-{ lib, config, ... }:
-let inherit (config) users; in
-with lib;
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
{
networking = {
- networkmanager.dns = mkForce "none";
- nameservers = [ "127.0.0.1" "::1" ];
+ networkmanager.dns = lib.mkForce "none";
+ nameservers = [
+ "127.0.0.1"
+ "::1"
+ ];
#resolvconf.enable = lib.mkForce false;
resolvconf.useLocalResolver = true;
dhcpcd.extraConfig = "nohook resolv.conf";
};
- services.resolved.enable = false;
# Create a user for matching egress on it in the firewall
systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
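Review bot: Dropping `services.resolved.enable = false;` from this hunk removes the line that turned a second resolver into an evaluation error. While it was set, another module enabling systemd-resolved would have failed with conflicting definitions; without it that configuration evaluates cleanly, and resolved would presumably manage `/etc/resolv.conf` next to the local proxy on `127.0.0.1` / `::1`. Whether its upstream queries could then leave the host unencrypted depends on the rest of the output chain, which is not visible here. The option already defaults to false, so keeping the explicit line costs nothing; if the removal is deliberate, a comment such as `# resolved stays at its default (off); nothing in this config enables it` would record the intent.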
};
timeout = 5000;
use_syslog = true;
+ blocked_names = {
+ blocked_names_file = pkgs.writeText "dnscrypt-proxy2-blocked_names_file" ''
+ *.local
+ *.sp
+ '';
+ #log_file = 'dnscrypt-blacklist-domains.log'
+ #log_format = 'tsv'
+ };
};
};
networking.nftables.ruleset = ''
table inet filter {
chain output-net {
- meta l4proto { udp, tcp } th dport domain skuid ${users.users.dnscrypt-proxy2.name} counter accept comment "DHCP"
+ meta l4proto { udp, tcp } th dport domain skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS"
}
}
'';
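Review bot: Lookups matched by the added `blocked_names` set are refused without any record, because both logging lines are left commented out. Those two lines are also written in TOML rather than Nix (single-quoted strings, no trailing semicolon), so uncommenting them as they stand would break evaluation. If a log of blocked names is wanted for troubleshooting or detection, write them as attributes of `blocked_names`: `log_file = "<path-to-blocked-names-log>";` and `log_format = "tsv";`. A one-line comment above the pattern list saying why `*.local` and `*.sp` are blocked would help the next reader. The enclosing settings set starts outside this hunk.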