network/nss-tls: Added (dns over https).

Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>

network/nss-tls/README

@@ -0,0 +1,23 @@
+nss-tls (DNS-over-HTTPS resolver)
+
+nss-tls is an alternative, encrypted name resolving library for Linux
+distributions with glibc which uses DNS-over-HTTPS. The glibc name
+resolver can be configured through nsswitch.conf(5) to use nss-tls
+instead of the DNS resolver, or fall back to DNS when nss-tls fails.
+
+This way, all applications that use the standard resolver API
+(getaddrinfo(), gethostbyname(), etc'), are transparently
+migrated from DNS to encrypted means of name resolving, with
+zero application-side changes and minimal resource consumption
+footprint. However, nss-tls does not deal with applications that use
+their own, built-in DNS resolver.
+
+See README_SBo.txt for instructions on setting things up, once the
+package is installed. It won't "just work", you really do have to
+configure it.
+
+The default servers in the config file are provided by Google, Quad9,
+and Cloudflare. If you'd like to change these, there is a list of
+public DoH servers here:
+
+https://zenodo.org/records/4923371

network/nss-tls/README_SBo.txt

@@ -0,0 +1,64 @@
+Slackware-specific nss-tls HOWTO
+--------------------------------
+
+1. Make sure /etc/nss-tls.conf has at least one DNS-over-HTTPS server URL
+   listed. The default config file has 3, so you shouldn't need to
+   change it unless you don't trust the default servers (one of which
+   belongs to Google). Although it's possible to use hostnames in the
+   config file, I highly recommend using IP addresses.
+
+2. Add this code to your /etc/rc.d/rc.local:
+
+   [ -x /etc/rc.d/rc.nss-tlsd ] && /etc/rc.d/rc.nss-tlsd start
+
+3. Make sure /etc/rc.d/rc.nss-tlsd is executable (it is, by default).
+
+4. Manually start the daemon with the command: /etc/rc.d/rc.nss-tlsd start
+   Or, you could reboot instead.
+
+   At this point, you should be able to use the tlslookup(1) tool to
+   do some test lookups. Try "tlslookup www.slackware.com". You should
+   get output similar to:
+
+   $ tlslookup www.slackware.com
+   23.218.93.137
+   23.218.93.171
+   2600:1402:9800:d::b833:2ac7
+   2600:1402:9800:d::b833:2acd
+
+5. Edit /etc/nsswitch.conf and find the line that reads "hosts: files dns".
+   Replace the "dns" with "tls", so the line looks like:
+
+   hosts: files tls
+
+   Now, try "ping www.slackware.com". If this works, you should be
+   able to use normal clients (web browsers, mail, etc). nss-tls
+   transparently replaces the DNS resolver... but not everything
+   will work. In particular, git, curl, and alpine (the mail client)
+   are known not to work in this configuration. To support these
+   applications, see the next step.
+
+6. To keep regular DNS as a fallback option, change the line in
+   /etc/nss-tls.conf again, so it looks like:
+
+   hosts: files tls dns
+
+   This allows applications that don't work with nss-tls to use regular
+   DNS instead. Notably, git won't work without fallback DNS.
+
+7. Optional: users can run their own instances of the daemon, with
+   caching support. Run the command /usr/bin/nss-tlsd-user from
+   your startup scripts (~/.bash_profile for console logins, or
+   whatever your desktop environment uses if you use GUI login).
+
+   This isn't really required, though it can provide some extra
+   security on multi-user systems. If you're the only person who uses
+   your Slackware box, you probably don't need this.
+
+Running a server
+----------------
+
+nss-tls is just the client side of DNS-over-HTTPS. If you want to run
+a server, look into unbound (on SBo). In future Slackware versions,
+you may be able to use Slackware's bind for this (the version in 15.0
+doesn't support it, but the one in -current should).

network/nss-tls/doinst.sh

@@ -0,0 +1,12 @@
+config() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+    rm $NEW
+  fi
+}
+
+config etc/nss-tls.conf.new
+config etc/default/nss-tls.new

