nichts/modules/system/os/networking/dns.nix

{
  config,
  lib,
  pkgs,
  ...
}: let
  StateDirectory = "dnscrypt-proxy";
  inherit (lib.modules) mkForce;
in {
  networking = {
    networkmanager.dns = mkForce "none";
    nameservers = [
      "127.0.0.1"
      "::1"
    ];
  };

  # See https://wiki.nixos.org/wiki/Encrypted_DNS
  services.dnscrypt-proxy2 = {
    enable = true;
    # See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
    settings = {
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; # See https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
        cache_file = "/var/lib/${StateDirectory}/public-resolvers.md";
      };

      # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
      ipv6_servers = true;

      # Server must support DNS security extensions (DNSSEC)
      require_dnssec = true;

      # Server must not log user queries (declarative)
      require_nolog = true;

      # Server must not enforce its own blocklist (for parental control, ads blocking...)
      require_nofilter = true;

      ## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
      ## Note that, like DNSCrypt but unlike other HTTP versions, this uses
      ## UDP and (usually) port 443 instead of TCP.
      http3 = false;

      ## Enable a DNS cache to reduce latency and outgoing traffic.
      cache = true;
    };
  };

  systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;
}
feat: schizo networking 2025-05-08 19:51:32 +02:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}: let`
			`StateDirectory = "dnscrypt-proxy";`
			`inherit (lib.modules) mkForce;`
			`in {`
			`networking = {`
			`networkmanager.dns = mkForce "none";`
			`nameservers = [`
			`"127.0.0.1"`
			`"::1"`
			`];`
			`};`

			`# See https://wiki.nixos.org/wiki/Encrypted_DNS`
			`services.dnscrypt-proxy2 = {`
			`enable = true;`
			`# See https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml`
			`settings = {`
			`sources.public-resolvers = {`
			`urls = [`
			`"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"`
			`"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"`
			`];`
			`minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; # See https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md`
			`cache_file = "/var/lib/${StateDirectory}/public-resolvers.md";`
			`};`

			`# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity`
			`ipv6_servers = true;`

			`# Server must support DNS security extensions (DNSSEC)`
			`require_dnssec = true;`

			`# Server must not log user queries (declarative)`
			`require_nolog = true;`

			`# Server must not enforce its own blocklist (for parental control, ads blocking...)`
			`require_nofilter = true;`

			`## Enable experimental support for HTTP/3 (DoH3, HTTP over QUIC)`
			`## Note that, like DNSCrypt but unlike other HTTP versions, this uses`
			`## UDP and (usually) port 443 instead of TCP.`
			`http3 = false;`

			`## Enable a DNS cache to reduce latency and outgoing traffic.`
			`cache = true;`
			`};`
			`};`

			`systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = StateDirectory;`
			`}`