-{ lib, ... }:
-with lib;
+{ lib, config, ... }:
{
networking = {
- networkmanager.dns = mkForce "none";
+ networkmanager.dns = lib.mkForce "none";
nameservers = [ "127.0.0.1" "::1" ];
#resolvconf.enable = lib.mkForce false;
resolvconf.useLocalResolver = true;
dhcpcd.extraConfig = "nohook resolv.conf";
};
- services.resolved.enable = false;
# Create a user for matching egress on it in the firewall
systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
use_syslog = true;
};
};
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain output-net {
+ meta l4proto { udp, tcp } th dport domain skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS"
+ }
+ }
+ '';
}
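Review bot: The accept rule added to `output-net` lets the dnscrypt-proxy2 uid send plaintext DNS (udp/tcp to port `domain`) to any destination, which is wider than the proxy needs if port 53 is only used to reach its bootstrap resolvers. Consider pinning the destinations, e.g. `meta l4proto { udp, tcp } th dport domain ip daddr { <BOOTSTRAP_RESOLVER_IPV4> } skuid ${config.users.users.dnscrypt-proxy2.name} counter accept`, with an `ip6 daddr` counterpart if IPv6 bootstrap resolvers are configured. A short comment above the rule, such as `# plaintext :53 egress is for the proxy's bootstrap resolvers only`, would record the intent. The `output-net` chain, its jump and any final drop/reject are defined outside this diff, so it is worth confirming that this fragment is merged ahead of a terminal rule in that chain. If the order matters, an explicit `lib.mkBefore` or `lib.mkOrder` on the ruleset string would make it deterministic.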