| author | Leander Scherer <leander@schererleander.de> | 2026-01-08 17:59:25 +0100 |
|---|---|---|
| committer | Leander Scherer <leander@schererleander.de> | 2026-01-08 19:08:13 +0100 |
| commit | 8a4e66f3c36fb55e59596ef4be865a96e500df9f (patch) | |
| tree | c4175979b1b73d93287b30bd2d683fd16c786360 /modules/hosts/dns | |
| parent | 4f96cf5b2b26f2d5024ec76be3ffb8b9ef351e8c (diff) | |
feat(dns): setup dns over tls module
Diffstat (limited to 'modules/hosts/dns')
| -rw-r--r-- | modules/hosts/dns/default.nix | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/modules/hosts/dns/default.nix b/modules/hosts/dns/default.nix
new file mode 100644
index 0000000..8463367
--- /dev/null
+++ b/modules/hosts/dns/default.nix
@@ -0,0 +1,60 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  inherit (lib) mkOption types mkIf;
+  cfg = config.nx.dns;
+in
+{
+  options.nx.dns = {
+    enable = mkOption {
+      description = "enable DNS-over-TLS using systemd-resolved";
+      type = types.bool;
+      default = false;
+    };
+    servers = mkOption {
+      description = "list of DNS-over-TLS servers to use";
+      type = types.listOf types.str;
+      default = [
+        "1.1.1.1#cloudflare-dns.com"
+        "1.0.0.1#cloudflare-dns.com"
+        "9.9.9.9#dns.quad9.net"
+        "149.112.112.112#dns.quad9.net"
+      ];
+    };
+    fallbackServers = mkOption {
+      description = "fallback DNS servers";
+      type = types.listOf types.str;
+      default = [
+        "8.8.8.8#dns.google"
+        "8.8.4.4#dns.google"
+      ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.resolved = {
+      enable = true;
+      dnssec = "true";
+      dnsovertls = "true";
+      domains = [ "~." ];
+      extraConfig = ''
+        DNSStubListener=yes
+        Cache=yes
+      '';
+    };
+
+    networking = {
+      nameservers = cfg.servers;
+      networkmanager.dns = lib.mkDefault "systemd-resolved";
+    };
+
+    systemd.services.systemd-resolved.environment = {
+      DNS = lib.concatStringsSep " " cfg.servers;
+      FallbackDNS = lib.concatStringsSep " " cfg.fallbackServers;
+    };
+  };
+}
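Review bot: The `systemd.services.systemd-resolved.environment` block at the end of the hunk sets `DNS` and `FallbackDNS` as process environment variables, which systemd-resolved does not read as far as I know (it takes these only from resolved.conf), so `fallbackServers` appears to never take effect, while `DNS` is already delivered by `networking.nameservers = cfg.servers` above. Replace the block with `services.resolved.fallbackDns = cfg.fallbackServers;` (or a `FallbackDNS=` line in `extraConfig`) so the fallback list actually reaches resolved. Because `dnsovertls = "true"` and `dnssec = "true"` are the strict (no-downgrade) settings, any user-supplied entry in `servers` or `fallbackServers` should carry a `#hostname` suffix for certificate validation and point at a DNSSEC-capable resolver, otherwise lookups fail rather than fall back; `types.listOf types.str` does not enforce that, so a comment on the options such as `# strict DoT/DNSSEC: entries must be "ip#hostname" and the server must support both` would help. Per resolved.conf(5), `FallbackDNS` is presumably only consulted when no `DNS=` servers are configured at all, which is worth stating in the `fallbackServers` description.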
