nixos/dnscrypt-proxy: support updating before nss is up

Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.

We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...

nixos/modules/services/networking/dnscrypt-proxy.nix

@@ -266,13 +266,15 @@ in
       requires = [ "init-dnscrypt-proxy-statedir.service" ];
       after = [ "init-dnscrypt-proxy-statedir.service" ];
 
-      path = with pkgs; [ curl minisign ];
+      path = with pkgs; [ curl dnscrypt-proxy minisign ];
       script = ''
         cd ${stateDirectory}
-        curl -fSsL -o dnscrypt-resolvers.csv.tmp \
-          https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
-        curl -fSsL -o dnscrypt-resolvers.csv.minisig.tmp \
-          https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv.minisig
+        domain=download.dnscrypt.org
+        get="curl -fSs --resolve $domain:443:$(hostip -r 8.8.8.8 $domain | head -1)"
+        $get -o dnscrypt-resolvers.csv.tmp \
+          https://$domain/dnscrypt-proxy/dnscrypt-resolvers.csv
+        $get -o dnscrypt-resolvers.csv.minisig.tmp \
+          https://$domain/dnscrypt-proxy/dnscrypt-resolvers.csv.minisig
         mv dnscrypt-resolvers.csv.minisig{.tmp,}
         minisign -q -V -p ${upstreamResolverListPubKey} \
           -m dnscrypt-resolvers.csv.tmp -x dnscrypt-resolvers.csv.minisig