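{ lib, config, ... }:
let
  inherit (config) users;
  # Only mkForce is needed from lib; an explicit inherit avoids the
  # scope-shadowing surprises of `with lib;`.
  inherit (lib) mkForce;
in
{
  # Make the local dnscrypt-proxy2 instance the only resolver: pin the
  # nameservers to loopback and stop NetworkManager, resolvconf and dhcpcd
  # from rewriting /etc/resolv.conf with DHCP-provided servers.
  networking = {
    networkmanager.dns = mkForce "none";
    nameservers = [ "127.0.0.1" "::1" ];
    #resolvconf.enable = lib.mkForce false;
    resolvconf.useLocalResolver = true;
    dhcpcd.extraConfig = "nohook resolv.conf";
  };
  # systemd-resolved would otherwise compete for the stub-resolver role.
  services.resolved.enable = false;

  # Create a user for matching egress on it in the firewall
  # (see the `skuid` match in the nftables ruleset below).
  # NOTE(review): the NixOS module normally runs this unit with a dynamic
  # user; setting a static User here is what makes the uid stable enough
  # to match on — confirm the state directory is still owned by it.
  systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
  users.users.dnscrypt-proxy2 = {
    isSystemUser = true;
    group = "dnscrypt-proxy2";
  };
  users.groups.dnscrypt-proxy2 = { };

  services.dnscrypt-proxy2 = {
    enable = true;
    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
    upstreamDefaults = true;
    settings = {
      cache = true;
      disabled_server_names = [
        "cloudflare"
      ];
      dnscrypt_servers = true;
      doh_servers = true;
      # Plain-DNS resolvers used only to bootstrap (resolve the resolver
      # list URLs and DoH hostnames); regular queries never go here.
      # NOTE(review): newer dnscrypt-proxy releases call this option
      # `bootstrap_resolvers` — check the packaged version's accepted name.
      fallback_resolvers = [
        "9.9.9.9:53" # Quad9
        "8.8.8.8:53" # Google
      ];
      force_tcp = false;
      # Do not trust /etc/resolv.conf for bootstrapping; it points at us.
      ignore_system_dns = true;
      ipv4_servers = true;
      ipv6_servers = true;
      log_level = 2;
      #proxy = "socks5://127.0.0.1:9050";
      max_clients = 250;
      netprobe_timeout = 60;
      # Every query (name + type) is written to stdout, i.e. the journal;
      # disable or restrict journal access if that is too much to retain.
      query_log = {
        file = "/dev/stdout";
        format = "tsv";
        ignored_qtypes = [ ];
      };
      # Only pick upstreams that validate DNSSEC, do not filter, and claim
      # not to log.
      require_dnssec = true;
      require_nofilter = true;
      require_nolog = true;
      # The resolver list is fetched over HTTPS and its minisign signature
      # is verified against the pinned key before use.
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        # NOTE(review): must stay writable by the static User set above.
        cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };
      timeout = 5000;
      use_syslog = true;
    };
  };

  # Egress rule keyed on the proxy's uid so that only dnscrypt-proxy2 may
  # talk to remote port 53; every other process is confined to the local
  # resolver by whatever policy the rest of `output-net` applies.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        # NOTE(review): doh_servers and the HTTPS source URLs above need
        # port 443 egress for this uid as well; this rule does not grant
        # it, so it must be allowed elsewhere in the chain.
        meta l4proto { udp, tcp } th dport domain skuid ${users.users.dnscrypt-proxy2.name} counter accept comment "DNS"
      }
    }
  '';
}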