authorAlan Pearce2019-10-23 12:00:10 +0200
committerAlan Pearce2019-10-23 12:00:10 +0200
commita551b1a4227de9d0ebfea70d65614d0c63d092e9 (patch)
tree3fe0ed4e4b15308405632aae191f56340b312aaf
parente790af5945e38ab65fb75c105ad292b8da440d34 (diff)
network-manager: use unbound+stubby for cached DNS-over-TLS
-rw-r--r--system/settings/hardware/network-manager.nix28
1 files changed, 25 insertions, 3 deletions
diff --git a/system/settings/hardware/network-manager.nix b/system/settings/hardware/network-manager.nix
index f28548a1..4fc762d5 100644
--- a/system/settings/hardware/network-manager.nix
+++ b/system/settings/hardware/network-manager.nix
@@ -1,10 +1,32 @@
 { config, pkgs, ... }:
 
-{ networking.networkmanager = {
-    enable = true;
-    dns = "unbound";
+{
+  networking = {
+    networkmanager = {
+      enable = true;
+      dns = "none";
+    };
   };
 
+  services.unbound = {
+    enable = true;
+    forwardAddresses = [ "127.0.0.1@5353" ];
+  };
+  services.stubby = {
+    enable = true;
+    roundRobinUpstreams = false;
+    listenAddresses = [ "127.0.0.1@5353" "0::1@5353" ];
+    upstreamServers = ''
+      - address_data: 45.90.28.0
+        tls_auth_name: "abd6e5.dns1.nextdns.io"
+      - address_data: 2a07:a8c0::0
+        tls_auth_name: "abd6e5.dns1.nextdns.io"
+      - address_data: 45.90.30.0
+        tls_auth_name: "abd6e5.dns2.nextdns.io"
+      - address_data: 2a07:a8c1::0
+        tls_auth_name: "abd6e5.dns2.nextdns.io"
+    '';
+  };
   environment.systemPackages = with pkgs; [
     networkmanagerapplet
     networkmanager_dmenu
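Review bot: The resolver chain that the new settings build (NetworkManager with `dns = "none"` → unbound on the standard port → stubby on `127.0.0.1@5353` → DNS-over-TLS upstreams) is implicit, and nothing in the hunk shows what writes `/etc/resolv.conf` now that NetworkManager no longer manages DNS; if the unbound module does not set the local resolver itself, queries may bypass the cache and the TLS hop entirely, so this is worth confirming and documenting with a comment above `services.unbound`, e.g. `# DNS path: NM (dns = "none") -> unbound :53 (cache, validation) -> stubby :5353 -> DoT upstreams`. Related, `forwardAddresses` only lists `127.0.0.1@5353` while stubby also listens on `0::1@5353`, so the IPv6 listener is unused; either drop it or add `"::1@5353"` to the forward list so the two stay in step. Note also that the `tls_auth_name` values embed what looks like a per-profile identifier in the upstream hostnames; anyone who can read this file can resolve through that profile, which is worth a comment acknowledging that the identifier is not secret but does select the account's configuration and logging. The surrounding attribute set continues outside the hunk.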