feat: sops on dnscrypt

truxnell 2024-03-17 00:19:54 +11:00
parent e9133714ad
commit debe0477d9
3 changed files with 14 additions and 8 deletions


@ -13,6 +13,7 @@
nixpkgs-fmt nixpkgs-fmt
nil nil
gh gh
sops
]; ];
programs.mtr.enable = true; programs.mtr.enable = true;


@ -13,18 +13,22 @@
dhcpcd.extraConfig = "nohook resolv.conf"; dhcpcd.extraConfig = "nohook resolv.conf";
}; };
config.users.users.dnscrypt.isSystemUser = true;
config.users.users.dnscrypt.group = "dnscrypt";
config.users.groups.dnscrypt = { };
# configure secret for forwarding rules # configure secret for forwarding rules
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0440"; config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444";
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path = "/run/dnscrypt-forwarding-rules.txt";
# Restart dnscrypt when secret changes # Restart dnscrypt when secret changes
config.sops.secrets.monitoring_token.restartUnits = [ "dnscrypt-proxy2" ]; config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
config.services.dnscrypt-proxy2 = { config.services.dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
require_dnssec = true; require_dnssec = true;
forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path; forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
server_names = [ "NextDNS-f6fe35" ]; server_names = [ "NextDNS-f6fe35" ];
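Review bot: The secret's mode is widened from `0440` to `0444`, which makes the decrypted forwarding rules at `/run/dnscrypt-forwarding-rules.txt` readable by every local user and process, while the `dnscrypt` user and group created a few lines above are never attached to the secret. The intended fix looks like ownership rather than permissions: add `config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".owner = "dnscrypt";` and `config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".group = "dnscrypt";` and keep `mode = "0440";`. If the NixOS `dnscrypt-proxy2` module runs the daemon under a dynamic user rather than the static `dnscrypt` account (worth confirming against the module), the static user would not apply and the group, or a supplementary-group override on the unit, is what needs to match. The `services.dnscrypt-proxy2` attribute set opened at the bottom of the hunk continues outside it.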


@ -12,18 +12,19 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-label/nixos"; {
device = "/dev/disk/by-label/nixos";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-label/boot"; {
device = "/dev/disk/by-label/boot";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices =
[ { device = "/dev/disk/b"; } [{ device = "/dev/sda2"; }];
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's