initial import

dnscrypt-proxy/PKGBUILD

@@ -0,0 +1,138 @@
+# Maintainer: Jesus E. <heckyel@riseup.net>
+
+
+_xsecretboxver=1.0.2
+_crypto_commit=eec23a3978adcfd26c29f4153eaa3e3d9b2cc53a
+_servicever=1.0.0
+
+pkgname=dnscrypt-proxy
+pkgver=2.0.44
+pkgrel=3
+pkgdesc="A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTP"
+arch=('i686' 'x86_64')
+url="https://dnscrypt.info"
+license=('ISC')
+depends=('glibc')
+optdepends=('python-urllib3: for generate-domains-blacklist')
+makedepends=('gcc-go')
+install="${pkgname}.install"
+backup=("etc/${pkgname}/${pkgname}.toml"
+        "etc/${pkgname}/blacklist.txt"
+        "etc/${pkgname}/cloaking-rules.txt"
+        "etc/${pkgname}/forwarding-rules.txt"
+        "etc/${pkgname}/ip-blacklist.txt"
+        "etc/${pkgname}/whitelist.txt")
+source=("${pkgname}-${pkgver}.tar.gz::https://github.com/dnscrypt/${pkgname}/archive/${pkgver}.tar.gz"
+        "xsecretbox-${_xsecretboxver}.tar.gz::https://github.com/jedisct1/xsecretbox/archive/refs/tags/${_xsecretboxver}.tar.gz"
+        "crypto-${_crypto_commit}.tar.gz::https://github.com/golang/crypto/archive/${_crypto_commit}.tar.gz"
+        "service-${_servicever}.tar.gz::https://github.com/kardianos/service/archive/refs/tags/v${_servicever}.tar.gz"
+        'dnscrypt-proxy.confd'
+        'dnscrypt-proxy.initd'
+        'config-privacy.patch'
+        'remove-go-systemd-support.patch'
+        'fix-textflag.h.patch'
+        'dnscrypt-proxy.run')
+sha512sums=('009e2b669c1d6f6cd6b41f5e04d08735587f420dacdea8d422a3c12a62614c1ce1963deebca3af1f956070abd9ff5df9182cb27e31fa0fac8a95478739445801'
+            '90a3f0fc6719e91bcc8aaa2edb484659584a76b83292f91740bb01459e9327b1814f60e8bd415e07ece4efa2b9e03eda6b9052598e6628f00ff9c8ab82e5fd8a'
+            '225d2a1c05854c57ee1aac5a9faeb38c79b7878343c7e500c2d23e83a5d2b30f0871ca77fe0b2fcee795045e18e56fb4f2e851a1d81f9d5941a73f45f9afa20e'
+            '4884ab4c69d140d12e2c49ab21dba74647fb8ee8b11a7294b8ec1806768a2fc2976012e8f00bb5be235b009883cb72ec89ea036e18226827a3985ca18a8d91da'
+            '486ccc01e988cc082d1e0f943361ee96c71a8cf2f4b93e4f74e3885701c34b1fcba0ae522fce28d1102ec5818d39f0e6d092229d4793c402cbcde1ee06e30cf2'
+            'b29918d9909bf8d409c108ca70830a7bfd1f7b03c5d0fa5340a779a8ae552b2a09faf16252371b015f7e50c8bc8535614fbed68503bc53b07b79ce100d506b1a'
+            'e395df8ee71ebcc1eeccb653c0410bf0f4ce9d3c8c25681f727ba68f210b7ead7efd216635a0b925268ae667cc744b348eea6835927fa74bc377ab0e8f7a9d28'
+            'b67cfca61d38eb6458a5c4bcea42ec4abe25cc5c5fde8bfee8fc34c5d8585a1553184e84f20bfef0812593a3a0497f7b2eca338b079d2a59ba08ed741aefe13d'
+            '4aa24244196a0c67216a10c1696910978a5dbeb1d4218dd8c4fe7d84e5ccd32dda109267ee2129cda3749be41110667f19f1b6626ffac67355f08e61f2a2e52f'
+            '5fc2e1433193a3c7aef80275716fac626dcad491caebd3b8f950f7e361c39d0caf099317610208b95fc636e6965d91c74be2599b20aac98d59ed6cbe9f9879ce')
+
+export GOOS=linux
+case "$CARCH" in
+  x86_64) export GOARCH=amd64 ;;
+  i686) export GOARCH=386 GO386=387 ;;
+esac
+
+# create a fake go path directory and pushd into it
+# $1 real directory
+# $2 gopath directory
+_fake_gopath_pushd() {
+  install -d -m755 "/build/go/src/${2%/*}"
+  rm -rf "/build/go/src/$2" || true
+  ln -rsT "$1" "/build/go/src/$2"
+  pushd "/build/go/src/$2" >/dev/null
+}
+
+_fake_gopath_popd() {
+  popd >/dev/null
+}
+
+prepare() {
+  cd "$pkgname-$pkgver"
+  # remove support for unsafe and dangerous for privacy protocols
+  patch -Np1 -i $srcdir/config-privacy.patch
+  # fix textflag.h in i686
+  patch -Np1 -i $srcdir/fix-textflag.h.patch
+
+  # remove systemD
+  rm -v dnscrypt-proxy/systemd_linux.go || true
+  rm -v dnscrypt-proxy/service_linux.go || true
+  patch -Np1 -i $srcdir/remove-go-systemd-support.patch
+
+  # use crypto eec23a3978adcfd26c29f4153eaa3e3d9b2cc53a
+  rm -rf vendor/golang.org/x/crypto || true
+  mv -T $srcdir/crypto-${_crypto_commit} vendor/golang.org/x/crypto
+
+  # use xsecretbox 1.0.2
+  rm -rv vendor/github.com/jedisct1/xsecretbox || true
+  mv -T $srcdir/xsecretbox-${_xsecretboxver} vendor/github.com/jedisct1/xsecretbox
+
+  # use service 1.0.0
+  rm -rf vendor/github.com/kardianos/service || true
+  mv -T $srcdir/service-${_servicever} vendor/github.com/kardianos/service
+
+  # copy go packages from vendor
+  msg2 "Building golang.org"
+  _fake_gopath_pushd "$srcdir/$pkgname-$pkgver/vendor/golang.org" golang.org
+  _fake_gopath_popd
+
+  msg2 "Building github.com"
+  _fake_gopath_pushd "$srcdir/$pkgname-$pkgver/vendor/github.com" github.com
+  _fake_gopath_popd
+
+  msg2 "Building gopkg.in"
+  _fake_gopath_pushd "$srcdir/$pkgname-$pkgver/vendor/gopkg.in" gopkg.in
+  _fake_gopath_popd
+}
+
+build() {
+  cd $pkgname-$pkgver/$pkgname
+  export CGO_CPPFLAGS="${CPPFLAGS}"
+  export CGO_CFLAGS="${CFLAGS}"
+  export CGO_CXXFLAGS="${CXXFLAGS}"
+  export CGO_LDFLAGS="${LDFLAGS}"
+  export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
+
+  go build
+}
+
+package() {
+  local _config
+  cd $pkgname-$pkgver
+  # executable
+  install -vDm 755 "${pkgname}/${pkgname}" "${pkgdir}/usr/sbin/${pkgname}"
+  # config files
+  install -vDm 644 "${pkgname}/example-${pkgname}.toml" "${pkgdir}/etc/${pkgname}/${pkgname}.toml"
+  for _config in {{blacklist,ip-blacklist},{cloaking,forwarding}-rules,whitelist}.txt; do
+    install -vDm 644 "${pkgname}/example-${_config}" "${pkgdir}/etc/${pkgname}/${_config}"
+  done
+  # utils
+  install -vDm 644 utils/generate-domains-blacklists/*.{conf,txt} \
+          -t "${pkgdir}/usr/share/${pkgname}/utils/generate-domains-blacklists"
+  install -vDm 755 utils/generate-domains-blacklists/generate-domains-blacklist.py \
+          "${pkgdir}/usr/bin/generate-domains-blacklist"
+  # OpenRC and runit
+  install -Dm644 "$srcdir"/dnscrypt-proxy.confd "$pkgdir"/etc/conf.d/dnscrypt-proxy
+  install -Dm755 "$srcdir"/dnscrypt-proxy.initd "$pkgdir"/etc/init.d/dnscrypt-proxy
+  install -Dm755 "$srcdir/${pkgname}.run" "${pkgdir}/etc/sv/${pkgname}/run"
+  # license
+  install -vDm 644 LICENSE "$pkgdir/usr/share/licenses/${pkgname}/LICENSE"
+  # docs
+  install -vDm 644 {ChangeLog,README.md} -t "${pkgdir}/usr/share/doc/${pkgname}"
+}

dnscrypt-proxy/config-privacy.patch

@@ -0,0 +1,250 @@
+diff --git a/dnscrypt-proxy/example-blacklist.txt b/dnscrypt-proxy/example-blacklist.txt
+index a63e1e89..94031b83 100644
+--- a/dnscrypt-proxy/example-blacklist.txt
++++ b/dnscrypt-proxy/example-blacklist.txt
+@@ -34,5 +34,5 @@ eth0.me
+ 
+ ## Time-based rules
+ 
+-# *.youtube.*  @time-to-sleep
+-# facebook.com @work
++# invidious.namazso.eu @time-to-sleep
++# *.hyperbola.info @work
+diff --git a/dnscrypt-proxy/example-cloaking-rules.txt b/dnscrypt-proxy/example-cloaking-rules.txt
+index 7f98c2e3..8f85eeb4 100644
+--- a/dnscrypt-proxy/example-cloaking-rules.txt
++++ b/dnscrypt-proxy/example-cloaking-rules.txt
+@@ -2,27 +2,9 @@
+ #        Cloaking rules        #
+ ################################
+ 
+-# The following example rules force "safe" (without adult content) search
+-# results from Google, Bing and YouTube.
+-#
+ # This has to be enabled with the `cloaking_rules` parameter in the main
+ # configuration file
+ 
+-
+-www.google.*             forcesafesearch.google.com
+-
+-www.bing.com             strict.bing.com
+-
+-yandex.ru                familysearch.yandex.ru       # inline comments are allowed after a pound sign
+-
+-=duckduckgo.com          safe.duckduckgo.com
+-
+-www.youtube.com          restrictmoderate.youtube.com
+-m.youtube.com            restrictmoderate.youtube.com
+-youtubei.googleapis.com  restrictmoderate.youtube.com
+-youtube.googleapis.com   restrictmoderate.youtube.com
+-www.youtube-nocookie.com restrictmoderate.youtube.com
+-
+ # Multiple IP entries for the same name are supported.
+ # In the following example, the same name maps both to IPv4 and IPv6 addresses:
+ 
+diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml
+index ec40441c..cadadc97 100644
+--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
++++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
+@@ -29,7 +29,7 @@
+ ##
+ ## Remove the leading # first to enable this; lines starting with # are ignored.
+ 
+-# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
++# server_names = ['cs-ch', 'd0wn-is-ns2', 'ibksturm', 'securedns']
+ 
+ 
+ ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
+@@ -146,7 +146,7 @@ keepalive = 30
+ ## This file is different from other log files, and will not be
+ ## automatically rotated by the application.
+ 
+-# log_file = 'dnscrypt-proxy.log'
++# log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
+ 
+ 
+ ## When using a log file, only keep logs from the most recent launch.
+@@ -156,7 +156,7 @@ keepalive = 30
+ 
+ ## Use the system logger (syslog on Unix, Event Log on Windows)
+ 
+-# use_syslog = true
++use_syslog = true
+ 
+ 
+ ## Delay, in minutes, after which certificates are reloaded
+@@ -189,7 +189,7 @@ cert_refresh_delay = 240
+ ## This may also help on Intel CPUs running 32-bit operating systems.
+ ##
+ ## Keep tls_cipher_suite empty if you have issues fetching sources or
+-## connecting to some DoH servers. Google and Cloudflare are fine with it.
++## connecting to some DoH servers.
+ 
+ # tls_cipher_suite = [52392, 49199]
+ 
+@@ -206,11 +206,10 @@ cert_refresh_delay = 240
+ ## Resolvers supporting DNSSEC are recommended.
+ ##
+ ## People in China may need to use 114.114.114.114:53 here.
+-## Other popular options include 8.8.8.8 and 1.1.1.1.
+ ##
+ ## If more than one resolver is specified, they will be tried in sequence.
+ 
+-fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
++fallback_resolvers = ['84.200.69.80:53', '212.129.46.32:53', '66.70.228.164:53', '172.104.136.243:53', '112.109.84.76:53']
+ 
+ 
+ ## Always use the fallback resolver before the system DNS settings.
+@@ -236,7 +235,7 @@ netprobe_timeout = 60
+ ## On other operating systems, the connection will be initialized
+ ## but nothing will be sent at all.
+ 
+-netprobe_address = '9.9.9.9:53'
++# netprobe_address = '84.200.69.80:53'
+ 
+ 
+ ## Offline mode - Do not use any remote encrypted servers.
+@@ -310,7 +309,7 @@ reject_ttl = 600
+ 
+ ## See the `example-forwarding-rules.txt` file for an example
+ 
+-# forwarding_rules = 'forwarding-rules.txt'
++# forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
+ 
+ 
+ 
+@@ -324,7 +323,7 @@ reject_ttl = 600
+ ##
+ ## See the `example-cloaking-rules.txt` file for an example
+ 
+-# cloaking_rules = 'cloaking-rules.txt'
++# cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'
+ 
+ ## TTL used when serving entries in cloaking-rules.txt
+ 
+@@ -408,7 +407,7 @@ cache_neg_max_ttl = 600
+   ## Path to the query log file (absolute, or relative to the same directory as the config file)
+   ## On non-Windows systems, can be /dev/stdout to log to the standard output (also set log_files_max_size to 0)
+ 
+-  # file = 'query.log'
++  # file = '/var/log/dnscrypt-proxy/query.log'
+ 
+ 
+   ## Query log format (currently supported: tsv and ltsv)
+@@ -434,7 +433,7 @@ cache_neg_max_ttl = 600
+ 
+   ## Path to the query log file (absolute, or relative to the same directory as the config file)
+ 
+-  # file = 'nx.log'
++  # file = '/var/log/dnscrypt-proxy/nx.log'
+ 
+ 
+   ## Query log format (currently supported: tsv and ltsv)
+@@ -469,7 +468,7 @@ cache_neg_max_ttl = 600
+ 
+   ## Optional path to a file logging blocked queries
+ 
+-  # log_file = 'blocked.log'
++  # log_file = '/var/log/dnscrypt-proxy/blocked.log'
+ 
+ 
+   ## Optional log format: tsv or ltsv (default: tsv)
+@@ -497,7 +496,7 @@ cache_neg_max_ttl = 600
+ 
+   ## Optional path to a file logging blocked queries
+ 
+-  # log_file = 'ip-blocked.log'
++  # log_file = '/var/log/dnscrypt-proxy/ip-blocked.log'
+ 
+ 
+   ## Optional log format: tsv or ltsv (default: tsv)
+@@ -525,7 +524,7 @@ cache_neg_max_ttl = 600
+ 
+   ## Optional path to a file logging whitelisted queries
+ 
+-  # log_file = 'whitelisted.log'
++  # log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
+ 
+ 
+   ## Optional log format: tsv or ltsv (default: tsv)
+@@ -543,8 +542,8 @@ cache_neg_max_ttl = 600
+ ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
+ ##
+ ## For example, the following rule in a blacklist file:
+-## *.youtube.* @time-to-sleep
+-## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
++## invidious.namazso.eu @time-to-sleep
++## would block access to Invidious instance only during the times defined by the 'time-to-sleep' schedule.
+ ##
+ ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
+ ## {after= '9:00', before='18:00'} matches 9:00-18:00
+@@ -590,40 +589,15 @@ cache_neg_max_ttl = 600
+ 
+ [sources]
+ 
+-  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
++  ## This list is maintained by Jesús E. < heckyel [at] hyperbola [dot] info >
+ 
+-  [sources.'public-resolvers']
+-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
+-  cache_file = 'public-resolvers.md'
+-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+-  prefix = ''
+-
+-  ## Anonymized DNS relays
+-
+-  [sources.'relays']
+-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
+-  cache_file = 'relays.md'
+-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
++  [sources.'extra-resolvers']
++  urls = ['https://git.sr.ht/~heckyel/resolvers-list/blob/master/extra-resolvers.md']
++  cache_file = '/var/cache/dnscrypt-proxy/extra-resolvers.md'
++  minisign_key = 'RWQIrgNLO4JgxhKU+K5L+z8Y0YTDZv68NZQ5hOAoBT1/admHrfLt9Eyl'
+   refresh_delay = 72
+   prefix = ''
+ 
+-  ## Quad9 over DNSCrypt - https://quad9.net/
+-
+-  # [sources.quad9-resolvers]
+-  # urls = ['https://www.quad9.net/quad9-resolvers.md']
+-  # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
+-  # cache_file = 'quad9-resolvers.md'
+-  # prefix = 'quad9-'
+-
+-  ## Another example source, with resolvers censoring some websites not appropriate for children
+-  ## This is a subset of the `public-resolvers` list, so enabling both is useless
+-
+-  #  [sources.'parental-control']
+-  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
+-  #  cache_file = 'parental-control.md'
+-  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+-
+-
+ 
+ #########################################
+ #        Servers with known bugs        #
+diff --git a/dnscrypt-proxy/example-forwarding-rules.txt b/dnscrypt-proxy/example-forwarding-rules.txt
+index 97a4859e..bf274292 100644
+--- a/dnscrypt-proxy/example-forwarding-rules.txt
++++ b/dnscrypt-proxy/example-forwarding-rules.txt
+@@ -20,5 +20,5 @@
+ # internal        192.168.1.1
+ # localdomain     192.168.1.1
+ 
+-## Forward queries for example.com and *.example.com to 9.9.9.9 and 8.8.8.8
+-# example.com     9.9.9.9,8.8.8.8
++## Forward queries for example.com and *.example.com to 127.0.0.1 and 0.0.0.0
++# example.com     127.0.0.1,0.0.0.0
+diff --git a/dnscrypt-proxy/example-whitelist.txt b/dnscrypt-proxy/example-whitelist.txt
+index 66190784..ca3dc0ca 100644
+--- a/dnscrypt-proxy/example-whitelist.txt
++++ b/dnscrypt-proxy/example-whitelist.txt
+@@ -21,5 +21,5 @@ tracker.debian.org
+ 
+ ## Time-based rules
+ 
+-# *.youtube.*  @time-to-play
+-# facebook.com @play
++# invidious.namazso.eu  @time-to-play
++# *.hyperbola.info @play

dnscrypt-proxy/dnscrypt-proxy.confd

@@ -0,0 +1,3 @@
+#DNSCRYPT_PROXY_OPTS="-config /etc/dnscrypt-proxy/dnscrypt-proxy.toml"
+#DNSCRYPT_PROXY_USER="dnscrypt"
+#DNSCRYPT_PROXY_GROUP="dnscrypt"

dnscrypt-proxy/dnscrypt-proxy.initd

@@ -0,0 +1,25 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Foundation
+# Copyright 2017-2019 Hyperbola Project
+# Distributed under the terms of the GNU General Public License v2
+
+command="/usr/sbin/dnscrypt-proxy"
+command_args="${DNSCRYPT_PROXY_OPTS:--config /etc/dnscrypt-proxy/dnscrypt-proxy.toml}"
+command_background="yes"
+command_user="${DNSCRYPT_PROXY_USER:-dnscrypt}:${DNSCRYPT_PROXY_GROUP:-dnscrypt}"
+pidfile="/run/dnscrypt-proxy.pid"
+
+depend() {
+	use net logger
+	provide dns
+}
+
+start_pre() {
+	# Allow binding to 127.0.0.1:53 as non-root user
+	if [ $(uname -s) = "Linux" ]; then
+		/sbin/setcap 'cap_net_bind_service=+ep' /usr/sbin/dnscrypt-proxy
+	fi
+
+	checkpath -q -d -m 0755 -o "${command_user}" /var/cache/dnscrypt-proxy
+	checkpath -q -d -m 0755 -o "${command_user}" /var/log/dnscrypt-proxy
+}

dnscrypt-proxy/dnscrypt-proxy.install

@@ -0,0 +1,34 @@
+post_install() {
+	if ! getent group dnscrypt &>/dev/null; then
+		groupadd -r dnscrypt >/dev/null
+	fi
+	if ! getent passwd dnscrypt &>/dev/null; then
+		useradd -r -g dnscrypt -G adm -d /dev/null -s /bin/nologin dnscrypt >/dev/null
+	fi
+	if ! groups dnscrypt | grep adm &>/dev/null; then
+		gpasswd -a dnscrypt adm >/dev/null
+	fi
+	dnscrypt_shell=$(getent passwd dnscrypt | cut -d: -f7)
+	if [ "$dnscrypt_shell" != '/bin/nologin' ]; then
+		chsh -s /bin/nologin dnscrypt &>/dev/null
+	fi
+	echo '>>> DNSCrypt, add next line inside of /etc/dhcpcd.conf'
+	echo '>>> static domain_name_servers=127.0.0.1::1'
+}
+
+post_upgrade() {
+	post_install
+	if (( $(vercmp $2 2.0.0-1) < 0 )); then
+		echo '>>> The configuration file(s) and setup of DNSCrypt has changed considerably since version 1.x.'
+		echo '>>> Please refer to https://dnscrypt.info/doc for help!'
+	fi
+}
+
+post_remove() {
+	if getent passwd dnscrypt &>/dev/null; then
+		userdel dnscrypt >/dev/null
+	fi
+	if getent group dnscrypt &>/dev/null; then
+		groupdel dnscrypt >/dev/null
+	fi
+}

dnscrypt-proxy/dnscrypt-proxy.run

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml 2>&1

dnscrypt-proxy/fix-textflag.h.patch

@@ -0,0 +1,172 @@
+diff --git a/vendor/golang.org/x/net/internal/socket/rawconn.go b/vendor/golang.org/x/net/internal/socket/rawconn.go
+index b07b8900..0c6bbc68 100644
+--- a/vendor/golang.org/x/net/internal/socket/rawconn.go
++++ b/vendor/golang.org/x/net/internal/socket/rawconn.go
+@@ -7,7 +7,6 @@
+ import (
+ 	"errors"
+ 	"net"
+-	"os"
+ 	"syscall"
+ )
+ 
+@@ -42,23 +41,22 @@ func NewConn(c net.Conn) (*Conn, error) {
+ 
+ func (o *Option) get(c *Conn, b []byte) (int, error) {
+ 	var operr error
+-	var n int
+ 	fn := func(s uintptr) {
+-		n, operr = getsockopt(s, o.Level, o.Name, b)
++		return
+ 	}
+ 	if err := c.c.Control(fn); err != nil {
+ 		return 0, err
+ 	}
+-	return n, os.NewSyscallError("getsockopt", operr)
++	return 0, operr
+ }
+ 
+ func (o *Option) set(c *Conn, b []byte) error {
+ 	var operr error
+ 	fn := func(s uintptr) {
+-		operr = setsockopt(s, o.Level, o.Name, b)
++		return
+ 	}
+ 	if err := c.c.Control(fn); err != nil {
+ 		return err
+ 	}
+-	return os.NewSyscallError("setsockopt", operr)
++	return operr
+ }
+diff --git a/vendor/golang.org/x/net/internal/socket/rawconn_mmsg.go b/vendor/golang.org/x/net/internal/socket/rawconn_mmsg.go
+index d01fc4c7..c7ec17f3 100644
+--- a/vendor/golang.org/x/net/internal/socket/rawconn_mmsg.go
++++ b/vendor/golang.org/x/net/internal/socket/rawconn_mmsg.go
+@@ -27,7 +27,6 @@ func (c *Conn) recvMsgs(ms []Message, flags int) (int, error) {
+ 	var operr error
+ 	var n int
+ 	fn := func(s uintptr) bool {
+-		n, operr = recvmmsg(s, hs, flags)
+ 		if operr == syscall.EAGAIN {
+ 			return false
+ 		}
+@@ -60,7 +59,6 @@ func (c *Conn) sendMsgs(ms []Message, flags int) (int, error) {
+ 	var operr error
+ 	var n int
+ 	fn := func(s uintptr) bool {
+-		n, operr = sendmmsg(s, hs, flags)
+ 		if operr == syscall.EAGAIN {
+ 			return false
+ 		}
+diff --git a/vendor/golang.org/x/net/internal/socket/rawconn_msg.go b/vendor/golang.org/x/net/internal/socket/rawconn_msg.go
+index d5ae3f8e..3b64621c 100644
+--- a/vendor/golang.org/x/net/internal/socket/rawconn_msg.go
++++ b/vendor/golang.org/x/net/internal/socket/rawconn_msg.go
+@@ -23,7 +23,6 @@ func (c *Conn) recvMsg(m *Message, flags int) error {
+ 	var operr error
+ 	var n int
+ 	fn := func(s uintptr) bool {
+-		n, operr = recvmsg(s, &h, flags)
+ 		if operr == syscall.EAGAIN {
+ 			return false
+ 		}
+@@ -60,7 +59,6 @@ func (c *Conn) sendMsg(m *Message, flags int) error {
+ 	var operr error
+ 	var n int
+ 	fn := func(s uintptr) bool {
+-		n, operr = sendmsg(s, &h, flags)
+ 		if operr == syscall.EAGAIN {
+ 			return false
+ 		}
+diff --git a/vendor/golang.org/x/net/internal/socket/sys.go b/vendor/golang.org/x/net/internal/socket/sys.go
+index ee492ba8..7e8cf2b7 100644
+--- a/vendor/golang.org/x/net/internal/socket/sys.go
++++ b/vendor/golang.org/x/net/internal/socket/sys.go
+@@ -25,7 +25,7 @@ func init() {
+ 	} else {
+ 		NativeEndian = binary.BigEndian
+ 	}
+-	kernelAlign = probeProtocolStack()
++	return
+ }
+ 
+ func roundup(l int) int {
+diff --git a/vendor/golang.org/x/net/internal/socket/sys_linux_386.go b/vendor/golang.org/x/net/internal/socket/sys_linux_386.go
+index 235b2cc0..36de2c38 100644
+--- a/vendor/golang.org/x/net/internal/socket/sys_linux_386.go
++++ b/vendor/golang.org/x/net/internal/socket/sys_linux_386.go
+@@ -4,52 +4,7 @@
+ 
+ package socket
+ 
+-import (
+-	"syscall"
+-	"unsafe"
+-)
+-
+-func probeProtocolStack() int { return 4 }
+-
+ const (
+-	sysSETSOCKOPT = 0xe
+-	sysGETSOCKOPT = 0xf
+-	sysSENDMSG    = 0x10
+-	sysRECVMSG    = 0x11
+-	sysRECVMMSG   = 0x13
+-	sysSENDMMSG   = 0x14
++        sysRECVMMSG = 0x13
++        sysSENDMMSG = 0x10
+ )
+-
+-func socketcall(call, a0, a1, a2, a3, a4, a5 uintptr) (uintptr, syscall.Errno)
+-func rawsocketcall(call, a0, a1, a2, a3, a4, a5 uintptr) (uintptr, syscall.Errno)
+-
+-func getsockopt(s uintptr, level, name int, b []byte) (int, error) {
+-	l := uint32(len(b))
+-	_, errno := socketcall(sysGETSOCKOPT, s, uintptr(level), uintptr(name), uintptr(unsafe.Pointer(&b[0])), uintptr(unsafe.Pointer(&l)), 0)
+-	return int(l), errnoErr(errno)
+-}
+-
+-func setsockopt(s uintptr, level, name int, b []byte) error {
+-	_, errno := socketcall(sysSETSOCKOPT, s, uintptr(level), uintptr(name), uintptr(unsafe.Pointer(&b[0])), uintptr(len(b)), 0)
+-	return errnoErr(errno)
+-}
+-
+-func recvmsg(s uintptr, h *msghdr, flags int) (int, error) {
+-	n, errno := socketcall(sysRECVMSG, s, uintptr(unsafe.Pointer(h)), uintptr(flags), 0, 0, 0)
+-	return int(n), errnoErr(errno)
+-}
+-
+-func sendmsg(s uintptr, h *msghdr, flags int) (int, error) {
+-	n, errno := socketcall(sysSENDMSG, s, uintptr(unsafe.Pointer(h)), uintptr(flags), 0, 0, 0)
+-	return int(n), errnoErr(errno)
+-}
+-
+-func recvmmsg(s uintptr, hs []mmsghdr, flags int) (int, error) {
+-	n, errno := socketcall(sysRECVMMSG, s, uintptr(unsafe.Pointer(&hs[0])), uintptr(len(hs)), uintptr(flags), 0, 0)
+-	return int(n), errnoErr(errno)
+-}
+-
+-func sendmmsg(s uintptr, hs []mmsghdr, flags int) (int, error) {
+-	n, errno := socketcall(sysSENDMMSG, s, uintptr(unsafe.Pointer(&hs[0])), uintptr(len(hs)), uintptr(flags), 0, 0)
+-	return int(n), errnoErr(errno)
+-}
+diff --git a/vendor/golang.org/x/net/internal/socket/sys_linux_386.s b/vendor/golang.org/x/net/internal/socket/sys_linux_386.s
+index 93e7d75e..5b68771a 100644
+--- a/vendor/golang.org/x/net/internal/socket/sys_linux_386.s
++++ b/vendor/golang.org/x/net/internal/socket/sys_linux_386.s
+@@ -2,10 +2,10 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-#include "textflag.h"
++//#include "textflag.h"
+ 
+-TEXT	·socketcall(SB),NOSPLIT,$0-36
+-	JMP	syscall·socketcall(SB)
++//TEXT	·socketcall(SB),NOSPLIT,$0-36
++//	JMP	syscall·socketcall(SB)
+ 
+-TEXT	·rawsocketcall(SB),NOSPLIT,$0-36
+-	JMP	syscall·rawsocketcall(SB)
++//TEXT	·rawsocketcall(SB),NOSPLIT,$0-36
++//	JMP	syscall·rawsocketcall(SB)