network/nss-tls/nss-tls.SlackBuild

@@ -0,0 +1,120 @@
+#!/bin/bash
+
+# Slackware build script for nss-tls
+
+# Written by B. Watson (urchlay@slackware.uk)
+
+# Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details.
+
+# Notes:
+
+# Building with --buildtype=debug makes the daemon write HTTP request
+# and response headers to its stdout. This isn't very useful, so this
+# script doesn't support it.
+
+# It would be nice if the daemon would log to syslog, or had some
+# runtime-configurable verbose/debug options.
+
+# I wish git would work with this. If it would, it'd be possible
+# to use 'hosts: files tls' in nsswitch.conf (curl and alpine still
+# wouldn't work, but there are decent workarounds for those).
+
+# By default, when the daemon runs as root, it switches UID/GID to
+# daemon/daemon. This seems fine to me. It would be possible to
+# reserve a UID/GID and build with -Duser=<blah> -Dgroup=<blah>, if
+# there were any real need for it.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PRGNAM=nss-tls
+VERSION=${VERSION:-1.1}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+PKGTYPE=${PKGTYPE:-tgz}
+
+if [ -z "$ARCH" ]; then
+  case "$( uname -m )" in
+    i?86) ARCH=i586 ;;
+    arm*) ARCH=arm ;;
+       *) ARCH=$( uname -m ) ;;
+  esac
+fi
+
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+  echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
+  exit 0
+fi
+
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i586" ]; then
+  SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+  SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+  SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
+else
+  SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find -L .  -perm /111 -a \! -perm 755 -a -exec chmod 755 {} + -o \
+        \! -perm /111 -a \! -perm 644 -a -exec chmod 644 {} +
+
+# This patch makes the client and server agree on the per-user socket path.
+patch -p1 < $CWD/per_user_dir.diff
+
+mkdir build
+cd build
+  CFLAGS="$SLKCFLAGS" \
+  CXXFLAGS="$SLKCFLAGS" \
+  meson .. \
+    --buildtype=release \
+    --infodir=/usr/info \
+    --libdir=/usr/lib${LIBDIRSUFFIX} \
+    --localstatedir=/var \
+    --mandir=/usr/man \
+    --prefix=/usr \
+    --sysconfdir=/etc \
+    -Dstrip=true
+  "${NINJA:=ninja}"
+  DESTDIR=$PKG $NINJA install
+cd ..
+
+gzip -9 $PKG/usr/man/man*/*
+rm -f $PKG/etc/nss-tls.conf
+cat $CWD/nss-tls.conf > $PKG/etc/nss-tls.conf.new
+
+install -D -m0755 -oroot -groot $CWD/nss-tlsd-user.sh $PKG/usr/bin/nss-tlsd-user
+
+mkdir -p $PKG/etc/rc.d $PKG/etc/default
+cat $CWD/rc.nss-tlsd > $PKG/etc/rc.d/rc.nss-tlsd
+cat $CWD/nss-tlsd.default > $PKG/etc/default/nss-tlsd.new
+chmod 755 $PKG/etc/rc.d/rc.nss-tlsd
+
+PKGDOC=$PKG/usr/doc/$PRGNAM-$VERSION
+mkdir -p $PKGDOC
+cp -a AUTHORS COPYING README* $PKGDOC
+cat $CWD/README_SBo.txt > $PKGDOC/README_SBo.txt
+cat $CWD/$PRGNAM.SlackBuild > $PKGDOC/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE

network/nss-tls/nss-tls.conf

@@ -0,0 +1,27 @@
+# nss-tls.conf - config for nss-tlsd daemon, part of nss-tls SBo package.
+
+# The only setting here is 'resolvers=', which must be a comma-separated
+# list of one or more DNS-over-HTTPS server URLs. Although it's possible
+# to use hostnames, it's better to use IP addresses in the URLs.
+
+# There's a list of public DoH servers found by port-scanning, here:
+# https://zenodo.org/records/4923371
+
+# Or, you could run your own (with unbound).
+
+# Do not remove this line:
+[global]
+
+# Google, DNS9, Cloudflare. These are the default servers from Debian's
+# nss-tls package.
+resolvers=https://9.9.9.9/dns-query,https://1.1.1.1/dns-query,https://8.8.8.8/dns-query
+
+# AdGuards's default (ad/tracker blocking, but no content filtering) servers.
+# These can be IPv6, too. See https://adguard-dns.io/en/public-dns.html
+# resolvers=https://94.140.14.14/dns-query,https://94.140.15.15/dns-query
+
+# AdGuards's non-filtering servers
+# resolvers=https://94.140.14.140/dns-query,https://94.140.15.141/dns-query
+
+# AdGuards's "family protection" content-filtering server
+# resolvers=https://94.140.14.15/dns-query,https://94.140.15.16/dns-query

network/nss-tls/nss-tls.info

@@ -0,0 +1,10 @@
+PRGNAM="nss-tls"
+VERSION="1.1"
+HOMEPAGE="https://github.com/dimkr/nss-tls/"
+DOWNLOAD="https://github.com/dimkr/nss-tls/archive/1.1/nss-tls-1.1.tar.gz"
+MD5SUM="a9e8c63856bf63ad2d1bedf46a01a48d"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES=""
+MAINTAINER="B. Watson"
+EMAIL="urchlay@slackware.uk"

network/nss-tls/nss-tlsd-user.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Launch a per-user nss-tlsd process, with caching.
+# Part of the SBo nss-tls build, by B. Watson, WTFPL licensed.
+# Other distributions use systemd to launch this when a user logs
+# in, we have to have users launch it from e.g. .bash_profile. This
+# wrapper script simplifies the setup.
+
+# Note that launching the user daemon isn't required, but since the
+# system daemon doesn't do caching for security reasons, the user
+# daemon might help performance a bit.
+
+# Using setsid --fork here prevents this script from hanging around
+# waiting for nss-tlsd to exit.
+
+if [ -x /usr/sbin/nss-tlsd ]; then
+  [ -e ~/.cache/nss-tlsd.sock ] || setsid --fork /usr/sbin/nss-tlsd -c &>/dev/null &
+fi
+
+exit 0

