{
  pkgs,
  lib,
  config,
  ...
}:
let
  # Suffixes the proxy must never forward upstream: they are meant to be
  # answered locally and would otherwise leak internal names to public resolvers.
  blockedNamesFile = pkgs.writeText "dnscrypt-proxy2-blocked_names_file" ''
    *.local
    *.sp
  '';

  # Contents of the generated dnscrypt-proxy.toml. Keys not set here come from
  # upstream's example file because `upstreamDefaults = true` is set below:
  # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
  proxySettings = {
    # Resolver selection: DNSCrypt and DoH servers on both address families,
    # restricted to those advertising DNSSEC validation, no filtering and no
    # logging; Cloudflare is excluded by name.
    dnscrypt_servers = true;
    doh_servers = true;
    ipv4_servers = true;
    ipv6_servers = true;
    require_dnssec = true;
    require_nofilter = true;
    require_nolog = true;
    disabled_server_names = [ "cloudflare" ];

    # Plain UDP/53 resolvers, i.e. unencrypted. Presumably used only to
    # bootstrap (resolving the source URL hostnames below) and as a last
    # resort — whatever they do see is sent in clear.
    # NOTE(review): newer dnscrypt-proxy releases name this key
    # `bootstrap_resolvers`; check the daemon log for a deprecation warning.
    fallback_resolvers = [
      "9.9.9.9:53" # Quad9
      "8.8.8.8:53" # Google
    ];
    # Never consult the resolvers from resolv.conf, which would bypass the
    # selection above.
    ignore_system_dns = true;
    force_tcp = false;
    # Wait for network connectivity at startup before probing resolvers.
    netprobe_timeout = 60;
    # Per-query server timeout, in milliseconds (as in upstream's example).
    timeout = 5000;
    max_clients = 250;
    cache = true;

    # Logging: log_level 2 plus a query log on stdout means every queried
    # name ends up in the journal; retention is then whatever journald keeps.
    log_level = 2;
    use_syslog = true;
    query_log = {
      file = "/dev/stdout";
      format = "tsv";
      ignored_qtypes = [ ];
    };

    # Route upstream traffic through a local SOCKS proxy (e.g. Tor) if wanted:
    #proxy = "socks5://127.0.0.1:9050";

    # Public resolver list, fetched from either mirror and checked against the
    # configured minisign public key before it is trusted.
    # NOTE(review): `cache_file` is a fixed path; with the static service user
    # set below, confirm that directory is writable by that account.
    sources.public-resolvers = {
      urls = [
        "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
        "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
      ];
      cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
      minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
    };

    blocked_names = {
      blocked_names_file = blockedNamesFile;
      #log_file = 'dnscrypt-blacklist-domains.log'
      #log_format = 'tsv'
    };
  };
in
{
  networking = {
    # Point the system resolver at the local proxy only, and keep every other
    # writer (NetworkManager, dhcpcd) away from resolv.conf so no query can
    # silently fall back to a DHCP-provided resolver.
    networkmanager.dns = lib.mkForce "none";
    nameservers = [
      "127.0.0.1"
      "::1"
    ];
    #resolvconf.enable = lib.mkForce false;
    resolvconf.useLocalResolver = true;
    dhcpcd.extraConfig = "nohook resolv.conf";

    # Egress: only the proxy's UID may send DNS on port 53 to the network.
    # NOTE(review): this matches dport 53 only — DoH/DNSCrypt resolvers on
    # other ports (typically 443) must be permitted by another rule, and the
    # `output-net` chain is presumably hooked from a base chain defined in
    # another profile.
    nftables.ruleset = ''
      table inet filter {
        chain output-net {
          meta l4proto { udp, tcp } th dport domain skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS"
        }
      }
    '';
  };

  # Run the daemon under a static account so the firewall rule above can key
  # on its UID (the module's own default account, presumably dynamic, cannot
  # be referenced from nftables).
  systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
  users.groups.dnscrypt-proxy2 = { };
  users.users.dnscrypt-proxy2 = {
    isSystemUser = true;
    group = "dnscrypt-proxy2";
  };

  services.dnscrypt-proxy2 = {
    enable = true;
    upstreamDefaults = true;
    settings = proxySettings;
  };
}