nix-config-tn/nixos/hosts/common/optional/dnscrypt-proxy2.nix

# Ref: https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2
{ inputs
, outputs
, pkgs
, config
, ...
}: {
  # Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
  config.services.resolved.enable = false;

  # Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt
  # causing a risk of no dns if service fails.
  config.networking = {
    nameservers = [ "10.8.10.1" ]; # TODO make varible IP

    dhcpcd.extraConfig = "nohook resolv.conf";
  };

  # configure secret for forwarding rules
  config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
  config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file

  # Restart dnscrypt when secret changes
  config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];

  config.services.dnscrypt-proxy2 = {
    enable = true;
    settings = {
      require_dnssec = true;
      forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;

      server_names = [ "NextDNS-f6fe35" ];

      static = {
        "NextDNS-f6fe35" = {
          stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
        };
      };
    };
  };
}
feat: initial commit 2024-03-13 22:55:17 +11:00			`# Ref: https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2`
chore: initial format 2024-03-18 20:26:02 +11:00			`{ inputs`
			`, outputs`
			`, pkgs`
			`, config`
			`, ...`
chore: inital pre-commit tidy 2024-03-18 08:04:32 +11:00			`}: {`
feat: initial commit 2024-03-13 22:55:17 +11:00			`# Disable resolvd to ensure it doesnt re-write /etc/resolv.conf`
fix: setting up sops 2024-03-16 23:46:36 +11:00			`config.services.resolved.enable = false;`

			`# Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt`
			`# causing a risk of no dns if service fails.`
			`config.networking = {`
chore: initial format 2024-03-18 20:26:02 +11:00			`nameservers = [ "10.8.10.1" ]; # TODO make varible IP`
fix: setting up sops 2024-03-16 23:46:36 +11:00
feat: initial commit 2024-03-13 22:55:17 +11:00			`dhcpcd.extraConfig = "nohook resolv.conf";`
			`};`

fix: setting up sops 2024-03-16 23:46:36 +11:00			`# configure secret for forwarding rules`
			`config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;`
feat: cleanup 2024-03-17 07:25:35 +11:00			`config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file`
fix: setting up sops 2024-03-16 23:46:36 +11:00
			`# Restart dnscrypt when secret changes`
chore: initial format 2024-03-18 20:26:02 +11:00			`config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];`
fix: setting up sops 2024-03-16 23:46:36 +11:00
			`config.services.dnscrypt-proxy2 = {`
feat: initial commit 2024-03-13 22:55:17 +11:00			`enable = true;`
			`settings = {`
fix: setting up sops 2024-03-16 23:46:36 +11:00			`require_dnssec = true;`
			`forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;`

chore: initial format 2024-03-18 20:26:02 +11:00			`server_names = [ "NextDNS-f6fe35" ];`
fix: setting up sops 2024-03-16 23:46:36 +11:00
			`static = {`
			`"NextDNS-f6fe35" = {`
			`stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";`
feat: initial commit 2024-03-13 22:55:17 +11:00			`};`
fix: setting up sops 2024-03-16 23:46:36 +11:00			`};`
feat: initial commit 2024-03-13 22:55:17 +11:00			`};`
			`};`
			`}`