zfs: add lzop and mbuffer
[julm/julm-nix.git] / nixos / profiles / dnscrypt-proxy2.nix
index a7a2398022d17cd80b077d8cc845a6ef58903a39..053fe6b87b430410f11d145ceac0fc703b302ad8 100644 (file)
@@ -1,56 +1,61 @@
-{ config, pkgs, lib, ... }:
+_:
 {
-networking = {
-  networkmanager.dns = "none";
-  nameservers = [ "127.0.0.1" "::1" ];
-  #resolvconf.enable = lib.mkForce false;
-  resolvconf.useLocalResolver = true;
-  dhcpcd.extraConfig = "nohook resolv.conf";
-};
-systemd.services.dnscrypt-proxy2.serviceConfig.StandardOuput = "journal";
-systemd.services.dnscrypt-proxy2.serviceConfig.SystemCallFilter = [ "@sync" ];
-services.dnscrypt-proxy2 = {
-  enable = true;
-  # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
-  # FIXME: uncomment when updating to 21.05
-  #upstreamDefaults = true;
-  settings = {
-    cache = true;
-    disabled_server_names = [
-      "cloudflare"
-    ];
-    dnscrypt_servers = true;
-    doh_servers = true;
-    fallback_resolvers = [
-      "9.9.9.9:53" # Quad9
-      "8.8.8.8:53" # Google
-    ];
-    force_tcp = false;
-    ignore_system_dns = true;
-    ipv4_servers = true;
-    ipv6_servers = true;
-    log_level = 2;
-    #proxy = "socks5://127.0.0.1:9050";
-    max_clients = 250;
-    netprobe_timeout = 60;
-    query_log = {
-      file = "/dev/stdout";
-      format = "tsv";
-      ignored_qtypes = [];
-    };
-    require_dnssec = true;
-    require_nofilter = true;
-    require_nolog = true;
-    sources.public-resolvers = {
-      urls = [
-        "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
-        "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+  networking = {
+    networkmanager.dns = "none";
+    nameservers = [ "127.0.0.1" "::1" ];
+    #resolvconf.enable = lib.mkForce false;
+    resolvconf.useLocalResolver = true;
+    dhcpcd.extraConfig = "nohook resolv.conf";
+  };
+
+  # Create a user for matching egress on it in the firewall
+  systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
+  users.users.dnscrypt-proxy2 = {
+    isSystemUser = true;
+    group = "dnscrypt-proxy2";
+  };
+  users.groups.dnscrypt-proxy2 = { };
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+    upstreamDefaults = true;
+    settings = {
+      cache = true;
+      disabled_server_names = [
+        "cloudflare"
+      ];
+      dnscrypt_servers = true;
+      doh_servers = true;
+      fallback_resolvers = [
+        "9.9.9.9:53" # Quad9
+        "8.8.8.8:53" # Google
       ];
-      cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
-      minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      force_tcp = false;
+      ignore_system_dns = true;
+      ipv4_servers = true;
+      ipv6_servers = true;
+      log_level = 2;
+      #proxy = "socks5://127.0.0.1:9050";
+      max_clients = 250;
+      netprobe_timeout = 60;
+      query_log = {
+        file = "/dev/stdout";
+        format = "tsv";
+        ignored_qtypes = [ ];
+      };
+      require_dnssec = true;
+      require_nofilter = true;
+      require_nolog = true;
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+      timeout = 5000;
+      use_syslog = true;
     };
-    timeout = 5000;
-    use_syslog = true;
   };
-};
 }
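Review bot: The comment above `serviceConfig.User` says the account exists so the firewall can match egress on it, but the rule is not in this hunk and nothing here records what that rule has to allow. As configured, the service sends plaintext DNS to the two `fallback_resolvers` on port 53 (with `ignore_system_dns = true` they are the only bootstrap path), fetches the resolver list over HTTPS, and then contacts DNSCrypt/DoH servers on the ports that list gives. An owner match that is too narrow would therefore presumably break bootstrap or list refresh, while one that is too broad defeats the point of the dedicated user. I would extend the comment to something like `# Static user so the firewall can match this service's egress by owner; the rule must allow 53/udp+tcp to fallback_resolvers plus the resolver ports from public-resolvers.md`, and name the file that holds the rule. Separately, the commented-out `#resolvconf.enable = lib.mkForce false;` refers to `lib`, which the new `_:` header no longer binds, so it cannot be uncommented as is.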