{
  pkgs,
  lib,
  config,
  ...
}:
let
  # dnscrypt-proxy runs under this static account so the nftables rules below
  # can match its egress by owner (skuid) instead of by destination.
  proxyUser = "dnscrypt-proxy";
  # The account name as NixOS finally resolves it; spliced into the ruleset.
  proxyAccount = config.users.users.${proxyUser}.name;

  # Plaintext DNS used only to bootstrap (and, on older releases, to fall back)
  # before any encrypted upstream has been reached.
  plaintextResolvers = [
    "9.9.9.9:53" # Quad9
    "8.8.8.8:53" # Google
  ];

  # Static answers handed out without asking any upstream.
  # ExplanationNote: DNSSEC does not work for NTP servers
  # on machine with a clock set too far in the past.
  # NOTE(review): pool.ntp.org membership rotates, so these literal addresses
  # will drift out of date; they also bypass DNSSEC for the NTP names by design.
  # NOTE(review): the two mail.* names are cloaked to a *.sp name while "*.sp"
  # is in the blocked names below — confirm the cloak/block plugin order
  # yields the answer intended for them.
  cloakingRules = pkgs.writeText "dnscrypt-proxy-cloaking_rules" ''
    0.nixos.pool.ntp.org 77.104.162.218
    0.nixos.pool.ntp.org 129.250.35.250
    0.nixos.pool.ntp.org 176.58.109.199
    0.nixos.pool.ntp.org 213.210.39.123
    1.nixos.pool.ntp.org 192.33.214.57
    1.nixos.pool.ntp.org 31.3.135.232
    1.nixos.pool.ntp.org 212.25.15.128
    1.nixos.pool.ntp.org 109.233.182.115
    2.nixos.pool.ntp.org 195.58.34.161
    2.nixos.pool.ntp.org 81.0.208.219
    2.nixos.pool.ntp.org 81.200.57.13
    2.nixos.pool.ntp.org 188.124.59.142
    2.nixos.pool.ntp.org 2606:4700:f1::123
    2.nixos.pool.ntp.org 2001:470:6f:483::101
    2.nixos.pool.ntp.org 2001:67c:d74:66::71be
    2.nixos.pool.ntp.org 2001:718:801:230::8c
    3.nixos.pool.ntp.org 88.198.200.96
    3.nixos.pool.ntp.org 78.47.168.188
    3.nixos.pool.ntp.org 62.128.1.18
    3.nixos.pool.ntp.org 80.153.195.191

    mail.sourcephile.fr mermet.sp
    mail.autogeree.net mermet.sp
    losurdo.sourcephile.fr 88.140.48.201
  '';

  # Local-only names: answered as blocked so no upstream ever sees them.
  blockedNames = pkgs.writeText "dnscrypt-proxy-blocked_names_file" ''
    *.local
    *.sp
  '';
in
{
  networking = {
    # Every lookup goes to the local listener; keep NetworkManager and dhcpcd
    # from pushing DHCP-provided servers into resolv.conf.
    networkmanager.dns = lib.mkForce "none";
    nameservers = [
      "127.0.0.1"
      "::1"
    ];
    #resolvconf.enable = lib.mkForce false;
    resolvconf.useLocalResolver = true;
    dhcpcd.extraConfig = "nohook resolv.conf";

    # Owner-based egress for the resolver: DNS on port 53 (udp and tcp) and
    # DoH on tcp/443.
    # NOTE(review): DNSCrypt-protocol servers listening on UDP ports other
    # than 53 (443 is common) are not matched here; check the policy of the
    # chain that hooks output-net if dnscrypt_servers = true is meant to work.
    nftables.ruleset = ''
      table inet filter {
        chain output-net {
          meta l4proto { udp, tcp } th dport domain skuid ${proxyAccount} counter accept comment "dnscrypt-proxy: DNS"
          tcp dport https skuid ${proxyAccount} counter accept comment "dnscrypt-proxy: DNS over HTTPS"
        }
      }
    '';
  };

  # Create a user for matching egress on it in the firewall.
  # NOTE(review): confirm this static User= coexists with whatever the NixOS
  # dnscrypt-proxy module sets for DynamicUser/StateDirectory — the cache_file
  # under /var/lib/dnscrypt-proxy must be writable by this account.
  systemd.services.dnscrypt-proxy.serviceConfig.User = proxyUser;
  users.users.${proxyUser} = {
    isSystemUser = true;
    group = proxyUser;
  };
  users.groups.${proxyUser} = { };

  services.dnscrypt-proxy = {
    enable = true;
    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
    upstreamDefaults = true;
    settings = {
      # NOTE(review): bootstrap_resolvers and fallback_resolvers carry the same
      # list; newer releases read the former name, older ones the latter —
      # keep both only while the packaged version still needs it.
      bootstrap_resolvers = plaintextResolvers;
      fallback_resolvers = plaintextResolvers;
      cache = true;
      cloaking_rules = cloakingRules;
      # Never pick resolvers from this operator even if the list offers them.
      disabled_server_names = [
        "cloudflare"
      ];
      # Both encrypted transports, over IPv4 and IPv6 alike; UDP stays allowed.
      dnscrypt_servers = true;
      doh_servers = true;
      ipv4_servers = true;
      ipv6_servers = true;
      force_tcp = false;
      forwarding_rules = pkgs.writeText "dnscrypt-proxy-forwarding_rules" "";
      ignore_system_dns = true;
      log_level = 2;
      #proxy = "socks5://127.0.0.1:9050";
      max_clients = 250;
      netprobe_timeout = 60;
      # Every query name is written to stdout in TSV; with use_syslog = true it
      # presumably ends up in the journal — mind its retention.
      query_log = {
        file = "/dev/stdout";
        format = "tsv";
        ignored_qtypes = [ ];
      };
      # Only resolvers advertising DNSSEC, no filtering and no logging are used.
      require_dnssec = true;
      require_nofilter = true;
      require_nolog = true;
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
        # Pinned minisign public key: the downloaded list is only trusted when
        # its signature verifies against this key.
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };
      timeout = 5000;
      use_syslog = true;
      blocked_names = {
        blocked_names_file = blockedNames;
        #log_file = 'dnscrypt-blacklist-domains.log'
        #log_format = 'tsv'
      };
    };
  };
}