# NixOS module wrapped in a function of `inputs` (not referenced in this file).
# It enables dnscrypt-proxy2 with an OpenNIC resolver list plus pinned static
# servers, points resolvconf at the local resolver, adjusts systemd-resolved,
# and defines a `defaultDNS` specialisation that switches the proxy off again.
inputs:
{ config, lib, ... }:
{
services.dnscrypt-proxy2 = {
enable = true;
settings = {
# A properly maintained list, in case all servers go down
# (presumably the static servers pinned below; confirm).
# The attribute is named `public-resolvers`, but both URLs and the cache
# file point at the OpenNIC list (opennic.md), not the general public list.
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/opennic.md"
"https://download.dnscrypt.info/resolvers-list/v3/opennic.md"
];
cache_file = "/var/cache/dnscrypt-proxy/opennic.md";
# Minisign public key dnscrypt-proxy uses to check the signature of the
# downloaded list. It is the trust anchor for every resolver taken from the
# list, so compare it with the upstream project's published key whenever
# this line changes.
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
# Refresh interval for the list (hours, per dnscrypt-proxy's documentation).
refresh_delay = 72;
};
# Statically pinned servers. Each `sdns://` stamp is an opaque base64url blob
# that carries the server's address and, for DNSCrypt entries, its provider
# public key; the names on the left are labels only and are not verified
# against the stamp contents.
# NOTE(review): a one-character change in a stamp can silently repoint DNS to
# a different host or key. Decode and compare stamps against the operator's
# published values when reviewing edits to this block.
static = {
# French servers
"ns1.fr.dns.opennic.glue iriseden DoH".stamp =
"sdns://AgcAAAAAAAAAAAAPbnMxLmlyaXNlZGVuLmZyCWRucy1xdWVyeQ";
"ns3.fr.dns.opennic.glue iriseden DNSCrypt IPv4".stamp =
"sdns://AQcAAAAAAAAAEzYyLjIxMC4xNzcuMTg5OjEwNTMgW8vytBGk6u3kvCpl4q88XjqW-w6JJiJ7QBObcFV7gYAfMi5kbnNjcnlwdC1jZXJ0Lm5zMS5pcmlzZWRlbi5mcg";
"ns3.fr.dns.opennic.glue iriseden DNSCrypt IPv6".stamp =
"sdns://AQcAAAAAAAAAHVsyMDAxOmJjODozMmQ3OjMwODo6MjAxXToxMDUzIEUAcwKTPY6tyEQxtfO3rIzEyqN9w7WGPLz7ZsHsx5EGHzIuZG5zY3J5cHQtY2VydC5uczEuaXJpc2VkZW4uZnI";
"ns4.fr.dns.opennic.glue iriseden DNSCrypt IPv4".stamp =
"sdns://AQcAAAAAAAAAEjYyLjIxMC4xODAuNzE6MTA1MyBxLWt8kNHoMqM7vKXCkuZ3PnB32c0qV2I3KGQYtlDKSB8yLmRuc2NyeXB0LWNlcnQubnMyLmlyaXNlZGVuLmZy";
"ns4.fr.dns.opennic.glue iriseden DNSCrypt IPv6".stamp =
"sdns://AQcAAAAAAAAAHVsyMDAxOmJjODozMmQ3OjMwNzo6MzAxXToxMDUzIJjeEela3WTzMuuZTskr7aOchIg2llSDNRsHfcggITn6HzIuZG5zY3J5cHQtY2VydC5uczIuaXJpc2VkZW4uZnI";
"ns4.fr.dns.opennic.glue iriseden DoH".stamp =
"sdns://AgcAAAAAAAAAAAAPbnMyLmlyaXNlZGVuLmV1CWRucy1xdWVyeQ";
"ns8.fr.dns.opennic.glue iriseden DNSCrypt IPv4".stamp =
"sdns://AQcAAAAAAAAAETE1MS44MC4yMjIuNzk6NDQzIKnWMjpPJYAJJhl1FQLOIx4fdtned2yHxruyig7_2w5OIDIuZG5zY3J5cHQtY2VydC5vcGVubmljLmkycGQueHl6";
