{ lib, config, ... }:
let
  # Dedicated account the proxy runs as; the nftables rule below keys
  # egress on this user so DNS traffic from the proxy can be told apart
  # from everything else on the host.
  dnsUser = "dnscrypt-proxy2";
  dnsGroup = "dnscrypt-proxy2";
in
{
  networking = {
    # Point the system resolver only at the local dnscrypt-proxy listener
    # and keep NetworkManager / dhcpcd / resolvconf from replacing
    # resolv.conf with DHCP-supplied servers.
    nameservers = [ "127.0.0.1" "::1" ];
    networkmanager.dns = lib.mkForce "none";
    #resolvconf.enable = lib.mkForce false;
    resolvconf.useLocalResolver = true;
    dhcpcd.extraConfig = "nohook resolv.conf";

    # Egress rule for the proxy process. "domain" is port 53, so this rule
    # only covers plaintext DNS (i.e. the bootstrap resolvers configured
    # below). Encrypted upstreams (DoH / DNSCrypt, commonly on 443) are not
    # matched by it and need to be permitted by other rules. The
    # output-net chain and its hook are not defined in this file.
    nftables.ruleset = ''
      table inet filter {
        chain output-net {
          meta l4proto { udp, tcp } th dport domain skuid ${config.users.users.${dnsUser}.name} counter accept comment "dnscrypt-proxy2: DNS"
        }
      }
    '';
  };

  # Create a user for matching egress on it in the firewall.
  # The service is pinned to this static account explicitly; if the NixOS
  # module enables DynamicUser, systemd reuses an existing static user of
  # the same name instead of allocating one (confirm against the module).
  systemd.services.dnscrypt-proxy2.serviceConfig.User = dnsUser;
  users.users.${dnsUser} = {
    isSystemUser = true;
    group = dnsGroup;
  };
  users.groups.${dnsGroup} = { };

  services.dnscrypt-proxy2 = {
    enable = true;
    # Start from the upstream example configuration and override the keys
    # below:
    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
    upstreamDefaults = true;
    settings = {
      # --- resolver selection -------------------------------------------
      dnscrypt_servers = true;
      doh_servers = true;
      ipv4_servers = true;
      ipv6_servers = true;
      # Keep only resolvers whose list entry advertises these properties.
      # These are filters on the advertised flags; they do not enable
      # local DNSSEC validation in the proxy.
      require_dnssec = true;
      require_nofilter = true;
      require_nolog = true;
      disabled_server_names = [ "cloudflare" ];

      # Signed resolver list. minisign_key is the public key used to
      # verify the downloaded list before it is trusted; cache_file is
      # where the verified copy is kept (assumes the service can write
      # under /var/lib/dnscrypt-proxy, e.g. via StateDirectory - confirm).
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };

      # --- bootstrap ------------------------------------------------------
      # Plaintext resolvers used to look up the source URLs before the
      # list is available. The system resolver is this proxy itself (see
      # networking.nameservers), so it must not be consulted for that.
      # Newer dnscrypt-proxy releases name this key bootstrap_resolvers;
      # check which spelling the installed version accepts.
      ignore_system_dns = true;
      fallback_resolvers = [
        "9.9.9.9:53" # Quad9
        "8.8.8.8:53" # Google
      ];

      # --- transport / limits ---------------------------------------------
      cache = true;
      force_tcp = false;
      max_clients = 250;
      netprobe_timeout = 60;
      timeout = 5000;
      #proxy = "socks5://127.0.0.1:9050";

      # --- logging ----------------------------------------------------------
      # Every query is written to stdout (and hence the journal) as TSV;
      # an empty ignored_qtypes means no record type is excluded.
      log_level = 2;
      use_syslog = true;
      query_log = {
        file = "/dev/stdout";
        format = "tsv";
        ignored_qtypes = [ ];
      };
    };
  };
}