-{ lib, ... }:
-with lib;
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
{
networking = {
- networkmanager.dns = mkForce "none";
- nameservers = [ "127.0.0.1" "::1" ];
+ networkmanager.dns = lib.mkForce "none";
+ nameservers = [
+ "127.0.0.1"
+ "::1"
+ ];
#resolvconf.enable = lib.mkForce false;
resolvconf.useLocalResolver = true;
dhcpcd.extraConfig = "nohook resolv.conf";
};
- services.resolved.enable = false;
# Create a user for matching egress on it in the firewall
systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
};
timeout = 5000;
use_syslog = true;
+ blocked_names = {
+ blocked_names_file = pkgs.writeText "dnscrypt-proxy2-blocked_names_file" ''
+ *.local
+ *.sp
+ '';
+ #log_file = 'dnscrypt-blacklist-domains.log'
+ #log_format = 'tsv'
+ };
};
};
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain output-net {
+ meta l4proto { udp, tcp } th dport domain skuid ${config.users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2: DNS"
+ }
+ }
+ '';
}
sourcephile / git / julm / julm-nix.git / blobdiff