profiles/dnscrypt-proxy2.nix

   1 { config, pkgs, lib, ... }:
   2 {
   3 networking = {
   4   networkmanager.dns = "none";
   5   nameservers = [ "127.0.0.1" "::1" ];
   6   #resolvconf.enable = lib.mkForce false;
   7   resolvconf.useLocalResolver = true;
   8   dhcpcd.extraConfig = "nohook resolv.conf";
   9 };
  10 systemd.services.dnscrypt-proxy2.serviceConfig.StandardOuput = "journal";
  11 systemd.services.dnscrypt-proxy2.serviceConfig.SystemCallFilter = [ "@sync" ];
  12 services.dnscrypt-proxy2 = {
  13   enable = true;
  14   # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
  15   # FIXME: uncomment when updating to 21.05
  16   #upstreamDefaults = true;
  17   settings = {
  18     cache = true;
  19     disabled_server_names = [
  20       "cloudflare"
  21     ];
  22     dnscrypt_servers = true;
  23     doh_servers = true;
  24     fallback_resolvers = [
  25       "9.9.9.9:53" # Quad9
  26       "8.8.8.8:53" # Google
  27     ];
  28     force_tcp = false;
  29     ignore_system_dns = true;
  30     ipv4_servers = true;
  31     ipv6_servers = true;
  32     log_level = 2;
  33     #proxy = "socks5://127.0.0.1:9050";
  34     max_clients = 250;
  35     netprobe_timeout = 60;
  36     query_log = {
  37       file = "/dev/stdout";
  38       format = "tsv";
  39       ignored_qtypes = [];
  40     };
  41     require_dnssec = true;
  42     require_nofilter = true;
  43     require_nolog = true;
  44     sources.public-resolvers = {
  45       urls = [
  46         "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
  47         "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
  48       ];
  49       cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
  50       minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
  51     };
  52     timeout = 5000;
  53     use_syslog = true;
  54   };
  55 };
  56 }