-{ config, pkgs, lib, ... }:
+_:
{
-networking = {
- networkmanager.dns = "none";
- nameservers = [ "127.0.0.1" "::1" ];
- #resolvconf.enable = lib.mkForce false;
- resolvconf.useLocalResolver = true;
- dhcpcd.extraConfig = "nohook resolv.conf";
-};
-systemd.services.dnscrypt-proxy2.serviceConfig.StandardOuput = "journal";
-systemd.services.dnscrypt-proxy2.serviceConfig.SystemCallFilter = [ "@sync" ];
-services.dnscrypt-proxy2 = {
- enable = true;
- # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
- # FIXME: uncomment when updating to 21.05
- #upstreamDefaults = true;
- settings = {
- cache = true;
- disabled_server_names = [
- "cloudflare"
- ];
- dnscrypt_servers = true;
- doh_servers = true;
- fallback_resolvers = [
- "9.9.9.9:53" # Quad9
- "8.8.8.8:53" # Google
- ];
- force_tcp = false;
- ignore_system_dns = true;
- ipv4_servers = true;
- ipv6_servers = true;
- log_level = 2;
- #proxy = "socks5://127.0.0.1:9050";
- max_clients = 250;
- netprobe_timeout = 60;
- query_log = {
- file = "/dev/stdout";
- format = "tsv";
- ignored_qtypes = [];
- };
- require_dnssec = true;
- require_nofilter = true;
- require_nolog = true;
- sources.public-resolvers = {
- urls = [
- "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
- "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ networking = {
+ networkmanager.dns = "none";
+ nameservers = [ "127.0.0.1" "::1" ];
+ #resolvconf.enable = lib.mkForce false;
+ resolvconf.useLocalResolver = true;
+ dhcpcd.extraConfig = "nohook resolv.conf";
+ };
+
+ # Create a user for matching egress on it in the firewall
+ systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
+ users.users.dnscrypt-proxy2 = {
+ isSystemUser = true;
+ group = "dnscrypt-proxy2";
+ };
+ users.groups.dnscrypt-proxy2 = { };
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+ upstreamDefaults = true;
+ settings = {
+ cache = true;
+ disabled_server_names = [
+ "cloudflare"
+ ];
+ dnscrypt_servers = true;
+ doh_servers = true;
+ fallback_resolvers = [
+ "9.9.9.9:53" # Quad9
+ "8.8.8.8:53" # Google
];
- cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
- minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ force_tcp = false;
+ ignore_system_dns = true;
+ ipv4_servers = true;
+ ipv6_servers = true;
+ log_level = 2;
+ #proxy = "socks5://127.0.0.1:9050";
+ max_clients = 250;
+ netprobe_timeout = 60;
+ query_log = {
+ file = "/dev/stdout";
+ format = "tsv";
+ ignored_qtypes = [ ];
+ };
+ require_dnssec = true;
+ require_nofilter = true;
+ require_nolog = true;
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+ timeout = 5000;
+ use_syslog = true;
};
- timeout = 5000;
- use_syslog = true;
};
-};
}
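Review bot: The new `systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2"` override changes which account the daemon runs as, but the hunk keeps `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md"`, so that directory must be owned or writable by the new user or the resolver-list download and minisign-verified cache will fail at first start; if the upstream NixOS module provisions that path with `DynamicUser`/`StateDirectory`, the static user override may also conflict with it, which is worth confirming against the module before merging. The comment on the user block says it exists "for matching egress on it in the firewall", yet no firewall rule keyed on that user appears in this hunk, so either the rule lives elsewhere (say so in the comment, e.g. `# Dedicated user so the nftables/iptables egress rule in <firewall module> can match on it`) or it is still to be written. A deny-all egress policy for everyone else is what gives this user its value; without it the separate account is only a label.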