all repos — nixfiles @ a551b1a4227de9d0ebfea70d65614d0c63d092e9

System and user configuration, managed by nix and home-manager

network-manager: use unbound+stubby for cached DNS-over-TLS
Alan Pearce alan@alanpearce.eu
Wed, 23 Oct 2019 12:00:10 +0200
commit

a551b1a4227de9d0ebfea70d65614d0c63d092e9

parent

e790af5945e38ab65fb75c105ad292b8da440d34

1 files changed, 25 insertions(+), 3 deletions(-)

M system/settings/hardware/network-manager.nixsystem/settings/hardware/network-manager.nix
@@ -1,10 +1,32 @@
 { config, pkgs, ... }:
 
-{ networking.networkmanager = {
-    enable = true;
-    dns = "unbound";
+{
+  networking = {
+    networkmanager = {
+      enable = true;
+      dns = "none";
+    };
   };
 
+  services.unbound = {
+    enable = true;
+    forwardAddresses = [ "127.0.0.1@5353" ];
+  };
+  services.stubby = {
+    enable = true;
+    roundRobinUpstreams = false;
+    listenAddresses = [ "127.0.0.1@5353" "0::1@5353" ];
+    upstreamServers = ''
+      - address_data: 45.90.28.0
+        tls_auth_name: "abd6e5.dns1.nextdns.io"
+      - address_data: 2a07:a8c0::0
+        tls_auth_name: "abd6e5.dns1.nextdns.io"
+      - address_data: 45.90.30.0
+        tls_auth_name: "abd6e5.dns2.nextdns.io"
+      - address_data: 2a07:a8c1::0
+        tls_auth_name: "abd6e5.dns2.nextdns.io"
+    '';
+  };
   environment.systemPackages = with pkgs; [
     networkmanagerapplet
     networkmanager_dmenu
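Review bot: Port 5353 in `forwardAddresses` and `listenAddresses` is the mDNS port, so stubby can collide with Avahi or another mDNS responder on hosts that enable one, which would leave unbound without a working forwarder. It is also an unprivileged port, so nothing stops another local process from binding 127.0.0.1:5353 before stubby starts and answering unbound's forwarded queries. A port kept for stubby alone, with the same value in both options, would avoid the clash, e.g. `forwardAddresses = [ "127.0.0.1@53000" ];` and `listenAddresses = [ "127.0.0.1@53000" "0::1@53000" ];` (53000 is only a sample value). Strict TLS here also appears to rest on the stubby module's defaults, so setting `authenticationMode = "GETDNS_AUTHENTICATION_REQUIRED";` explicitly would guard against a default change silently allowing opportunistic mode. The `environment.systemPackages` list continues past the end of the hunk.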