nix: update the dnscrypt-proxy module

2023-12-09 21:44:46 +01:00 · 2023-12-09 21:44:46 +01:00 · 0b780ea269
commit 0b780ea269
parent 10243fe4eb
1 changed files with 60 additions and 52 deletions
--- a/nix/modules/dnscrypt.nix
+++ b/nix/modules/dnscrypt.nix
@ -4,6 +4,50 @@
  ...
 }: let
  usr = "dnscrypt-proxy";
  listenAddresses = [
    "127.0.0.1:53"
    "[::1]:53"
  ];
  disabledServerNames = [
    "google-ipv6"
    "cloudflare"
    "cloudflare-ipv6"
    "cisco"
    "cisco-ipv6"
    "cisco-familyshield"
    "cisco-familyshield-ipv6"
    "yandex"
    "apple"
    "doh.dns.apple.com"
    "ffmuc.net"
    # "dnswarden-uncensor-dc",
    # "dnswarden-uncensor-dc-swiss",
    # "techsaviours.org-dnscrypt",
    "dns.watch"
    "pryv8boi"
    "dct-at1"
    "dct-ru1"
    "dct-de1"
    # "dnscrypt.be",
    # "meganerd",
    "scaleway-ams"
    "scaleway-fr"
    "dnscrypt.pl"
    "acsacsar-ams-ipv4"
    "dnscrypt.uk-ipv4"
    "adguard-dns-unfiltered"
    "dnscry.pt-vienna-ipv4"
  ];
  bootstrapResolvers = [
    "9.9.9.9:53"
    "84.200.69.80:53"
    "84.200.70.40:53"
    "185.38.27.139:53"
    "130.226.161.34:53"
    # "[2a01:3a0:53:53::]:53"
    # "[2001:67c:28a4::]:53"
    # "[2001:1608:10:25::1c04:b12f]:53"
  ];
 in {
  sops.secrets = {
    dnscrypt-proxy-forwardingRules = {
@ -18,10 +62,7 @@ in {
    # don't go from scratch.
    upstreamDefaults = true;
    settings = {
-      listen_addresses = [
+      listen_addresses = listenAddresses;
        "127.0.0.1:53"
        "[::1]:53"
      ];
      ipv4_servers = true;
      ipv6_servers = false;
      dnscrypt_servers = true;
@ -30,35 +71,7 @@ in {
      require_dnssec = true;
      require_nolog = true;
      require_nofilter = true;
-      disabled_server_names = [
+      disabled_server_names = disabledServerNames;
        "google-ipv6"
        "cloudflare"
        "cloudflare-ipv6"
        "cisco"
        "cisco-ipv6"
        "cisco-familyshield"
        "cisco-familyshield-ipv6"
        "yandex"
        "apple"
        "doh.dns.apple.com"
        "ffmuc.net"
        # "dnswarden-uncensor-dc",
        # "dnswarden-uncensor-dc-swiss",
        # "techsaviours.org-dnscrypt",
        "dns.watch"
        "pryv8boi"
        "dct-at1"
        "dct-ru1"
        "dct-de1"
        # "dnscrypt.be",
        # "meganerd",
        "scaleway-ams"
        "scaleway-fr"
        "dnscrypt.pl"
        "acsacsar-ams-ipv4"
        "dnscrypt.uk-ipv4"
        "adguard-dns-unfiltered"
      ];
      http3 = true;
      timeout = 1000;
      keepalive = 30;
@ -67,16 +80,7 @@ in {
      log_level = 2;
      use_syslog = true;
      cert_refresh_delay = 60;
-      bootstrap_resolvers = [
+      bootstrap_resolvers = bootstrapResolvers;
        "9.9.9.9:53"
        "84.200.69.80:53"
        "84.200.70.40:53"
        "185.38.27.139:53"
        "130.226.161.34:53"
        # "[2a01:3a0:53:53::]:53"
        # "[2001:67c:28a4::]:53"
        # "[2001:1608:10:25::1c04:b12f]:53"
      ];
      ignore_system_dns = true;
      # never timeout;
      netprobe_timeout = -1;
@ -123,15 +127,19 @@ in {
    };
  };
-  systemd.services.dnscrypt-proxy2.serviceConfig = {
+  systemd.services.dnscrypt-proxy2 = {
-    StateDirectory = usr;
+    after = ["sops-nix.service"];
-    WorkingDirectory = "/";
+    wants = ["coredns.service"];
-    # StartLimitIntervalSec = 5;
+    serviceConfig = {
-    StartLimitBurst = 10;
+      StateDirectory = usr;
-    Restart = "always";
+      WorkingDirectory = "/";
-    RestartSec = 7;
+      # StartLimitIntervalSec = 5;
-    User = usr;
+      StartLimitBurst = 10;
-    Group = usr;
+      Restart = "always";
      RestartSec = 7;
      User = usr;
      Group = usr;
    };
  };
  users.users.dnscrypt-proxy = {