summary refs log tree commit diff stats
diff options
context:
space:
mode:
-rw-r--r--system/modules/nextdns.nix59
1 files changed, 33 insertions, 26 deletions
diff --git a/system/modules/nextdns.nix b/system/modules/nextdns.nix
index 2b7cd23b..7db03b1b 100644
--- a/system/modules/nextdns.nix
+++ b/system/modules/nextdns.nix
@@ -8,6 +8,34 @@ let
   cfg = config.networking.nextdns;
 
   identifyingPrefix = if cfg.identifyDevice then "${config.networking.hostName}-" else "";
+
+  kresdConfig = {
+    enable = true;
+    extraConfig = ''
+      policy.add(policy.all(policy.TLS_FORWARD({
+        {'45.90.28.0', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
+        {'2a07:a8c0::', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
+        {'45.90.30.0', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'},
+        {'2a07:a8c1::', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'}
+      })))
+    '';
+  };
+
+  stubbyConfig = {
+    enable = true;
+    fallbackProtocols = lib.mkDefault [ "GETDNS_TRANSPORT_TLS" ];
+    roundRobinUpstreams = lib.mkDefault false;
+    upstreamServers = ''
+      - address_data: 45.90.28.0
+        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
+      - address_data: 2a07:a8c0::0
+        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
+      - address_data: 45.90.30.0
+        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
+      - address_data: 2a07:a8c1::0
+        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
+    '';
+  };
 in
 {
   options = {
@@ -59,31 +87,10 @@ in
       networkmanager.dns = "none";
       resolvconf.useLocalResolver = true;
     };
-    services.kresd = mkIf (cfg.resolver == "kresd") {
-      enable = true;
-      extraConfig = ''
-        policy.add(policy.all(policy.TLS_FORWARD({
-        {'45.90.28.0', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
-        {'2a07:a8c0::', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
-        {'45.90.30.0', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'},
-        {'2a07:a8c1::', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'}
-        })))
-      '';
-    };
-    services.stubby = mkIf (cfg.resolver == "stubby") {
-      enable = true;
-      fallbackProtocols = lib.mkDefault [ "GETDNS_TRANSPORT_TLS" ];
-      roundRobinUpstreams = lib.mkDefault false;
-      upstreamServers = ''
-        - address_data: 45.90.28.0
-        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
-        - address_data: 2a07:a8c0::0
-        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
-        - address_data: 45.90.30.0
-        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
-        - address_data: 2a07:a8c1::0
-        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
-      '';
-    };
+    services = {
+      stubby = mkIf (cfg.resolver == "stubby") stubbyConfig;
+    } // (if !stdenv.isDarwin then {
+      kresd = mkIf (cfg.resolver == "kresd") kresdConfig;
+    } else {});
   };
 }