nix: update the dnscrypt-proxy module

surtur 2023-12-09 21:44:46 +01:00
parent 10243fe4eb
commit 0b780ea269
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI

@ -4,33 +4,11 @@
}: let }: let
usr = "dnscrypt-proxy"; usr = "dnscrypt-proxy";
in { listenAddresses = [
sops.secrets = {
dnscrypt-proxy-forwardingRules = {
sopsFile = ../secrets/dnscrypt-proxy.yaml;
owner = usr;
group = usr;
};
};
services.dnscrypt-proxy2 = {
enable = true;
# don't go from scratch.
upstreamDefaults = true;
settings = {
listen_addresses = [
"127.0.0.1:53" "127.0.0.1:53"
"[::1]:53" "[::1]:53"
]; ];
ipv4_servers = true; disabledServerNames = [
ipv6_servers = false;
dnscrypt_servers = true;
doh_servers = true;
odoh_servers = false;
require_dnssec = true;
require_nolog = true;
require_nofilter = true;
disabled_server_names = [
"google-ipv6" "google-ipv6"
"cloudflare" "cloudflare"
"cloudflare-ipv6" "cloudflare-ipv6"
@ -58,16 +36,9 @@ in {
"acsacsar-ams-ipv4" "acsacsar-ams-ipv4"
"dnscrypt.uk-ipv4" "dnscrypt.uk-ipv4"
"adguard-dns-unfiltered" "adguard-dns-unfiltered"
"dnscry.pt-vienna-ipv4"
]; ];
http3 = true; bootstrapResolvers = [
timeout = 1000;
keepalive = 30;
lb_strategy = "p7";
lb_estimator = true;
log_level = 2;
use_syslog = true;
cert_refresh_delay = 60;
bootstrap_resolvers = [
"9.9.9.9:53" "9.9.9.9:53"
"84.200.69.80:53" "84.200.69.80:53"
"84.200.70.40:53" "84.200.70.40:53"
@ -77,6 +48,39 @@ in {
# "[2001:67c:28a4::]:53" # "[2001:67c:28a4::]:53"
# "[2001:1608:10:25::1c04:b12f]:53" # "[2001:1608:10:25::1c04:b12f]:53"
]; ];
in {
sops.secrets = {
dnscrypt-proxy-forwardingRules = {
sopsFile = ../secrets/dnscrypt-proxy.yaml;
owner = usr;
group = usr;
};
};
services.dnscrypt-proxy2 = {
enable = true;
# don't go from scratch.
upstreamDefaults = true;
settings = {
listen_addresses = listenAddresses;
ipv4_servers = true;
ipv6_servers = false;
dnscrypt_servers = true;
doh_servers = true;
odoh_servers = false;
require_dnssec = true;
require_nolog = true;
require_nofilter = true;
disabled_server_names = disabledServerNames;
http3 = true;
timeout = 1000;
keepalive = 30;
lb_strategy = "p7";
lb_estimator = true;
log_level = 2;
use_syslog = true;
cert_refresh_delay = 60;
bootstrap_resolvers = bootstrapResolvers;
ignore_system_dns = true; ignore_system_dns = true;
# never timeout; # never timeout;
netprobe_timeout = -1; netprobe_timeout = -1;
@ -123,7 +127,10 @@ in {
}; };
}; };
systemd.services.dnscrypt-proxy2.serviceConfig = { systemd.services.dnscrypt-proxy2 = {
after = ["sops-nix.service"];
wants = ["coredns.service"];
serviceConfig = {
StateDirectory = usr; StateDirectory = usr;
WorkingDirectory = "/"; WorkingDirectory = "/";
# StartLimitIntervalSec = 5; # StartLimitIntervalSec = 5;
@ -133,6 +140,7 @@ in {
User = usr; User = usr;
Group = usr; Group = usr;
}; };
};
users.users.dnscrypt-proxy = { users.users.dnscrypt-proxy = {
group = usr; group = usr;