From 749f4be1ef9b115c97fa717cc6068ab342c7650c Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Tue, 12 Nov 2019 19:30:35 +0100
Subject: Configure nextdns usage via module
---
 system/modules/nextdns.nix | 92 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 system/modules/nextdns.nix
(limited to 'system/modules/nextdns.nix')
diff --git a/system/modules/nextdns.nix b/system/modules/nextdns.nix
new file mode 100644
index 00000000..6de4acdb
--- /dev/null
+++ b/system/modules/nextdns.nix
@@ -0,0 +1,92 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ inherit (pkgs) stdenv;
+
+ cfg = config.networking.nextdns;
+
+ identifyingPrefix = if cfg.identifyDevice then "${config.networking.hostName}-" else "";
+in
+{
+ options = {
+ networking.nextdns.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to enable DNS resolution via NextDNS";
+ };
+
+ networking.nextdns.configID = mkOption {
+ type = types.str;
+ default = "";
+ example = literalExample "abcdef";
+ description = "NextDNS configuration ID";
+ };
+
+ networking.nextdns.identifyDevice = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to send hostname for identifying in your logs";
+ };
+
+ networking.nextdns.resolver = mkOption {
+ type = types.enum [ "kresd" "stubby" ];
+ default = if stdenv.isDarwin then "stubby" else "kresd";
+ description = "Resolver to use";
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ assertions = [
+ {
+ assertion = !(stdenv.isDarwin && cfg.resolver == "kresd");
+ message = "kresd is not supported on Darwin";
+ }
+ ];
+ networking = if stdenv.isDarwin then
+ {
+ dns = [
+ "::1"
+ "127.0.0.1"
+ "2a07:a8c0::ab:d6e5"
+ "2a07:a8c1::ab:d6e5"
+ "45.90.28.25"
+ "45.90.30.25"
+ ];
+ } else {
+ networking.networkmanager.dns = "none";
+ resolvconf.useLocalResolver = true;
+ };
+ services = if cfg.resolver == "kresd" then {
+ kresd = {
+ enable = true;
+ extraConfig = ''
+ policy.add(policy.all(policy.TLS_FORWARD({
+ {'45.90.28.0', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
+ {'2a07:a8c0::', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'},
+ {'45.90.30.0', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'},
+ {'2a07:a8c1::', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'}
+ })))
+ '';
+ };
+ } else if cfg.resolver == "stubby" then {
+ stubby = {
+ enable = cfg.resolver == "stubby";
+ fallbackProtocols = lib.mkDefault [ "GETDNS_TRANSPORT_TLS" ];
+ roundRobinUpstreams = lib.mkDefault false;
+ upstreamServers = ''
+ - address_data: 45.90.28.0
+ tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
+ - address_data: 2a07:a8c0::0
+ tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
+ - address_data: 45.90.30.0
+ tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
+ - address_data: 2a07:a8c1::0
+ tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
+ '';
+ };
+ } else abort "Cannot configure resolver ${cfg.resolver}";
+ };
+}
-- 
cgit 1.4.1
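Review bot: The non-Darwin branch of `networking = if stdenv.isDarwin then … else { networking.networkmanager.dns = "none"; … }` nests the attribute under `networking` a second time, so it addresses `networking.networking.networkmanager.dns` rather than the NetworkManager option and will most likely fail module evaluation (or at best leave NetworkManager's resolver override in place); it should read `networkmanager.dns = "none";` like the sibling `resolvconf.useLocalResolver = true;`. Separately, `configID` defaults to `""` and nothing checks it when the module is enabled, so a forgotten ID silently produces TLS auth names of the form `dns1.nextdns.io` and queries are forwarded without the intended profile; an assertion next to the existing Darwin one, `{ assertion = cfg.configID != ""; message = "networking.nextdns.configID must be set when networking.nextdns.enable is true"; }`, would surface that at build time. On Darwin, `networking.dns` lists the public NextDNS anycast addresses alongside `::1`/`127.0.0.1`, which appears to leave a plaintext port-53 path to those servers if the system resolver prefers or falls back to them instead of the local stubby; if the intent is DNS-over-TLS only, consider keeping just the loopback entries or documenting why the public addresses are listed. Two small style points: `enable = cfg.resolver == "stubby";` inside the `stubby` branch is always true and can be `enable = true;`, and the trailing `abort` branch is unreachable given `types.enum [ "kresd" "stubby" ]`.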