-rw-r--r-- | system/modules/nextdns.nix | 59 |
1 files changed, 33 insertions, 26 deletions
diff --git a/system/modules/nextdns.nix b/system/modules/nextdns.nix
index 2b7cd23b..7db03b1b 100644
--- a/system/modules/nextdns.nix
+++ b/system/modules/nextdns.nix
@@ -8,6 +8,34 @@ let
 cfg = config.networking.nextdns;
 identifyingPrefix = if cfg.identifyDevice then "${config.networking.hostName}-" else "";
+
+ kresdConfig = {
+ enable = true;
+ extraConfig = ''
+ policy.add(policy.all(policy.TLS_FORWARD({
+ {'45.90.28.0', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
+ {'2a07:a8c0::', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
+ {'45.90.30.0', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'},
+ {'2a07:a8c1::', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'}
+ })))
+ '';
+ };
+
+ stubbyConfig = {
+ enable = true;
+ fallbackProtocols = lib.mkDefault [ "GETDNS_TRANSPORT_TLS" ];
+ roundRobinUpstreams = lib.mkDefault false;
+ upstreamServers = ''
+ - address_data: 45.90.28.0
+ tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
+ - address_data: 2a07:a8c0::0
+ tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
+ - address_data: 45.90.30.0
+ tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
+ - address_data: 2a07:a8c1::0
+ tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
+ '';
+ };
 in {
 options = {
@@ -59,31 +87,10 @@ in
 networkmanager.dns = "none";
 resolvconf.useLocalResolver = true;
 };
- services.kresd = mkIf (cfg.resolver == "kresd") {
- enable = true;
- extraConfig = ''
- policy.add(policy.all(policy.TLS_FORWARD({
- {'45.90.28.0', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
- {'2a07:a8c0::', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
- {'45.90.30.0', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'},
- {'2a07:a8c1::', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'}
- })))
- '';
- };
- services.stubby = mkIf (cfg.resolver == "stubby") {
- enable = true;
- fallbackProtocols = lib.mkDefault [ "GETDNS_TRANSPORT_TLS" ];
- roundRobinUpstreams = lib.mkDefault false;
- upstreamServers = ''
- - address_data: 45.90.28.0
- tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
- - address_data: 2a07:a8c0::0
- tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
- - address_data: 45.90.30.0
- tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
- - address_data: 2a07:a8c1::0
- tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
- '';
- };
+ services = {
+ stubby = mkIf (cfg.resolver == "stubby") stubbyConfig;
+ } // (if !stdenv.isDarwin then {
+ kresd = mkIf (cfg.resolver == "kresd") kresdConfig;
+ } else {});
 };
 }
|
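Review bot: On Darwin the `} else {}` branch silently discards the kresd configuration when `cfg.resolver == "kresd"`, so a user who selected kresd ends up with no DNS-over-TLS resolver at all while the visible context `resolvconf.useLocalResolver = true;` still points the host at a local resolver that is never started; nothing reports the misconfiguration at evaluation time. Add an evaluation-time check next to the `services` attribute, e.g. `assertions = [ { assertion = cfg.resolver != "kresd" || !stdenv.isDarwin; message = "networking.nextdns.resolver = \"kresd\" is not supported on Darwin; use \"stubby\""; } ];`, so the selection fails loudly instead of degrading to a broken or unencrypted fallback. The `stdenv` identifier is used unqualified here; its binding is outside this hunk, so if it is not in the module's argument set this needs to be `pkgs.stdenv.isDarwin`. The enclosing `config` attribute set starts before this hunk.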