host: add encrypted-dns

nixos/hosts/asus-gl553vd/default.nix

@@ -11,6 +11,7 @@
     ../../shared/gnupg.nix
     ../../shared/garbage-collector.nix
     ../../shared/networking.secret.nix
+    ../../shared/encrypted-dns.nix
   ];
 
   # Use latest kernel

nixos/hosts/home/default.nix

@@ -12,6 +12,7 @@
     ../../shared/gnupg.nix
     ../../shared/garbage-collector.nix
     ../../shared/networking.secret.nix
+    ../../shared/encrypted-dns.nix
   ];
 
   # Configure kernel
@@ -40,6 +41,7 @@
     };
 
     networkmanager.enable = true;
+
     firewall.allowedTCPPortRanges = [
       { from = 1300; to = 1400; }
     ];

nixos/shared/encrypted-dns.nix

@@ -0,0 +1,32 @@
+{ ... }:
+
+{
+  networking = {
+    nameservers = [ "127.0.0.1" "::1" ];
+    networkmanager.dns = "none";
+  };
+
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    settings = {
+      ipv6_servers = true;
+      require_dnssec = true;
+
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+
+      # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+      server_names = [
+        "sdns://AgMAAAAAAAAADTE1Ny45MC4xMjQuNjKgEbEC5rH2PlKJhNYCXzKxOCQfyIu9dRlXTXDJgy1T4eigWu-EP_zy7HBV9QShYvIp-DkcNw_zphY9LbPz1gTWIr4gRE69Z7uD-IB7OSHpOKyReLiCvVCq2xEjHwRM9fCN984QZG5zLmJyYWhtYS53b3JsZAovZG5zLXF1ZXJ5"
+        "sdns://AgMAAAAAAAAAF1syYTAxOjRmODoxYzFjOmY1ZTE6OjFdoBGxAuax9j5SiYTWAl8ysTgkH8iLvXUZV01wyYMtU-HooFrvhD_88uxwVfUEoWLyKfg5HDcP86YWPS2z89YE1iK-IEROvWe7g_iAezkh6TiskXi4gr1QqtsRIx8ETPXwjffOEGRucy5icmFobWEud29ybGQKL2Rucy1xdWVyeQ"
+      ];
+    };
+  };
+
+}