nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Working DNS proxy over HTTPS

Browse Source
This commit is contained in:
nostoromo root 2020-06-22 11:10:36 -07:00
parent 51fcf8609b
commit 318579ff8a
3 changed files with 73 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
config/fudo/secure-dns-proxy.nix Normal file
View File

@ -0,0 +1,62 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.fudo.secure-dns-proxy;
in {
options.fudo.secure-dns-proxy = {
enable = mkEnableOption "Enable a DNS server using an encrypted upstream source.";
port = mkOption {
type = types.port;
description = "Port on which to listen for DNS queries.";
default = 53;
};
upstream-dns = mkOption {
type = with types; listOf str;
description = ''
The upstream DNS services to use, in a format useable by dnsproxy.
See: https://github.com/AdguardTeam/dnsproxy
'';
default = ["https://cloudflare-dns.com/dns-query"];
};
bootstrap-dns = mkOption {
type = types.str;
description = "A simple DNS server from which HTTPS DNS can be bootstrapped, if necessary.";
default = "1.1.1.1";
};
listen-ips = mkOption {
type = with types; listOf str;
description = "A list of local IP addresses on which to listen.";
default = ["0.0.0.0"];
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
dnsproxy
];
systemd.services.secure-dns-proxy = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "DNS Proxy for secure DNS lookups";
serviceConfig = let
upstreams = map (upstream: "-u ${upstream}") cfg.upstream-dns;
upstream-line = concatStringsSep " " upstreams;
listen-line = concatStringsSep " "
(map (listen: "-l ${listen}") cfg.listen-ips);
cmd = "${pkgs.dnsproxy}/bin/dnsproxy -p ${toString cfg.port} ${upstream-line} ${listen-line} -b ${cfg.bootstrap-dns}";
in {
ExecStart = cmd;
};
};
};
}

3
config/local.nix
View File

@ -18,8 +18,9 @@ with lib;
./fudo/node-exporter.nix ./fudo/node-exporter.nix
./fudo/postgres.nix ./fudo/postgres.nix
./fudo/prometheus.nix ./fudo/prometheus.nix
./fudo/system.nix ./fudo/secure-dns-proxy.nix
./fudo/slynk.nix ./fudo/slynk.nix
./fudo/system.nix
./fudo/webmail.nix ./fudo/webmail.nix
../fudo/profiles ../fudo/profiles

13
hosts/nostromo.nix
View File

@ -102,10 +102,15 @@ in {
]; ];
}; };
# secure-dns = { secure-dns-proxy = {
# enable = true; enable = true;
# port = 9053; port = 3535;
# }; upstream-dns = [
"https://cloudflare-dns.com/dns-query"
# "https://dns.adguard.com/dns-query"
];
bootstrap-dns = "1.1.1.1";
};
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [