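{ lib, ... }:
{
  # Route all name resolution through the local dnscrypt-proxy instance and
  # keep the other DNS managers (NetworkManager, dhcpcd, systemd-resolved)
  # from rewriting /etc/resolv.conf behind its back.
  networking = {
    networkmanager.dns = lib.mkForce "none";
    nameservers = [ "127.0.0.1" "::1" ];
    #resolvconf.enable = lib.mkForce false;
    resolvconf.useLocalResolver = true;
    # Stop dhcpcd from installing the DHCP-provided resolvers.
    dhcpcd.extraConfig = "nohook resolv.conf";
  };
  services.resolved.enable = false;

  # Run the proxy under a dedicated static user so its egress can be matched
  # on that user in the firewall.
  systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
  users.users.dnscrypt-proxy2 = {
    isSystemUser = true;
    group = "dnscrypt-proxy2";
  };
  users.groups.dnscrypt-proxy2 = { };

  services.dnscrypt-proxy2 = {
    enable = true;
    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
    # Start from the upstream example configuration; `settings` below
    # overrides or extends it.
    upstreamDefaults = true;
    settings = {
      cache = true;
      disabled_server_names = [
        "cloudflare"
      ];
      dnscrypt_servers = true;
      doh_servers = true;
      # Plain port-53 resolvers used only to bootstrap (resolve the source
      # URLs and server hostnames) since ignore_system_dns is set; these
      # bootstrap queries are not encrypted.
      # NOTE(review): newer dnscrypt-proxy releases name this option
      # bootstrap_resolvers — confirm the packaged version still honours the
      # legacy fallback_resolvers key.
      fallback_resolvers = [
        "9.9.9.9:53" # Quad9
        "8.8.8.8:53" # Google
      ];
      force_tcp = false;
      ignore_system_dns = true;
      ipv4_servers = true;
      ipv6_servers = true;
      log_level = 2;
      #proxy = "socks5://127.0.0.1:9050";
      max_clients = 250;
      netprobe_timeout = 60;
      # Every client query is written to stdout (hence the journal) in TSV;
      # review journal retention before enabling this on a multi-user host.
      query_log = {
        file = "/dev/stdout";
        format = "tsv";
        ignored_qtypes = [ ];
      };
      # Resolver selection filters: keep only servers that the resolver list
      # advertises as DNSSEC-capable, non-filtering and non-logging.
      # NOTE(review): these are claims made by the list about each server,
      # not properties verified locally by the proxy.
      require_dnssec = true;
      require_nofilter = true;
      require_nolog = true;
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
        # Minisign public key the downloaded list must be signed with; this
        # is what authenticates the resolver list, so keep it in sync with the
        # key published alongside the upstream list.
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };
      timeout = 5000;
      use_syslog = true;
    };
  };
}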