extraConfig -> settings

service.nix

@@ -20,23 +20,37 @@ let
   '';
 
   dataDir = "/var/lib/privoxy";
-  configFile = pkgs.writeText "config.ini" ''
-    [General]
-    ProxAddr  = http://${cfgPrivoxy.listenAddress}
-    FrontPort = ${toString cfg.frontPort}
-    RearPort  = ${toString cfg.rearPort}
-    CACert    = ${dataDir}/ca.crt
-    Certdir   = /tmp
-    LogLevel  = ${cfg.logLevel}
- 
-    [TLS NoVerify]
-    ${concatStringsSep "\n" cfg.noVerify}
 
-    [TLS Passthru]
+  # make attributes only a default
-    ${concatStringsSep "\n" cfg.passthru}
+  mkDefaultAttrs = mapAttrs (n: v: mkDefault v);
 
-    ${cfg.extraConfig}
+  # INI format with sections that may also contains a list
-  '';
+  toSpecialINI = with lib; {
+    mkSectionName ? (name: escape [ "[" "]" ] name),
+    mkKeyValue    ? generators.mkKeyValueDefault {} "="
+  }: attrsOfAttrs:
+    let
+        # map function to string for each key val
+        mapAttrsToStringsSep = sep: mapFn: attrs:
+          concatStringsSep sep (mapAttrsToList mapFn attrs);
+        stripPriority = val:
+          if val ? priority then val.content else val;
+        mkSectionVal = val:
+          if isList val
+          then concatMapStringsSep "\n" toString val
+          else generators.toKeyValue
+               { inherit mkKeyValue; } val;
+        # handle both list and attributes
+        mkSection = sectName: sectValues: ''
+          [${mkSectionName sectName}]
+          ${mkSectionVal (stripPriority sectValues)}
+        '';
+    in
+      # map input to ini sections
+      mapAttrsToStringsSep "\n" mkSection attrsOfAttrs;
+
+  configFile = pkgs.writeText "config.ini"
+    (toSpecialINI {} cfg.settings);
   
   python = pkgs.python3.withPackages (p: [ p.urllib3 ]);
 
@@ -118,15 +132,19 @@ in
         example = "The level of logging of privoxy-tls";
       };
 
-      extraConfig = mkOption {
+      settings = mkOption {
-        type = types.lines;
+        type = types.attrs;
-        default = "";
+        default = { };
-        example = ''
+        example = literalExample ''
-          [Bypass URL]
+          {
-          example.com
+            bypassURL = [ "example.com" ];
+          }
         '';
         description = ''
-          Additional options that will be appended to the configuration file.
+          Privoxy-TLS settings. Use this option to configure not exposed in
+          a NixOS option or to bypass one. See the documentation at
+          <link xlink:href="https://maxwell.ydns.eu/git/rnhmjoj/privoxy-tls"/>
+          for the available options.
         '';
       };
     };
@@ -150,6 +168,20 @@ in
       home  = dataDir;
     };
 
+    # default configuration
+    services.privoxy.tls-wrapper.settings = mkDefaultAttrs {
+      general = {
+        proxAddr  = "http://${cfgPrivoxy.listenAddress}";
+        frontPort = cfg.frontPort;
+        rearPort  = cfg.rearPort;
+        caCert    = "${dataDir}/ca.crt";
+        certdir   = "/tmp";
+        logLevel  = cfg.logLevel;
+      };
+      noVerify = cfg.noVerify;
+      passthru = cfg.passthru;
+    };
+
     systemd.services.privoxy-tls = {
       description = "Privoxy TLS proxy wrapper.";
       wantedBy    = [ "multi-user.target" ];