Diffstat (limited to 'system/modules/nextdns.nix')
-rw-r--r--system/modules/nextdns.nix92
1 files changed, 92 insertions, 0 deletions
diff --git a/system/modules/nextdns.nix b/system/modules/nextdns.nix
new file mode 100644
index 00000000..6de4acdb
--- /dev/null
+++ b/system/modules/nextdns.nix
@@ -0,0 +1,92 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  inherit (pkgs) stdenv;
+
+  cfg = config.networking.nextdns;
+
+  identifyingPrefix = if cfg.identifyDevice then "${config.networking.hostName}-" else "";
+in
+{
+  options = {
+    networking.nextdns.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to enable DNS resolution via NextDNS";
+    };
+
+    networking.nextdns.configID = mkOption {
+      type = types.str;
+      default = "";
+      example = literalExample "abcdef";
+      description = "NextDNS configuration ID";
+    };
+
+    networking.nextdns.identifyDevice = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to send hostname for identifying in your logs";
+    };
+
+    networking.nextdns.resolver = mkOption {
+      type = types.enum [ "kresd" "stubby" ];
+      default = if stdenv.isDarwin then "stubby" else "kresd";
+      description = "Resolver to use";
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    assertions = [
+      {
+        assertion = !(stdenv.isDarwin && cfg.resolver == "kresd");
+        message = "kresd is not supported on Darwin";
+      }
+    ];
+    networking = if stdenv.isDarwin then
+    {
+      dns = [
+        "::1"
+        "127.0.0.1"
+        "2a07:a8c0::ab:d6e5"
+        "2a07:a8c1::ab:d6e5"
+        "45.90.28.25"
+        "45.90.30.25"
+      ];
+    } else {
+      networking.networkmanager.dns = "none";
+      resolvconf.useLocalResolver = true;
+    };
+    services = if cfg.resolver == "kresd" then {
+      kresd = {
+        enable = true;
+        extraConfig = ''
+          policy.add(policy.all(policy.TLS_FORWARD({
+            {'45.90.28.0', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
+            {'2a07:a8c0::', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
+            {'45.90.30.0', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'},
+            {'2a07:a8c1::', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'}
+          })))
+        '';
+      };
+    } else if cfg.resolver == "stubby" then {
+      stubby = {
+        enable = cfg.resolver == "stubby";
+        fallbackProtocols = lib.mkDefault [ "GETDNS_TRANSPORT_TLS" ];
+        roundRobinUpstreams = lib.mkDefault false;
+        upstreamServers = ''
+          - address_data: 45.90.28.0
+            tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
+          - address_data: 2a07:a8c0::0
+            tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
+          - address_data: 45.90.30.0
+            tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
+          - address_data: 2a07:a8c1::0
+            tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
+        '';
+      };
+    } else abort "Cannot configure resolver ${cfg.resolver}";
+  };
+}
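Review bot: In the non-Darwin branch of `networking = if stdenv.isDarwin then ... else { ... }`, the line `networking.networkmanager.dns = "none";` is already inside the `networking` attribute set, so it defines `networking.networking.networkmanager.dns` rather than the intended option; it should read `networkmanager.dns = "none";`, matching the sibling `resolvconf.useLocalResolver = true;`. The `configID` option defaults to `""` and nothing rejects the empty value, so an unset ID silently yields upstream auth names such as `.dns1.nextdns.io` (or `<hostname>-.dns1.nextdns.io` when identifyDevice is set) in both the kresd and stubby branches, which would presumably fail TLS authentication at runtime instead of being caught at evaluation; adding `{ assertion = cfg.configID != ""; message = "networking.nextdns.configID must be set"; }` to the existing assertions list would surface this early. As a point of style, `enable = cfg.resolver == "stubby";` inside the `else if cfg.resolver == "stubby"` branch is always true and can simply be `enable = true;` like the kresd branch.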