From 5b86c92de00318b45085e4abcadc84260d91bc01 Mon Sep 17 00:00:00 2001
From: schererleander
Date: Mon, 16 Mar 2026 00:21:08 +0100
Subject: feat(dns): replace deprecated claudflared proxy-nds with dnscrypt-proxy
---
 modules/services/dns.nix | 39 ++++++++++++++++++++++++---------------
 1 file changed, 24 insertions(+), 15 deletions(-)
(limited to 'modules')
diff --git a/modules/services/dns.nix b/modules/services/dns.nix
index 856ddaa..53347ad 100644
--- a/modules/services/dns.nix
+++ b/modules/services/dns.nix
@@ -36,8 +36,24 @@
 flake.modules.darwin.dns = { pkgs, lib, ... }:
+ let
+ dnscryptToml = pkgs.writeText "dnscrypt-proxy.toml" ''
+ listen_addresses = ['127.0.0.1:53']
+ # The exact names of the servers as defined in the public-resolvers list
+ server_names = ['mullvad-doh', 'quad9-doh-ip4-filter-pri']
+
+ [sources]
+ [sources.'public-resolvers']
+ urls = [
+ 'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
+ 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'
+ ]
+ cache_file = '/var/tmp/public-resolvers.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ '';
+ in
 {
- environment.systemPackages = [ pkgs.cloudflared ];
+ environment.systemPackages = [ pkgs.dnscrypt-proxy ];
 networking = {
 dns = [ "127.0.0.1" ];
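Review bot: `cache_file = '/var/tmp/public-resolvers.md'` places the resolver-list cache, and the `.minisig` file dnscrypt-proxy keeps next to it, in a world-writable directory, while the launchd daemon that reads and rewrites those files appears to run as root. The minisign check covers the list's content, but the path itself can be created or pre-populated by any local account, so the cache is better kept in a directory only the daemon can write, e.g. `cache_file = '<ROOT_OWNED_STATE_DIR>/public-resolvers.md'` (placeholder path). It would also help to record where the pinned key came from, with a comment above `minisign_key` such as `# signing key for public-resolvers.md, copied from upstream example-dnscrypt-proxy.toml`. The module body continues past the end of this hunk.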
@@ -47,25 +63,18 @@
 ];
 };
- launchd.daemons.cloudflared-dns = {
+ launchd.daemons.dnscrypt-proxy = {
 serviceConfig = {
- Label = "com.cloudflare.cloudflared-dns";
+ Label = "com.dnscrypt.proxy";
 ProgramArguments = [
- "${pkgs.cloudflared}/bin/cloudflared"
- "proxy-dns"
- "--upstream"
- "https://dns.mullvad.net/dns-query"
- "--upstream"
- "https://dns.quad9.net/dns-query"
- "--port"
- "53"
- "--address"
- "127.0.0.1"
+ "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy"
+ "-config"
+ "${dnscryptToml}"
 ];
 RunAtLoad = true;
 KeepAlive = true;
- StandardOutPath = "/var/log/cloudflared-dns.log";
- StandardErrorPath = "/var/log/cloudflared-dns.log";
+ StandardOutPath = "/var/log/dnscrypt-proxy.log";
+ StandardErrorPath = "/var/log/dnscrypt-proxy.log";
 };
 };
 };
-- cgit v1.3.1
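Review bot: `launchd.daemons.dnscrypt-proxy` sets no `UserName`, so the proxy presumably keeps root for its whole lifetime, although root is only needed to bind `127.0.0.1:53`. dnscrypt-proxy can drop privileges itself once the socket is open: adding `user_name = '<UNPRIVILEGED_ACCOUNT>'` (placeholder) to the generated TOML would limit what a parsing bug in the resolver can reach, provided the cache file location is writable by that account. Separately, `StandardOutPath` and `StandardErrorPath` both append to `/var/log/dnscrypt-proxy.log` and no rotation is visible in this hunk, so a comment such as `# rotated by <mechanism>` or a newsyslog entry would be worth adding with `KeepAlive = true`.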