From 318579ff8aa64d9e668ae1fd8edd0da720ac6644 Mon Sep 17 00:00:00 2001
From: nostoromo root <root@nostromo.fudo.org>
Date: Mon, 22 Jun 2020 11:10:36 -0700
Subject: [PATCH] Working DNS proxy over HTTPS

---
 config/fudo/secure-dns-proxy.nix | 62 ++++++++++++++++++++++++++++++++
 config/local.nix                 |  3 +-
 hosts/nostromo.nix               | 13 ++++---
 3 files changed, 73 insertions(+), 5 deletions(-)
 create mode 100644 config/fudo/secure-dns-proxy.nix

diff --git a/config/fudo/secure-dns-proxy.nix b/config/fudo/secure-dns-proxy.nix
new file mode 100644
index 0000000..3f481e1
--- /dev/null
+++ b/config/fudo/secure-dns-proxy.nix
@@ -0,0 +1,62 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+let
+  cfg = config.fudo.secure-dns-proxy;
+
+in {
+  options.fudo.secure-dns-proxy = {
+    enable = mkEnableOption "Enable a DNS server using an encrypted upstream source.";
+
+    port = mkOption {
+      type = types.port;
+      description = "Port on which to listen for DNS queries.";
+      default = 53;
+    };
+
+    upstream-dns = mkOption {
+      type = with types; listOf str;
+      description = ''
+        The upstream DNS services to use, in a format useable by dnsproxy.
+
+        See: https://github.com/AdguardTeam/dnsproxy
+      '';
+      default = ["https://cloudflare-dns.com/dns-query"];
+    };
+
+    bootstrap-dns = mkOption {
+      type = types.str;
+      description = "A simple DNS server from which HTTPS DNS can be bootstrapped, if necessary.";
+      default = "1.1.1.1";
+    };
+
+    listen-ips = mkOption {
+      type = with types; listOf str;
+      description = "A list of local IP addresses on which to listen.";
+      default = ["0.0.0.0"];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      dnsproxy
+    ];
+
+    systemd.services.secure-dns-proxy = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "DNS Proxy for secure DNS lookups";
+      serviceConfig = let
+        upstreams = map (upstream: "-u ${upstream}") cfg.upstream-dns;
+        upstream-line = concatStringsSep " " upstreams;
+        listen-line = concatStringsSep " "
+          (map (listen: "-l ${listen}") cfg.listen-ips);
+        cmd = "${pkgs.dnsproxy}/bin/dnsproxy -p ${toString cfg.port} ${upstream-line} ${listen-line} -b ${cfg.bootstrap-dns}";
+
+      in {
+        ExecStart = cmd;
+      };
+    };
+  };
+}
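Review bot: The unit declared at `systemd.services.secure-dns-proxy` sets only `ExecStart`, so dnsproxy runs as root with the full default capability set, although binding the listen port is the only privileged thing it does. The command on the `cmd` line is also assembled by plain string interpolation, so an option value containing a space or quote would be split or mis-parsed by the ExecStart line parser; building an argument list and passing it through `escapeShellArgs` (already in scope via `with lib;`) avoids that. Running the proxy under `DynamicUser` with `CAP_NET_BIND_SERVICE` as the only ambient capability keeps the default port 53 working while dropping root, and `Restart = "on-failure"` covers a bootstrap resolver that is not yet reachable at boot, since ordering after `network.target` alone does not guarantee connectivity. The rewritten `serviceConfig` follows.
```nix
      serviceConfig = let
        # One flag/value pair per element; escaped as a unit below.
        args = [ "-p" (toString cfg.port) "-b" cfg.bootstrap-dns ]
          ++ concatMap (upstream: [ "-u" upstream ]) cfg.upstream-dns
          ++ concatMap (listen: [ "-l" listen ]) cfg.listen-ips;
      in {
        ExecStart = "${pkgs.dnsproxy}/bin/dnsproxy ${escapeShellArgs args}";
        # dnsproxy does not need root: run as an ephemeral user and keep only
        # the capability required to bind the (default) privileged port 53.
        DynamicUser = true;
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        Restart = "on-failure";
      };
```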
diff --git a/config/local.nix b/config/local.nix
index 975917d..0cc9309 100644
--- a/config/local.nix
+++ b/config/local.nix
@@ -18,8 +18,9 @@ with lib;
     ./fudo/node-exporter.nix
     ./fudo/postgres.nix
     ./fudo/prometheus.nix
-    ./fudo/system.nix
+    ./fudo/secure-dns-proxy.nix
     ./fudo/slynk.nix
+    ./fudo/system.nix
     ./fudo/webmail.nix
 
     ../fudo/profiles
diff --git a/hosts/nostromo.nix b/hosts/nostromo.nix
index 32d2831..96277d3 100644
--- a/hosts/nostromo.nix
+++ b/hosts/nostromo.nix
@@ -102,10 +102,15 @@ in {
       ];
     };
 
-    # secure-dns = {
-    #   enable = true;
-    #   port = 9053;
-    # };
+    secure-dns-proxy = {
+      enable = true;
+      port = 3535;
+      upstream-dns = [
+        "https://cloudflare-dns.com/dns-query"
+        # "https://dns.adguard.com/dns-query"
+      ];
+      bootstrap-dns = "1.1.1.1";
+    };
   };
 
   environment.systemPackages = with pkgs; [
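Review bot: The enabled block at `secure-dns-proxy = { … }` sets no `listen-ips`, so the module default of `"0.0.0.0"` applies and the resolver answers on every interface of the host at port 3535, not only locally; nothing in this change restricts that at the firewall, so whether it is reachable from outside depends on the host's existing firewall rules. If the proxy is meant for consumers on this host only, pin it with `listen-ips = [ "127.0.0.1" ];`. The `bootstrap-dns = "1.1.1.1";` line repeats the module default and can be dropped, or kept with a short comment saying the duplication is intentional.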