]> Git — Sourcephile - julm/julm-nix.git/blob - nixos/profiles/dnscrypt-proxy2.nix
sourcephile / git / julm / julm-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
kubo: improve config
[julm/julm-nix.git] / nixos / profiles / dnscrypt-proxy2.nix
1 {
2 pkgs,
3 lib,
4 config,
5 ...
6 }:
7 {
8 networking = {
9 networkmanager.dns = lib.mkForce "none";
10 nameservers = [
11 "127.0.0.1"
12 "::1"
13 ];
14 #resolvconf.enable = lib.mkForce false;
15 resolvconf.useLocalResolver = true;
16 dhcpcd.extraConfig = "nohook resolv.conf";
17 };
18
19 # Create a user for matching egress on it in the firewall
20 systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
21 users.users.dnscrypt-proxy2 = {
22 isSystemUser = true;
23 group = "dnscrypt-proxy2";
24 };
25 users.groups.dnscrypt-proxy2 = { };
26 services.dnscrypt-proxy2 = {
27 enable = true;
28 # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
29 upstreamDefaults = true;
30 settings = {
31 bootstrap_resolvers = [
32 "9.9.9.9:53" # Quad9
33 "8.8.8.8:53" # Google
34 ];
35 cache = true;
36 cloaking_rules =
37 # ExplanationNote: DNSSEC does not work for NTP servers
38 # on machine with a clock set to far in the past.
39 pkgs.writeText "dnscrypt-proxy2-cloaking_rules" ''
40 0.nixos.pool.ntp.org 77.104.162.218
41 0.nixos.pool.ntp.org 129.250.35.250
42 0.nixos.pool.ntp.org 176.58.109.199
43 0.nixos.pool.ntp.org 213.210.39.123
44 1.nixos.pool.ntp.org 192.33.214.57
45 1.nixos.pool.ntp.org 31.3.135.232
46 1.nixos.pool.ntp.org 212.25.15.128
47 1.nixos.pool.ntp.org 109.233.182.115
48 2.nixos.pool.ntp.org 195.58.34.161
49 2.nixos.pool.ntp.org 81.0.208.219
50 2.nixos.pool.ntp.org 81.200.57.13
51 2.nixos.pool.ntp.org 188.124.59.142
52 2.nixos.pool.ntp.org 2606:4700:f1::123
53 2.nixos.pool.ntp.org 2001:470:6f:483::101
54 2.nixos.pool.ntp.org 2001:67c:d74:66::71be
55 2.nixos.pool.ntp.org 2001:718:801:230::8c
56 3.nixos.pool.ntp.org 88.198.200.96
57 3.nixos.pool.ntp.org 78.47.168.188
58 3.nixos.pool.ntp.org 62.128.1.18
59 3.nixos.pool.ntp.org 80.153.195.191
60 '';
61 disabled_server_names = [
62 "cloudflare"
63 ];
64 dnscrypt_servers = true;
65 doh_servers = true;
66 fallback_resolvers = [
67 "9.9.9.9:53" # Quad9
68 "8.8.8.8:53" # Google
69 ];
70 force_tcp = false;
71 forwarding_rules = pkgs.writeText "dnscrypt-proxy2-forwarding_rules" '''';
72 ignore_system_dns = true;
73 ipv4_servers = true;
74 ipv6_servers = true;
75 log_level = 2;
76 #proxy = "socks5://127.0.0.1:9050";
77 max_clients = 250;
78 netprobe_timeout = 60;
79 query_log = {
80 file = "/dev/stdout";
81 format = "tsv";
82 ignored_qtypes = [ ];
83 };
84 require_dnssec = true;
85 require_nofilter = true;
86 require_nolog = true;
87 sources.public-resolvers = {
88 urls = [
89 "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
90 "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
91 ];
92 cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
93 minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
94 };
95 timeout = 5000;
96 use_syslog = true;
97 blocked_names = {
98 blocked_names_file = pkgs.writeText "dnscrypt-proxy2-blocked_names_file" ''
99 *.local
100 *.sp
101 '';
102 #log_file = 'dnscrypt-blacklist-domains.log'
103 #log_format = 'tsv'
104 };
105 };
106 };
107 networking.nftables.ruleset = ''
108 table inet filter {
109 chain output-net {
110 meta l4proto { udp, tcp } th dport domain skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS"
111 tcp dport https skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS over HTTPS"
112 }
113 }
114 '';
115 }
julm's NixOS and home-manager configs