"ns8.fr.dns.opennic.glue iriseden DNSCrypt IPv6".stamp =
"sdns://AQcAAAAAAAAAG1syMDAxOjQ3MDoxZjE1OmI4MDo6NTNdOjQ0MyCp1jI6TyWACSYZdRUCziMeH3bZ3ndsh8a7sooO_9sOTiAyLmRuc2NyeXB0LWNlcnQub3Blbm5pYy5pMnBkLnh5eg";
# German servers
"ns8.he.de.dns.opennic.glue ethservices DoH".stamp =
"sdns://AgcAAAAAAAAAAAAcb3Blbm5pYzEuZXRoLXNlcnZpY2VzLmRlOjg1MwA";
"ns21.de.dns.opennic.glue DNSCrypt IPv4".stamp =
"sdns://AQcAAAAAAAAAEDc4LjQ3LjI0My4zOjEwNTMgN4CAbUDR-b3uJJMVzfCdL9ivVV7s8wRhifLRPWBfSmQdMi5kbnNjcnlwdC1jZXJ0Lm5zMS5maXNjaGUuaW8";
"ns21.de.dns.opennic.glue DNSCrypt IPv6".stamp =
"sdns://AQcAAAAAAAAAHFsyYTAxOjRmODoxYzBjOjgwYzk6OjFdOjEwNTMgcmZXgMxIKLKAtkLUX7t6Lhw7j4-PIqXir5hMytnM-W8dMi5kbnNjcnlwdC1jZXJ0Lm5zMS5maXNjaGUuaW8";
"ns28.de.dns.opennic.glue DoH".stamp =
"sdns://AgcAAAAAAAAAAAAVd3d3LmphYmJlci1nZXJtYW55LmRlCWRucy1xdWVyeQ";
"ns29.de.dns.opennic.glue DoH".stamp =
"sdns://AgcAAAAAAAAAAAAQd3d3Lm1vcmJpdHplci5kZQlkbnMtcXVlcnk";
"ns31.de.dns.opennic.glue ethservices DoH".stamp =
"sdns://AgcAAAAAAAAAAAAcb3Blbm5pYzIuZXRoLXNlcnZpY2VzLmRlOjg1MwA";
};
# Cloaking rules are generated from `networking.hosts`: one "<hostname> <addr>"
# line per hostname listed under each address, joined with newlines and
# written to a store file named cloaking-rules.txt via builtins.toFile.
# The Nix store is world-readable, so every host mapping ends up readable by
# all local users.
cloaking_rules = with lib;
let
# `hosts` is the same attribute set that the `attrNames` call below reads
# through `config.networking.hosts`.
inherit (config.networking) hosts;
# Renders all hostnames of one address; an address with an empty hostname
# list renders as an empty string.
entryToCloak = addr:
concatMapStringsSep "\n" (hostname: "${hostname} ${addr}") hosts.${addr};
in
builtins.toFile
"cloaking-rules.txt"
(concatMapStringsSep "\n" entryToCloak (attrNames config.networking.hosts));
};
};
# Point resolvconf at the local resolver only while dnscrypt-proxy2 is enabled.
networking.resolvconf.useLocalResolver = lib.mkIf config.services.dnscrypt-proxy2.enable true;
# Do not use per-link DNS servers for systemd-resolved
services.resolved = {
domains = [ "~." ];
# DNSSEC validation in systemd-resolved is switched off here.
# NOTE(review): no `require_dnssec` setting is visible in the dnscrypt-proxy
# settings above, so nothing shown in this file enforces DNSSEC in the default
# configuration. Confirm this is intentional.
dnssec = "false";
};
# Boot-time alternative that overrides the settings above with mkForce:
# dnscrypt-proxy2 and the local resolver are disabled, resolved goes back to the
# configured search domains, and resolved's DNSSEC setting is turned on.
specialisation.defaultDNS.configuration = {
networking.resolvconf.useLocalResolver = lib.mkForce false;
services.dnscrypt-proxy2.enable = lib.mkForce false;
services.resolved = {
domains = lib.mkForce config.networking.search;
dnssec = lib.mkForce "true";
};
};
}