feat: sops on dnscrypt
parent
e9133714ad
commit
debe0477d9
3 changed files with 14 additions and 8 deletions
@ -13,6 +13,7 @@
nixpkgs-fmt
|
nixpkgs-fmt
|
||||||
nil
|
nil
|
||||||
gh
|
gh
|
||||||
|
sops
|
||||||
];
|
];
|
||||||
|
|
||||||
programs.mtr.enable = true;
|
programs.mtr.enable = true;
|
@ -13,18 +13,22 @@
dhcpcd.extraConfig = "nohook resolv.conf";
|
dhcpcd.extraConfig = "nohook resolv.conf";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
config.users.users.dnscrypt.isSystemUser = true;
|
||||||
|
config.users.users.dnscrypt.group = "dnscrypt";
|
||||||
|
config.users.groups.dnscrypt = { };
|
||||||
|
|
||||||
# configure secret for forwarding rules
|
# configure secret for forwarding rules
|
||||||
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
|
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
|
||||||
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0440";
|
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444";
|
||||||
|
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path = "/run/dnscrypt-forwarding-rules.txt";
|
||||||
|
|
||||||
# Restart dnscrypt when secret changes
|
# Restart dnscrypt when secret changes
|
||||||
config.sops.secrets.monitoring_token.restartUnits = [ "dnscrypt-proxy2" ];
|
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
|
||||||
|
|
||||||
config.services.dnscrypt-proxy2 = {
|
config.services.dnscrypt-proxy2 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
require_dnssec = true;
|
require_dnssec = true;
|
||||||
|
|
||||||
forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
|
forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
|
||||||
|
|
||||||
server_names = [ "NextDNS-f6fe35" ];
|
server_names = [ "NextDNS-f6fe35" ];
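Review bot: The secret's mode is widened from `0440` to `0444` on the `mode` line, which makes the decrypted forwarding rules at `/run/dnscrypt-forwarding-rules.txt` readable by every local user and process, while the `dnscrypt` user and group declared a few lines earlier are never attached to the secret (no `owner`/`group` is set). The rules are kept in sops presumably because they reveal internal domains and resolver addresses, so a world-readable copy defeats the purpose of encrypting them. Prefer `config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".owner = "dnscrypt";` plus `.group = "dnscrypt";` and keep `.mode = "0440";`. As far as I recall the NixOS dnscrypt-proxy2 unit runs under a dynamic user by default, so the declared account only helps if the service is also made to run as it (or the file is passed in as a systemd credential) — worth confirming before relying on the group grant.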
@ -12,18 +12,19 @@
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-label/nixos";
|
{
|
||||||
|
device = "/dev/disk/by-label/nixos";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-label/boot";
|
{
|
||||||
|
device = "/dev/disk/by-label/boot";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices =
|
||||||
[ { device = "/dev/disk/b"; }
|
[{ device = "/dev/sda2"; }];
|
||||||
];
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
# (the default) this is the recommended approach. When using systemd-networkd it's
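Review bot: The swap device is now `/dev/sda2` on the `swapDevices` line, a kernel-enumerated name that can shift when disks are re-ordered or another drive is attached, unlike the `/dev/disk/by-label/...` references kept for `/` and `/boot` in the same hunk; a mis-enumerated target would silently be used as swap. The entry also has no `randomEncryption`, so memory pages — including the sops-decrypted secrets this host now handles — can be written to disk in clear. Consider `[{ device = "/dev/disk/by-uuid/<swap-uuid>"; randomEncryption.enable = true; }];` with the UUID taken from `blkid` on the machine.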