{
  config,
  lib,
  pkgs,
  ...
}:
let
  # Name of the unit's systemd StateDirectory. systemd materialises it as
  # /var/lib/<stateDir>, and the resolver-list cache below must live inside it.
  stateDir = "dnscrypt-proxy";
  resolverListCache = "/var/lib/${stateDir}/public-resolvers.md";
in
{
  # Every system resolver entry points at the local dnscrypt-proxy listener.
  # There is deliberately no plaintext fallback, so if the proxy is stopped,
  # name resolution fails closed instead of leaking queries to the network.
  # NOTE(review): the "::1" entry assumes the NixOS module's default
  # listen_addresses include [::1]:53 next to 127.0.0.1:53 -- confirm.
  networking.nameservers = [
    "127.0.0.1"
    "::1"
  ];
  # Stop NetworkManager from managing resolv.conf, which would otherwise replace
  # the loopback nameservers above with whatever the network hands out.
  # mkForce makes this win over any other module that sets the option.
  networking.networkmanager.dns = lib.mkForce "none";

  # See https://wiki.nixos.org/wiki/Encrypted_DNS
  services.dnscrypt-proxy2.enable = true;
  # Option names mirror the upstream example configuration:
  # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
  services.dnscrypt-proxy2.settings = {
    sources.public-resolvers = {
      # Two mirrors of the same signed resolver list.
      urls = [
        "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
        "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
      ];
      # Minisign public key the proxy uses to verify the signature on the
      # downloaded list. It is the trust anchor for which resolvers can be
      # selected at all: compare against the key published at
      # https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
      # before ever changing it.
      minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      cache_file = resolverListCache;
    };

    # Also consider resolvers that are only reachable over IPv6.
    # Leave this off on hosts without IPv6 connectivity.
    ipv6_servers = true;

    # Resolver selection filters. All three are properties the operators
    # declare in the signed list; the proxy filters on them but has no way to
    # verify them itself.
    # Resolver advertises DNSSEC support.
    # NOTE(review): this selects resolvers claiming DNSSEC; it does not by
    # itself turn on local validation -- confirm if that is required.
    require_dnssec = true;
    # Resolver declares that it does not log user queries.
    require_nolog = true;
    # Resolver declares that it applies no blocklist of its own
    # (ads, parental control, ...).
    require_nofilter = true;

    ## *Experimental* HTTP/3 (DoH3, HTTP over QUIC) support. Like DNSCrypt but
    ## unlike the other HTTP versions this runs over UDP, usually on port 443.
    http3 = false;

    ## Local DNS cache: lower latency and less outgoing traffic.
    cache = true;
  };

  # cache_file above lives under /var/lib/<stateDir>; declaring that directory
  # as the unit's StateDirectory lets systemd create it with ownership the
  # service can write to. Presumably required because the NixOS module runs
  # the proxy sandboxed -- confirm against the module definition.
  systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = stateDir;
}