{
  flake.modules.nixos.dns =
    { lib, ... }:
    let
      # Primary resolvers. The "#name" suffix is systemd-resolved syntax: the
      # name is used as SNI and validated against the server certificate when
      # DNS-over-TLS is in use.
      primary = [
        "194.242.2.2#dns.mullvad.net"
        "2a07:e340::2#dns.mullvad.net"
      ];
      # Consulted only when no primary server answers.
      fallback = [
        "1.1.1.1#cloudflare-dns.com"
        "1.0.0.1#cloudflare-dns.com"
      ];
    in
    {
      services.resolved.enable = true;
      services.resolved.settings.Resolve = {
        DNS = primary;
        FallbackDNS = fallback;
        # Strict DoT: resolved does not fall back to plaintext when the TLS
        # session cannot be established.
        DNSOverTLS = true;
        # "~." makes these servers the route for every name, so per-link
        # servers learned from DHCP do not capture lookups.
        Domains = [ "~." ];
        # NOTE(review): DNSSEC= is left at resolved's built-in default here;
        # set it explicitly if validation is wanted.
      };
      # NOTE(review): the NixOS resolved module also reads networking.nameservers;
      # presumably this only duplicates DNS= rather than conflicting — confirm.
      networking.nameservers = primary;
      # Let NetworkManager hand its DNS configuration to resolved; mkDefault
      # keeps the value overridable per host.
      networking.networkmanager.dns = lib.mkDefault "systemd-resolved";
    };

  flake.modules.darwin.dns =
    { lib, ... }:
    let
      # Signed resolver list; both mirrors serve the same document.
      resolverListUrls = [
        "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
        "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
      ];
    in
    {
      # Local encrypted-DNS forwarder; the system resolver below points at it.
      services.dnscrypt-proxy.enable = true;
      services.dnscrypt-proxy.settings = {
        # Loopback only: nothing else on the network can reach this listener.
        listen_addresses = [ "127.0.0.1:53" ];
        # Upstreams are picked from the public-resolvers list by name.
        server_names = [
          "mullvad-doh"
          "quad9-doh-ip4-filter-pri"
        ];
        # Plain resolvers used for bootstrapping (fetching the resolver list,
        # resolving upstream hostnames).  NOTE(review): newer dnscrypt-proxy
        # releases name this key bootstrap_resolvers — verify the installed
        # version still honours the old name.
        fallback_resolvers = [
          "9.9.9.9:53"
          "1.1.1.1:53"
        ];
        # Never bootstrap through the system's (DHCP-provided) resolvers.
        ignore_system_dns = true;
        sources.public-resolvers = {
          urls = resolverListUrls;
          # /var/tmp is world-writable; the cached list is trusted only because
          # dnscrypt-proxy verifies it against minisign_key before use.
          cache_file = "/var/tmp/public-resolvers.md";
          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        };
      };

      # Service user's home lives under /private on macOS; forced over the
      # module's default.
      users.users._dnscrypt-proxy.home = lib.mkForce "/private/var/lib/dnscrypt-proxy";

      # Run as root so it can bind privileged port 53.
      # NOTE(review): this keeps the whole daemon privileged.  dnscrypt-proxy's
      # user_name setting drops privileges after the sockets are bound —
      # confirm it behaves under launchd here before relying on it.
      launchd.daemons.dnscrypt-proxy.serviceConfig.UserName = lib.mkForce null;
      launchd.daemons.dnscrypt-proxy.serviceConfig.GroupName = lib.mkForce null;

      # Point macOS at the local forwarder.  Presumably only the listed network
      # services receive this override — confirm against the nix-darwin option.
      networking.dns = [ "127.0.0.1" ];
      networking.knownNetworkServices = [
        "Wi-Fi"
        "Thunderbolt Bridge"
      ];
    };
}