekly schedules can be defined here.
++## Patterns in the name-based blocklist can optionally be followed with @schedule_name
++## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
++##
++## For example, the following rule in a blacklist file:
++## *.youtube.* @time-to-sleep
++## would block access to YouTube only during the days, and period of the days
++## define by the 'time-to-sleep' schedule.
++##
++## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
++## {after= '9:00', before='18:00'} matches 9:00-18:00
++
++[schedules]
++
++ # [schedules.'time-to-sleep']
++ # mon = [{after='21:00', before='7:00'}]
++ # tue = [{after='21:00', before='7:00'}]
++ # wed = [{after='21:00', before='7:00'}]
++ # thu = [{after='21:00', before='7:00'}]
++ # fri = [{after='23:00', before='7:00'}]
++ # sat = [{after='23:00', before='7:00'}]
++ # sun = [{after='21:00', before='7:00'}]
++
++ # [schedules.'work']
++ # mon = [{after='9:00', before='18:00'}]
++ # tue = [{after='9:00', before='18:00'}]
++ # wed = [{after='9:00', before='18:00'}]
++ # thu = [{after='9:00', before='18:00'}]
++ # fri = [{after='9:00', before='17:00'}]
++
++
++
++#########################
++# Servers #
++#########################
++
++## Remote lists of available servers
++## Multiple sources can be used simultaneously, but every source
++## requires a dedicated cache file.
++##
++## Refer to the documentation for URLs of public sources.
++##
++## A prefix can be prepended to server names in order to
++## avoid collisions if different sources share the same for
++## different servers. In that case, names listed in `server_names`
++## must include the prefixes.
++##
++## If the `urls` property is missing, cache files and valid signatures
++## must be already present; This doesn't prevent these cache files from
++## expiring after `refresh_delay` hours.
++
++[sources]
++
++ ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
++
++ [sources.'public-resolvers']
++ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
++ cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
++ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
++ refresh_delay = 72
++ prefix = ''
++
++ ## Another example source, with resolvers censoring some websites not appropriate for children
++ ## This is a subset of the `public-resolvers` list, so enabling both is useless
++
++ # [sources.'parental-control']
++ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
++ # cache_file = '/var/cache/dnscrypt-proxy/parental-control.md'
++ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
++
++
++
++## Optional, local, static list of additional servers
++## Mostly useful for testing your own servers.
++
++[static]
++
++ # [static.'google']
++ # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
diff --git a/community/dnscrypt-proxy/dnscrypt-proxy.confd b/community/dnscrypt-proxy/dnscrypt-proxy.confd
index 070ba95d9a..a1dc6a6904 100644
--- a/community/dnscrypt-proxy/dnscrypt-proxy.confd
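Review bot: The default log paths this patch introduces — `# log_file = '/var/log/dnscrypt-proxy.log'`, `# file = '/var/log/query.log'`, `# file = '/var/log/nx.log'` and the commented `log_file` entries under [blacklist], [ip_blacklist] and [whitelist] — all sit directly in /var/log, while the initd's start_pre only creates and chowns /var/log/dnscrypt-proxy for the service user. Since the daemon runs as the unprivileged `command_user` from the initd, an administrator who uncomments any of them will presumably get a proxy that cannot open its log file, which is the opposite of what a "full paths" patch is for. Suggest pointing them under the directory the package provisions, e.g. `# log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'` and `# file = '/var/log/dnscrypt-proxy/query.log'`, and the same prefix for nx.log, blocked.log, ip-blocked.log and whitelisted.log. The `cache_file` entries under [sources] already follow that pattern with /var/cache/dnscrypt-proxy, so only the log paths are out of step.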
+++ b/community/dnscrypt-proxy/dnscrypt-proxy.confd
@@ -1,4 +1,4 @@
-#DNSCRYPT_OPTS="--config /etc/dnscrypt-proxy/dnscrypt-proxy.toml"
+#DNSCRYPT_OPTS="-config /etc/dnscrypt-proxy/dnscrypt-proxy.toml"
 #DNSCRYPT_USER="dnscrypt"
 #DNSCRYPT_GROUP="dnscrypt"
diff --git a/community/dnscrypt-proxy/dnscrypt-proxy.initd b/community/dnscrypt-proxy/dnscrypt-proxy.initd
index bd6c1070a1..626b15737e 100644
--- a/community/dnscrypt-proxy/dnscrypt-proxy.initd
+++ b/community/dnscrypt-proxy/dnscrypt-proxy.initd
@@ -3,10 +3,10 @@
 # Distributed under the terms of the GNU General Public License v2
 command="/usr/bin/dnscrypt-proxy"
-command_args="${DNSCRYPT_OPTS:---config /etc/dnscrypt-proxy/dnscrypt-proxy.toml}"
+command_args="${DNSCRYPT_OPTS:--config /etc/dnscrypt-proxy/dnscrypt-proxy.toml}"
 command_user="${DNSCRYPT_USER:-dnscrypt}:${DNSCRYPT_GROUP:-dnscrypt}"
-pidfile="/run/${SVCNAME}.pid"
-start_stop_daemon_args="--background --make-pidfile"
+pidfile="/run/${RC_SVCNAME}.pid"
+command_background="yes"
 depend() {
 	use net logger
@@ -15,7 +15,6 @@ depend() {
 start_pre() {
 	checkpath -q -d -m 0775 -o "${command_user}" \
-		/var/cache/"${SVCNAME}" \
-		/var/log/"${SVCNAME}"
-	setcap cap_net_bind_service=+ep "${command}"
+		/var/cache/"${RC_SVCNAME}" \
+		/var/log/"${RC_SVCNAME}"
 }
|
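Review bot: With `command_background="yes"` replacing the explicit `--background --make-pidfile` and the `setcap` line dropped from start_pre, a start that fails because the installed binary lacks cap_net_bind_service (or because port 53 is already bound) leaves no trace as far as I can tell: start-stop-daemon detaches the process and its stderr is discarded unless the script sets `error_log`. Since start_pre already provisions `/var/log/${RC_SVCNAME}` for the service user, consider adding `error_log="/var/log/${RC_SVCNAME}/${RC_SVCNAME}.err"` next to `pidfile`, or note in the confd that enabling `use_syslog = true` in the toml is how to see startup errors. The `-m 0775` on checkpath predates this change; 0750 would be the tighter choice for a cache directory only the service user needs to write, but that is a separate cleanup.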