network/nss-tls/nss-tlsd.default

@@ -0,0 +1,8 @@
+# Default options for the nss-tlsd daemon:
+#
+# Supported options:
+# -c: cache results. This is really intended for per-user daemons.
+# -r: use a random server, when multiple servers are configured.
+# By default, all the above are disabled.
+
+NSS_TLSD_OPTS=""

network/nss-tls/per_user_dir.diff

@@ -0,0 +1,23 @@
+diff -Naur nss-tls-1.1/nss-tls.c nss-tls-1.1.patched/nss-tls.c
+--- nss-tls-1.1/nss-tls.c	2020-07-16 19:09:59.000000000 -0400
++++ nss-tls-1.1.patched/nss-tls.c	2024-01-17 15:57:03.989437314 -0500
+@@ -68,7 +68,7 @@
+     if (geteuid() == 0)
+         strcpy(sun.sun_path, NSS_TLS_SOCKET_PATH);
+     else {
+-        dir = getenv("XDG_RUNTIME_DIR");
++        dir = getenv("HOME");
+         if (dir) {
+             len = strlen(dir);
+             if (len > sizeof(sun.sun_path) - sizeof("/"NSS_TLS_SOCKET_NAME))
+@@ -77,6 +77,10 @@
+             memcpy(sun.sun_path, dir, len);
+             sun.sun_path[len] = '/';
+             ++len;
++            memcpy(sun.sun_path + len, ".cache", 6);
++				len += 6;
++            sun.sun_path[len] = '/';
++            ++len;
+             strncpy(sun.sun_path + len,
+                     NSS_TLS_SOCKET_NAME,
+                     sizeof(sun.sun_path) - len);

network/nss-tls/rc.nss-tlsd

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# rc.nss-tlsd - by B. Watson (urchlay@slackware.uk). Part of the
+# SlackBuilds.org nss-tlsd package. WTFPL licensed.
+
+DAEMON=/usr/sbin/nss-tlsd
+PIDFILE=/run/nss-tlsd.pid
+
+[ -f /etc/default/nss-tlsd ] && . /etc/default/nss-tlsd
+
+# we try to make sure not only that the PID file exists, but that the
+# PID is actually that of a running nss-tlsd process. the 'cut' stuff
+# is in case the package was upgraded, which results in /proc/<pid>/exe
+# pointing to "/usr/sbin/nss-tlsd (deleted)".
+daemon_is_running() {
+  [ -e "$PIDFILE" ] || return 1
+  [ "$( readlink /proc/$( cat $PIDFILE )/exe 2>/dev/null | cut -d' ' -f1 )" = "$DAEMON" ] || return 1
+  return 0
+}
+
+start_daemon() {
+  if daemon_is_running; then
+    echo "$DAEMON is already running, PID $( cat $PIDFILE )"
+  else
+    echo "Starting $DAEMON"
+    nohup $DAEMON $NSS_TLSD_OPTS >/dev/null 2>&1 &
+    echo "${!}" > $PIDFILE
+  fi
+}
+
+stop_daemon() {
+  if daemon_is_running; then
+    echo "Stopping $DAEMON"
+    kill "$( cat $PIDFILE )"
+    sleep 1
+    kill -9 "$( cat $PIDFILE )" >/dev/null 2>&1
+	 rm -f $PIDFILE
+  else
+    echo "$DAEMON not running"
+  fi
+}
+
+# most rc scripts don't need this: daemons will fail to start as non-root.
+# this one is designed to work either way.
+if [ "$(id -u)" != "0" ]; then
+  echo "$0: must run as root."
+  exit 1
+fi
+
+case "$1" in
+  start|"") start_daemon ;;
+  stop) stop_daemon ;;
+  restart) stop_daemon; sleep 1; start_daemon ;;
+  *) echo "Usage: $0 start|stop|restart" ;;
+esac

network/nss-tls/slack-desc

@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct.  It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+       |-----handy-ruler------------------------------------------------------|
+nss-tls: nss-tls (DNS-over-HTTPS resolver)
+nss-tls:
+nss-tls: nss-tls is an alternative, encrypted name resolving library for Linux
+nss-tls: distributions with glibc which uses DNS-over-HTTPS. The glibc name
+nss-tls: resolver can be configured through nsswitch.conf(5) to use nss-tls
+nss-tls: instead of the DNS resolver, or fall back to DNS when nss-tls fails.
+nss-tls:
+nss-tls:
+nss-tls:
+nss-tls:
+nss-tls: