authorDanilo G. Baio <dbaio@FreeBSD.org>2018-04-18 02:25:48 +0000
committerDanilo G. Baio <dbaio@FreeBSD.org>2018-04-18 02:25:48 +0000
commitb0c5358af03525316a90739a37e912c833264162 (patch)
treee1b63912d7a502b3c4573c9b65d1cf9cd58a7cae /dns/dnscrypt-proxy2
parent8594d78a0c4c743d788e28f9e6d220a22b2006df (diff)
dns/dnscrypt-proxy2: Update to 2.0.10
Main changes in the port: - Improve instructions for using dnscrypt-proxy2 together with unbound. [1] - Add dnscrypt_proxy_suexec option for users who want to run the daemon as root. - Move the configuration file from ${PREFIX}/etc/dnscrypt-proxy.toml to ${PREFIX}/etc/dnscrypt-proxy/dnscrypt-proxy.toml, because by default temporary files will use the path of the config file. This fixes a permission issue when fetching the public resolvers list. Changes: https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/2.0.10/ChangeLog PR: 227129 [1] Submitted by: egypcio@googlemail.com (maintainer) Reported by: erik@nordstroem.no [1] Differential Revision: https://reviews.freebsd.org/D15024
Notes
Notes: svn path=/head/; revision=467667
Diffstat (limited to 'dns/dnscrypt-proxy2')
-rw-r--r--dns/dnscrypt-proxy2/Makefile16
-rw-r--r--dns/dnscrypt-proxy2/distinfo6
-rw-r--r--dns/dnscrypt-proxy2/files/dnscrypt-proxy.in18
-rw-r--r--dns/dnscrypt-proxy2/files/pkg-message.in (renamed from dns/dnscrypt-proxy2/pkg-message)40
-rw-r--r--dns/dnscrypt-proxy2/pkg-plist3
5 files changed, 54 insertions, 29 deletions
diff --git a/dns/dnscrypt-proxy2/Makefile b/dns/dnscrypt-proxy2/Makefile
index b7c75da4fb05..7f11fa5c6303 100644
--- a/dns/dnscrypt-proxy2/Makefile
+++ b/dns/dnscrypt-proxy2/Makefile
@@ -1,8 +1,8 @@
# $FreeBSD$
PORTNAME= dnscrypt-proxy
-PORTVERSION= 2.0.8
-CATEGORIES= dns security
+PORTVERSION= 2.0.10
+CATEGORIES= dns security ipv6
PKGNAMESUFFIX= 2
MAINTAINER= egypcio@googlemail.com
@@ -22,6 +22,10 @@ GH_ACCOUNT= jedisct1
USERS= _dnscrypt-proxy
GROUPS= _dnscrypt-proxy
+PLIST_SUB= USER="${USERS}" GROUP="${GROUPS}"
+SUB_LIST= USER="${USERS}" GROUP="${GROUPS}"
+SUB_FILES= pkg-message
+
PORTDOCS= README.*
PORTEXAMPLES= example*
@@ -36,7 +40,7 @@ do-build:
go build -ldflags "-s -w" -o ${WRKDIR}/sbin/${PORTNAME}
do-install:
- ${INSTALL_PROGRAM} ${WRKDIR}/sbin/${PORTNAME} ${STAGEDIR}${LOCALBASE}/sbin
+ ${INSTALL_PROGRAM} ${WRKDIR}/sbin/${PORTNAME} ${STAGEDIR}${PREFIX}/sbin
do-install-DOCS-on:
${MKDIR} ${STAGEDIR}${DOCSDIR}
@@ -47,11 +51,13 @@ do-install-EXAMPLES-on:
cd ${WRKSRC}/${PORTNAME} && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
post-install:
- # After install examples because of the priv drop issue with Go
+ ${MKDIR} ${STAGEDIR}${ETCDIR}
+ # After 'install' examples because of the priv drop issue with Go.
+ # Keeping original example files.
@${REINPLACE_CMD} -e \
"s#\['127.0.0.1:53', '\[::1\]:53'\]#\['127.0.0.1:5353'\]#" \
${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml
${INSTALL_DATA} ${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml \
- ${STAGEDIR}${LOCALBASE}/etc/${PORTNAME}.toml.sample
+ ${STAGEDIR}${ETCDIR}/${PORTNAME}.toml.sample
.include <bsd.port.mk>
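Review bot: The `@${REINPLACE_CMD}` step in post-install is silenced and does not fail when its pattern stops matching upstream's example file. In that case the staged `${PORTNAME}.toml.sample` would keep the port 53 listen addresses, which the pkg-message says the unprivileged account should not be bound to. A cheap guard is a check line straight after the substitution, e.g. `@${GREP} -q "'127.0.0.1:5353'" ${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml`, so a changed upstream default breaks the build instead of shipping silently. The replacement also drops the `[::1]` listener; if that is intentional, say so in the comment above the recipe, since this commit adds `ipv6` to CATEGORIES. The do-install-EXAMPLES-on target that precedes post-install starts outside this hunk.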
diff --git a/dns/dnscrypt-proxy2/distinfo b/dns/dnscrypt-proxy2/distinfo
index 54ac6c050706..4c582acad596 100644
--- a/dns/dnscrypt-proxy2/distinfo
+++ b/dns/dnscrypt-proxy2/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1522496209
-SHA256 (jedisct1-dnscrypt-proxy-2.0.8_GH0.tar.gz) = a99fc2b055618b0578ebe1477769bf9dddff7daa653649bd73f4bcf650bc8d40
-SIZE (jedisct1-dnscrypt-proxy-2.0.8_GH0.tar.gz) = 750606
+TIMESTAMP = 1524007265
+SHA256 (jedisct1-dnscrypt-proxy-2.0.10_GH0.tar.gz) = ec5f68349833b4a501fedc0af3cdbdfd6df2644b3e3e1c43aa86c823ca5a3007
+SIZE (jedisct1-dnscrypt-proxy-2.0.10_GH0.tar.gz) = 2773118
diff --git a/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in b/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
index 36d7ed1be351..77d79cf997d7 100644
--- a/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
+++ b/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
@@ -4,7 +4,7 @@
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: cleanvar SERVERS
-# BEFORE: dnsmasq local_unbound unbound named
+# BEFORE: dnsmasq local_unbound named nsmasq pdns unbound
#
# Options to configure dnscrypt-proxy via /etc/rc.conf:
#
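Review bot: The new `# BEFORE:` line lists `nsmasq`, which looks like a typo of `dnsmasq`, already present earlier on the same line. An unmatched name in a BEFORE list appears to be ignored by rcorder, so this is probably harmless, but it leaves a dead entry in the ordering contract for a resolver front-end. Suggested line: `# BEFORE: dnsmasq local_unbound named pdns unbound`.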
@@ -12,10 +12,13 @@
# Default: NO
#
# dnscrypt_proxy_conf (str) Config file to use
-# Default: %%PREFIX%%/etc/dnscrypt-proxy.toml
+# Default: %%ETCDIR%%/dnscrypt-proxy.toml
+#
+# dnscrypt_proxy_suexec (bool) Run dnscrypt_proxy as root
+# Default: NO
#
# dnscrypt_proxy_uid (str) User to run dnscrypt_proxy as
-# Default: _dnscrypt-proxy
+# Default: %%USER%%
. /etc/rc.subr
@@ -26,9 +29,12 @@ procname="%%PREFIX%%/sbin/dnscrypt-proxy"
load_rc_config $name
-: ${dnscrypt_proxy_enable:=NO}
-: ${dnscrypt_proxy_conf:=%%PREFIX%%/etc/dnscrypt-proxy.toml}
-: ${dnscrypt_proxy_uid:=_dnscrypt-proxy}
+: ${dnscrypt_proxy_enable:="NO"}
+: ${dnscrypt_proxy_conf:="%%ETCDIR%%/dnscrypt-proxy.toml"}
+: ${dnscrypt_proxy_suexec:="NO"}
+: ${dnscrypt_proxy_uid:="%%USER%%"}
+
+checkyesno dnscrypt_proxy_suexec && dnscrypt_proxy_uid="root"
command="/usr/sbin/daemon"
command_args="-p ${pidfile} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}"
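Review bot: `checkyesno dnscrypt_proxy_suexec && dnscrypt_proxy_uid="root"` silently discards any `dnscrypt_proxy_uid` the administrator set in rc.conf, and the option text in the header comment does not mention the override. The pkg-message in this same commit says the Go binary cannot drop privileges after binding, so with this knob the network-facing resolver stays root for its whole lifetime. I would spell both facts out where the option is documented, e.g. `# dnscrypt_proxy_suexec (bool) Run dnscrypt_proxy as root for its entire lifetime; overrides dnscrypt_proxy_uid`. The script continues before and after this hunk, so whether a later line validates the uid is not visible here.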
diff --git a/dns/dnscrypt-proxy2/pkg-message b/dns/dnscrypt-proxy2/files/pkg-message.in
index 4be749c49cf6..07a3ae5c98f1 100644
--- a/dns/dnscrypt-proxy2/pkg-message
+++ b/dns/dnscrypt-proxy2/files/pkg-message.in
@@ -1,11 +1,10 @@
-=====================================================================
+======================================================================
Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
of dropping privileges after binding to a low port on FreeBSD.
-By default, the dnscrypt-proxy2 port will listen on (tcp/udp) port 5353
-as the _dnscrypt-proxy user.
-
-It's possible to change back to port 53, but not recommended.
+By default, this port's daemon will listen on port 5353 (TCP/UDP) as the
+%%USER%% user. It's still possible to bind it and listen on port
+53 (TCP/UDP), but it's not recommended.
Below are a few examples on how to redirect local connections from port
5353 to 53.
@@ -18,6 +17,7 @@ Below are a few examples on how to redirect local connections from port
ipfw add nat 1 ip from any to 127.0.0.1 via lo0
/etc/rc.conf:
+ firewall_enable="YES"
firewall_nat_enable="YES"
/etc/sysctl.conf:
@@ -25,16 +25,28 @@ Below are a few examples on how to redirect local connections from port
[pf]
+ set skip on lo0
rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
-[unbound]
-
- server:
- interface: 127.0.0.1
- do-not-query-localhost: no
+ /etc/rc.conf:
+ pf_enable="YES"
- forward-zone:
- name: "."
- forward-addr: 127.0.0.1@5353
+[unbound]
-=====================================================================
+ /etc/rc.conf:
+ local_unbound_enable="YES"
+
+ /var/unbound/unbound.conf:
+ server:
+ interface: 127.0.0.1
+ do-not-query-localhost: no
+
+ /var/unbound/forward.conf:
+ forward-zone:
+ name: "."
+ forward-addr: 127.0.0.1@5353
+
+ If you are using local_unbound, DNSSEC is enabled by default. You should
+ comment the "auto-trust-anchor-file" line or change dnscrypt-proxy to use
+ servers with DNSSEC support only.
+======================================================================
diff --git a/dns/dnscrypt-proxy2/pkg-plist b/dns/dnscrypt-proxy2/pkg-plist
index f9311c96fb21..bb7d29ae14c5 100644
--- a/dns/dnscrypt-proxy2/pkg-plist
+++ b/dns/dnscrypt-proxy2/pkg-plist
@@ -1,2 +1,3 @@
-@sample etc/dnscrypt-proxy.toml.sample
+@dir(%%USER%%,%%GROUP%%) etc/dnscrypt-proxy
+@sample %%ETCDIR%%/dnscrypt-proxy.toml.sample
sbin/dnscrypt-proxy
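Review bot: `@dir(%%USER%%,%%GROUP%%) etc/dnscrypt-proxy` gives the daemon account ownership of the directory holding its own configuration. That account can therefore replace `dnscrypt-proxy.toml` by renaming or recreating it, even if the file itself is root-owned. This matters most with the new `dnscrypt_proxy_suexec` knob, where a root process loads a config from a directory controlled by the unprivileged account. The commit message explains the ownership is needed for temporary files written next to the config. A safer split would keep the config directory root-owned and point the cache and temp paths at a separate directory owned by `%%USER%%`, or at least note the trade-off in pkg-message. The line also hard-codes the path while the next one uses `%%ETCDIR%%`; `@dir(%%USER%%,%%GROUP%%) %%ETCDIR%%` would keep the two in step.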