inxi: add to essentials
[julm/julm-nix.git] / nixos / profiles / dnscrypt-proxy2.nix
index 3e7ef697bf8ee5f6dbe73ddf1d14025753952a56..4212f79d19bee92ab148c0aed7f0fd294fc3a5d1 100644 (file)
@@ -1,61 +1,68 @@
-{ config, pkgs, lib, ... }:
+{ lib, config, ... }:
 {
-networking = {
-  networkmanager.dns = "none";
-  nameservers = [ "127.0.0.1" "::1" ];
-  #resolvconf.enable = lib.mkForce false;
-  resolvconf.useLocalResolver = true;
-  dhcpcd.extraConfig = "nohook resolv.conf";
-};
+  networking = {
+    networkmanager.dns = lib.mkForce "none";
+    nameservers = [ "127.0.0.1" "::1" ];
+    #resolvconf.enable = lib.mkForce false;
+    resolvconf.useLocalResolver = true;
+    dhcpcd.extraConfig = "nohook resolv.conf";
+  };
 
-# Create a user for matching egress on it in the firewall
-systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
-users.users.dnscrypt-proxy2 = {
-  isSystemUser = true;
-  group = "dnscrypt-proxy2";
-};
-users.groups.dnscrypt-proxy2 = {};
-services.dnscrypt-proxy2 = {
-  enable = true;
-  # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
-  upstreamDefaults = true;
-  settings = {
-    cache = true;
-    disabled_server_names = [
-      "cloudflare"
-    ];
-    dnscrypt_servers = true;
-    doh_servers = true;
-    fallback_resolvers = [
-      "9.9.9.9:53" # Quad9
-      "8.8.8.8:53" # Google
-    ];
-    force_tcp = false;
-    ignore_system_dns = true;
-    ipv4_servers = true;
-    ipv6_servers = true;
-    log_level = 2;
-    #proxy = "socks5://127.0.0.1:9050";
-    max_clients = 250;
-    netprobe_timeout = 60;
-    query_log = {
-      file = "/dev/stdout";
-      format = "tsv";
-      ignored_qtypes = [];
-    };
-    require_dnssec = true;
-    require_nofilter = true;
-    require_nolog = true;
-    sources.public-resolvers = {
-      urls = [
-        "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
-        "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+  # Create a user for matching egress on it in the firewall
+  systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
+  users.users.dnscrypt-proxy2 = {
+    isSystemUser = true;
+    group = "dnscrypt-proxy2";
+  };
+  users.groups.dnscrypt-proxy2 = { };
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+    upstreamDefaults = true;
+    settings = {
+      cache = true;
+      disabled_server_names = [
+        "cloudflare"
+      ];
+      dnscrypt_servers = true;
+      doh_servers = true;
+      fallback_resolvers = [
+        "9.9.9.9:53" # Quad9
+        "8.8.8.8:53" # Google
       ];
-      cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
-      minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      force_tcp = false;
+      ignore_system_dns = true;
+      ipv4_servers = true;
+      ipv6_servers = true;
+      log_level = 2;
+      #proxy = "socks5://127.0.0.1:9050";
+      max_clients = 250;
+      netprobe_timeout = 60;
+      query_log = {
+        file = "/dev/stdout";
+        format = "tsv";
+        ignored_qtypes = [ ];
+      };
+      require_dnssec = true;
+      require_nofilter = true;
+      require_nolog = true;
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+      timeout = 5000;
+      use_syslog = true;
     };
-    timeout = 5000;
-    use_syslog = true;
   };
-};
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain output-net {
+        meta l4proto { udp, tcp } th dport domain skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS"
+      }
+    }
+  '';
 }
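Review bot: The new `networking.nftables.ruleset` accept rule matches only `th dport domain` (port 53) for the dnscrypt-proxy2 uid, while the settings in the same hunk enable `doh_servers` and `dnscrypt_servers` and fetch `sources.public-resolvers` over HTTPS, all of which are normally reached on port 443 rather than 53. If `output-net` ends in a drop policy and no rule outside this file permits 443 for that uid, the proxy would be limited to the plaintext `fallback_resolvers` bootstrap path, which undercuts the `require_dnssec` / `require_nolog` intent; the chain's policy is not visible here, so this is worth confirming. A narrower fix keeps the uid match and widens the port set: `meta l4proto { udp, tcp } th dport { domain, https } skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS, DoH, DNSCrypt"`. DNSCrypt resolvers listed in the public-resolvers source may also use non-443 ports, so a comment noting that such entries will be blocked by this rule would help the next reader.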