{ lib, config, ... }:
let
  # Dedicated system account for the resolver. It exists so that the nftables
  # rule at the bottom can match egress by uid (skuid) instead of by port alone.
  proxyUser = "dnscrypt-proxy2";
in
{
  ## System resolver: every lookup goes through the local dnscrypt-proxy.

  # Keep NetworkManager and dhcpcd away from /etc/resolv.conf so that
  # DHCP-supplied resolvers cannot displace the local one.
  networking.networkmanager.dns = lib.mkForce "none";
  networking.dhcpcd.extraConfig = "nohook resolv.conf";
  networking.resolvconf.useLocalResolver = true;
  #networking.resolvconf.enable = lib.mkForce false;
  # Loopback only. listen_addresses is not set below, so this assumes the
  # module/upstream default of 127.0.0.1:53 and [::1]:53 -- confirm if changed.
  networking.nameservers = [ "127.0.0.1" "::1" ];

  ## Service account (static uid, see proxyUser above).
  users.groups.${proxyUser} = { };
  users.users.${proxyUser} = {
    isSystemUser = true;
    group = proxyUser;
  };
  # NOTE(review): the NixOS module may run this unit with DynamicUser; check
  # that the process really runs as this static uid (e.g. `ps -o user -C
  # dnscrypt-proxy`), otherwise the skuid match in the firewall never fires.
  systemd.services.dnscrypt-proxy2.serviceConfig.User = proxyUser;

  services.dnscrypt-proxy2 = {
    enable = true;
    # Start from the upstream example configuration and override selectively:
    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
    upstreamDefaults = true;
    settings = {
      ## Resolver selection.
      # Both encrypted transports are allowed; Cloudflare is excluded by name.
      dnscrypt_servers = true;
      doh_servers = true;
      ipv4_servers = true;
      ipv6_servers = true;
      disabled_server_names = [
        "cloudflare"
      ];
      # These are filters on what each resolver advertises in the source list.
      # They restrict the candidate set; they do not verify the claims, and
      # require_dnssec does not make the proxy validate DNSSEC locally -- the
      # upstream resolver is still trusted for that. (TODO confirm against the
      # dnscrypt-proxy version in use.)
      require_dnssec = true;
      require_nofilter = true;
      require_nolog = true;

      ## Bootstrap / transport.
      # The system resolver points back at this proxy (nameservers above), so
      # using it to resolve the source URLs would loop. The fallback resolvers
      # are plain, unauthenticated DNS on :53 used only for that bootstrap;
      # those queries leave the host in cleartext.
      # NOTE(review): newer dnscrypt-proxy releases renamed this option to
      # bootstrap_resolvers; check the installed version still honours
      # fallback_resolvers.
      ignore_system_dns = true;
      fallback_resolvers = [
        "9.9.9.9:53" # Quad9
        "8.8.8.8:53" # Google
      ];
      force_tcp = false;
      # Route resolver traffic through a local Tor SOCKS port; disabled.
      #proxy = "socks5://127.0.0.1:9050";
      netprobe_timeout = 60;
      timeout = 5000;
      max_clients = 250;
      cache = true;

      ## Logging.
      log_level = 2;
      use_syslog = true;
      # Every query (full qname) is written to stdout, i.e. into the journal.
      # That is a local record of all DNS activity -- weigh it against the
      # no-log requirement imposed on upstreams, and mind journal retention.
      query_log = {
        file = "/dev/stdout";
        format = "tsv";
        ignored_qtypes = [ ];
      };

      ## Resolver list: two mirrors, integrity pinned by the minisign key so
      ## the list's authenticity does not rest on the HTTPS hosts alone.
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        # Must be writable by the service user (assumes the module's state
        # directory is /var/lib/dnscrypt-proxy).
        cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };
    };
  };

  ## Egress rule keyed on the service uid.
  # NOTE(review): this only matches destination port 53 (the fallback
  # resolvers above). DoH resolvers use 443, DNSCrypt resolvers commonly use
  # 443 or other high ports, and the resolver-list fetch is HTTPS. If the
  # output-net chain drops by default (its policy is defined elsewhere), those
  # flows need their own skuid-scoped accept rule, or the proxy cannot reach
  # any encrypted resolver and silently falls back to nothing.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        meta l4proto { udp, tcp } th dport domain skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS"
      }
    }
  '';
}