inputs:
{ config, lib, ... }:
let
  cfg = config.services.dnscrypt-proxy2;
  hosts = config.networking.hosts;

  # Render every hostname mapped to `addr` in networking.hosts as one
  # "<hostname> <address>" cloaking line.
  cloakLinesFor = addr:
    lib.concatMapStringsSep "\n" (name: "${name} ${addr}") hosts.${addr};

  # dnscrypt-proxy cloaking_rules file, built in the Nix store from
  # networking.hosts so both resolvers agree on the same local names.
  cloakingRules = builtins.toFile "cloaking-rules.txt"
    (lib.concatMapStringsSep "\n" cloakLinesFor (lib.attrNames hosts));

  # OpenNIC resolver stamps (DoH and DNSCrypt, IPv4/IPv6), keyed by display name.
  frenchServers = {
    "ns1.fr.dns.opennic.glue iriseden DoH" = {
      stamp = "sdns://AgcAAAAAAAAAAAAPbnMxLmlyaXNlZGVuLmZyCWRucy1xdWVyeQ";
    };
    "ns3.fr.dns.opennic.glue iriseden DNSCrypt IPv4" = {
      stamp = "sdns://AQcAAAAAAAAAEzYyLjIxMC4xNzcuMTg5OjEwNTMgW8vytBGk6u3kvCpl4q88XjqW-w6JJiJ7QBObcFV7gYAfMi5kbnNjcnlwdC1jZXJ0Lm5zMS5pcmlzZWRlbi5mcg";
    };
    "ns3.fr.dns.opennic.glue iriseden DNSCrypt IPv6" = {
      stamp = "sdns://AQcAAAAAAAAAHVsyMDAxOmJjODozMmQ3OjMwODo6MjAxXToxMDUzIEUAcwKTPY6tyEQxtfO3rIzEyqN9w7WGPLz7ZsHsx5EGHzIuZG5zY3J5cHQtY2VydC5uczEuaXJpc2VkZW4uZnI";
    };
    "ns4.fr.dns.opennic.glue iriseden DNSCrypt IPv4" = {
      stamp = "sdns://AQcAAAAAAAAAEjYyLjIxMC4xODAuNzE6MTA1MyBxLWt8kNHoMqM7vKXCkuZ3PnB32c0qV2I3KGQYtlDKSB8yLmRuc2NyeXB0LWNlcnQubnMyLmlyaXNlZGVuLmZy";
    };
    "ns4.fr.dns.opennic.glue iriseden DNSCrypt IPv6" = {
      stamp = "sdns://AQcAAAAAAAAAHVsyMDAxOmJjODozMmQ3OjMwNzo6MzAxXToxMDUzIJjeEela3WTzMuuZTskr7aOchIg2llSDNRsHfcggITn6HzIuZG5zY3J5cHQtY2VydC5uczIuaXJpc2VkZW4uZnI";
    };
    "ns4.fr.dns.opennic.glue iriseden DoH" = {
      stamp = "sdns://AgcAAAAAAAAAAAAPbnMyLmlyaXNlZGVuLmV1CWRucy1xdWVyeQ";
    };
    "ns8.fr.dns.opennic.glue iriseden DNSCrypt IPv4" = {
      stamp = "sdns://AQcAAAAAAAAAETE1MS44MC4yMjIuNzk6NDQzIKnWMjpPJYAJJhl1FQLOIx4fdtned2yHxruyig7_2w5OIDIuZG5zY3J5cHQtY2VydC5vcGVubmljLmkycGQueHl6";
    };
    "ns8.fr.dns.opennic.glue iriseden DNSCrypt IPv6" = {
      stamp = "sdns://AQcAAAAAAAAAG1syMDAxOjQ3MDoxZjE1OmI4MDo6NTNdOjQ0MyCp1jI6TyWACSYZdRUCziMeH3bZ3ndsh8a7sooO_9sOTiAyLmRuc2NyeXB0LWNlcnQub3Blbm5pYy5pMnBkLnh5eg";
    };
  };

  germanServers = {
    "ns8.he.de.dns.opennic.glue ethservices DoH" = {
      stamp = "sdns://AgcAAAAAAAAAAAAcb3Blbm5pYzEuZXRoLXNlcnZpY2VzLmRlOjg1MwA";
    };
    "ns21.de.dns.opennic.glue DNSCrypt IPv4" = {
      stamp = "sdns://AQcAAAAAAAAAEDc4LjQ3LjI0My4zOjEwNTMgN4CAbUDR-b3uJJMVzfCdL9ivVV7s8wRhifLRPWBfSmQdMi5kbnNjcnlwdC1jZXJ0Lm5zMS5maXNjaGUuaW8";
    };
    "ns21.de.dns.opennic.glue DNSCrypt IPv6" = {
      stamp = "sdns://AQcAAAAAAAAAHFsyYTAxOjRmODoxYzBjOjgwYzk6OjFdOjEwNTMgcmZXgMxIKLKAtkLUX7t6Lhw7j4-PIqXir5hMytnM-W8dMi5kbnNjcnlwdC1jZXJ0Lm5zMS5maXNjaGUuaW8";
    };
    "ns28.de.dns.opennic.glue DoH" = {
      stamp = "sdns://AgcAAAAAAAAAAAAVd3d3LmphYmJlci1nZXJtYW55LmRlCWRucy1xdWVyeQ";
    };
    "ns29.de.dns.opennic.glue DoH" = {
      stamp = "sdns://AgcAAAAAAAAAAAAQd3d3Lm1vcmJpdHplci5kZQlkbnMtcXVlcnk";
    };
    "ns31.de.dns.opennic.glue ethservices DoH" = {
      stamp = "sdns://AgcAAAAAAAAAAAAcb3Blbm5pYzIuZXRoLXNlcnZpY2VzLmRlOjg1MwA";
    };
  };
in
{
  services.dnscrypt-proxy2 = {
    enable = true;
    settings = {
      # Signed, maintained resolver list as a fallback should every static
      # server below go down. The list is only accepted if it verifies
      # against `minisign_key`.
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/opennic.md"
          "https://download.dnscrypt.info/resolvers-list/v3/opennic.md"
        ];
        cache_file = "/var/cache/dnscrypt-proxy/opennic.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        refresh_delay = 72;
      };

      # Hand-picked upstreams, pinned by DNS stamp rather than fetched.
      static = frenchServers // germanServers;

      cloaking_rules = cloakingRules;
    };
  };

  # Point /etc/resolv.conf at the local stub whenever dnscrypt-proxy is on.
  networking.resolvconf.useLocalResolver = lib.mkIf cfg.enable true;

  # Route every lookup through the global servers instead of per-link DNS.
  # DNSSEC validation in resolved is off while dnscrypt-proxy is in front.
  services.resolved = {
    domains = [ "~." ];
    dnssec = "false";
  };

  # Boot entry without dnscrypt-proxy: plain resolved with the configured
  # search domains and DNSSEC validation turned back on.
  specialisation.defaultDNS.configuration = {
    networking.resolvconf.useLocalResolver = lib.mkForce false;
    services.dnscrypt-proxy2.enable = lib.mkForce false;
    services.resolved = {
      domains = lib.mkForce config.networking.search;
      dnssec = lib.mkForce "true";
    };
  };
}