nix: update the dnscrypt-proxy module

2023-12-09 21:44:46 +01:00 · 2023-12-09 21:44:46 +01:00 · 0b780ea269
commit 0b780ea269
parent 10243fe4eb
1 changed files with 60 additions and 52 deletions
--- a/nix/modules/dnscrypt.nix
+++ b/nix/modules/dnscrypt.nix
@ -4,6 +4,50 @@
  ...
 }: let
  usr = "dnscrypt-proxy";
+  listenAddresses = [
+    "127.0.0.1:53"
+    "[::1]:53"
+  ];
+  disabledServerNames = [
+    "google-ipv6"
+    "cloudflare"
+    "cloudflare-ipv6"
+    "cisco"
+    "cisco-ipv6"
+    "cisco-familyshield"
+    "cisco-familyshield-ipv6"
+    "yandex"
+    "apple"
+    "doh.dns.apple.com"
+    "ffmuc.net"
+    # "dnswarden-uncensor-dc",
+    # "dnswarden-uncensor-dc-swiss",
+    # "techsaviours.org-dnscrypt",
+    "dns.watch"
+    "pryv8boi"
+    "dct-at1"
+    "dct-ru1"
+    "dct-de1"
+    # "dnscrypt.be",
+    # "meganerd",
+    "scaleway-ams"
+    "scaleway-fr"
+    "dnscrypt.pl"
+    "acsacsar-ams-ipv4"
+    "dnscrypt.uk-ipv4"
+    "adguard-dns-unfiltered"
+    "dnscry.pt-vienna-ipv4"
+  ];
+  bootstrapResolvers = [
+    "9.9.9.9:53"
+    "84.200.69.80:53"
+    "84.200.70.40:53"
+    "185.38.27.139:53"
+    "130.226.161.34:53"
+    # "[2a01:3a0:53:53::]:53"
+    # "[2001:67c:28a4::]:53"
+    # "[2001:1608:10:25::1c04:b12f]:53"
+  ];
 in {
  sops.secrets = {
    dnscrypt-proxy-forwardingRules = {
@ -18,10 +62,7 @@ in {
    # don't go from scratch.
    upstreamDefaults = true;
    settings = {
-      listen_addresses = [
-        "127.0.0.1:53"
-        "[::1]:53"
-      ];
+      listen_addresses = listenAddresses;
      ipv4_servers = true;
      ipv6_servers = false;
      dnscrypt_servers = true;
@ -30,35 +71,7 @@ in {
      require_dnssec = true;
      require_nolog = true;
      require_nofilter = true;
-      disabled_server_names = [
-        "google-ipv6"
-        "cloudflare"
-        "cloudflare-ipv6"
-        "cisco"
-        "cisco-ipv6"
-        "cisco-familyshield"
-        "cisco-familyshield-ipv6"
-        "yandex"
-        "apple"
-        "doh.dns.apple.com"
-        "ffmuc.net"
-        # "dnswarden-uncensor-dc",
-        # "dnswarden-uncensor-dc-swiss",
-        # "techsaviours.org-dnscrypt",
-        "dns.watch"
-        "pryv8boi"
-        "dct-at1"
-        "dct-ru1"
-        "dct-de1"
-        # "dnscrypt.be",
-        # "meganerd",
-        "scaleway-ams"
-        "scaleway-fr"
-        "dnscrypt.pl"
-        "acsacsar-ams-ipv4"
-        "dnscrypt.uk-ipv4"
-        "adguard-dns-unfiltered"
-      ];
+      disabled_server_names = disabledServerNames;
      http3 = true;
      timeout = 1000;
      keepalive = 30;
@ -67,16 +80,7 @@ in {
      log_level = 2;
      use_syslog = true;
      cert_refresh_delay = 60;
-      bootstrap_resolvers = [
-        "9.9.9.9:53"
-        "84.200.69.80:53"
-        "84.200.70.40:53"
-        "185.38.27.139:53"
-        "130.226.161.34:53"
-        # "[2a01:3a0:53:53::]:53"
-        # "[2001:67c:28a4::]:53"
-        # "[2001:1608:10:25::1c04:b12f]:53"
-      ];
+      bootstrap_resolvers = bootstrapResolvers;
      ignore_system_dns = true;
      # never timeout;
      netprobe_timeout = -1;
@ -123,15 +127,19 @@ in {
    };
  };

-  systemd.services.dnscrypt-proxy2.serviceConfig = {
-    StateDirectory = usr;
-    WorkingDirectory = "/";
-    # StartLimitIntervalSec = 5;
-    StartLimitBurst = 10;
-    Restart = "always";
-    RestartSec = 7;
-    User = usr;
-    Group = usr;
+  systemd.services.dnscrypt-proxy2 = {
+    after = ["sops-nix.service"];
+    wants = ["coredns.service"];
+    serviceConfig = {
+      StateDirectory = usr;
+      WorkingDirectory = "/";
+      # StartLimitIntervalSec = 5;
+      StartLimitBurst = 10;
+      Restart = "always";
+      RestartSec = 7;
+      User = usr;
+      Group = usr;
+    };
  };

  users.users.dnscrypt-proxy = {