dnscrypt-proxy/remove-go-systemd-support.patch

@@ -0,0 +1,97 @@
+diff --git a/dnscrypt-proxy/config.go b/dnscrypt-proxy/config.go
+index 2a195719..731a2155 100644
+--- a/dnscrypt-proxy/config.go
++++ b/dnscrypt-proxy/config.go
+@@ -572,9 +572,6 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
+ 		for _, listenAddrStr := range proxy.localDoHListenAddresses {
+ 			proxy.addLocalDoHListener(listenAddrStr)
+ 		}
+-		if err := proxy.addSystemDListeners(); err != nil {
+-			dlog.Fatal(err)
+-		}
+ 	}
+ 	_ = pidfile.Write()
+ 	// if 'userName' is set and we are the parent process drop privilege and exit
+diff --git a/dnscrypt-proxy/main.go b/dnscrypt-proxy/main.go
+index 6f21d083..28fc3cdc 100644
+--- a/dnscrypt-proxy/main.go
++++ b/dnscrypt-proxy/main.go
+@@ -82,7 +82,6 @@ func main() {
+ 	}
+ 
+ 	app.proxy = NewProxy()
+-	_ = ServiceManagerStartNotify()
+ 	if len(*svcFlag) != 0 {
+ 		if svc == nil {
+ 			dlog.Fatal("Built-in service installation is not supported on this platform")
+diff --git a/dnscrypt-proxy/privilege_linux.go b/dnscrypt-proxy/privilege_linux.go
+index 5e73037e..8a525bd4 100644
+--- a/dnscrypt-proxy/privilege_linux.go
++++ b/dnscrypt-proxy/privilege_linux.go
+@@ -47,10 +47,6 @@ func (proxy *Proxy) dropPrivilege(userStr string, fds []*os.File) {
+ 		dlog.Fatal(err)
+ 	}
+ 
+-	if err := ServiceManagerReadyNotify(); err != nil {
+-		dlog.Fatal(err)
+-	}
+-
+ 	args = append(args, "-child")
+ 
+ 	dlog.Notice("Dropping privileges")
+diff --git a/dnscrypt-proxy/proxy.go b/dnscrypt-proxy/proxy.go
+index 24b406f0..07d038ec 100644
+--- a/dnscrypt-proxy/proxy.go
++++ b/dnscrypt-proxy/proxy.go
+@@ -228,11 +228,6 @@ func (proxy *Proxy) StartProxy() {
+ 	}
+ 	if liveServers > 0 {
+ 		dlog.Noticef("dnscrypt-proxy is ready - live servers: %d", liveServers)
+-		if !proxy.child {
+-			if err := ServiceManagerReadyNotify(); err != nil {
+-				dlog.Fatal(err)
+-			}
+-		}
+ 	} else if err != nil {
+ 		dlog.Error(err)
+ 		dlog.Notice("dnscrypt-proxy is waiting for at least one server to be reachable")
+diff --git a/go.mod b/go.mod
+index 4ed0460b..2f3c27b5 100644
+--- a/go.mod
++++ b/go.mod
+@@ -5,7 +5,6 @@ go 1.14
+ require (
+ 	github.com/BurntSushi/toml v0.3.1
+ 	github.com/VividCortex/ewma v1.1.1
+-	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
+ 	github.com/dchest/safefile v0.0.0-20151022103144-855e8d98f185
+ 	github.com/facebookgo/atomicfile v0.0.0-20151019160806-2de1f203e7d5 // indirect
+ 	github.com/facebookgo/pidfile v0.0.0-20150612191647-f242e2999868
+diff --git a/go.sum b/go.sum
+index 0356d8d0..e93150b0 100644
+--- a/go.sum
++++ b/go.sum
+@@ -6,8 +6,6 @@ github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmH
+ github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
+ github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=
+ github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635/go.mod h1:lmLxL+FV291OopO93Bwf9fQLQeLyt33VJRUg5VJ30us=
+-github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
+-github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+ github.com/dchest/safefile v0.0.0-20151022103144-855e8d98f185 h1:3T8ZyTDp5QxTx3NU48JVb2u+75xc040fofcBaN+6jPA=
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index c6e8c437..77a18629 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -8,10 +8,6 @@ github.com/VividCortex/ewma
+ github.com/aead/chacha20/chacha
+ # github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635
+ github.com/aead/poly1305
+-# github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
+-## explicit
+-github.com/coreos/go-systemd/activation
+-github.com/coreos/go-systemd/daemon
+ # github.com/davecgh/go-spew v1.1.1
+ github.com/davecgh/go-spew/spew
+ # github.com/dchest/safefile v0.0.0-20151022103144-855e8d98f185