{ config, lib, pkgs, ... }: with lib; let inherit (pkgs) stdenv; cfg = config.networking.nextdns; identifyingPrefix = if cfg.identifyDevice then "${config.networking.hostName}-" else ""; in { options = { networking.nextdns.enable = mkOption { type = types.bool; default = false; description = "Whether to enable DNS resolution via NextDNS"; }; networking.nextdns.configID = mkOption { type = types.str; default = ""; example = literalExample "abcdef"; description = "NextDNS configuration ID"; }; networking.nextdns.identifyDevice = mkOption { type = types.bool; default = false; description = "Whether to send hostname for identifying in your logs"; }; networking.nextdns.resolver = mkOption { type = types.enum [ "kresd" "stubby" ]; default = if stdenv.isDarwin then "stubby" else "kresd"; description = "Resolver to use"; }; }; config = mkIf cfg.enable { assertions = [ { assertion = !(stdenv.isDarwin && cfg.resolver == "kresd"); message = "kresd is not supported on Darwin"; } ]; networking = if stdenv.isDarwin then { dns = [ "::1" "127.0.0.1" "2a07:a8c0::ab:d6e5" "2a07:a8c1::ab:d6e5" "45.90.28.25" "45.90.30.25" ]; } else { networking.networkmanager.dns = "none"; resolvconf.useLocalResolver = true; }; services = if cfg.resolver == "kresd" then { kresd = { enable = true; extraConfig = '' policy.add(policy.all(policy.TLS_FORWARD({ {'45.90.28.0', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'}, {'2a07:a8c0::', hostname='${identifyingPrefix}${cfg.configID}.dns1.nextdns.io'}, {'45.90.30.0', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'}, {'2a07:a8c1::', hostname='${identifyingPrefix}${cfg.configID}.dns2.nextdns.io'} }))) ''; }; } else if cfg.resolver == "stubby" then { stubby = { enable = cfg.resolver == "stubby"; fallbackProtocols = lib.mkDefault [ "GETDNS_TRANSPORT_TLS" ]; roundRobinUpstreams = lib.mkDefault false; upstreamServers = '' - address_data: 45.90.28.0 tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io" - address_data: 2a07:a8c0::0 tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io" - address_data: 45.90.30.0 tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io" - address_data: 2a07:a8c1::0 tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io" ''; }; } else abort "Cannot configure resolver ${cfg.resolver}"; }; }