From dc694bb4e6473944ba077d65909572925d444340 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Thu, 21 Mar 2024 18:18:23 +0300
Subject: [PATCH] host: add encrypted-dns
---
 nixos/hosts/asus-gl553vd/default.nix | 1 +
 nixos/hosts/home/default.nix | 2 ++
 nixos/shared/encrypted-dns.nix | 32 ++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 nixos/shared/encrypted-dns.nix
diff --git a/nixos/hosts/asus-gl553vd/default.nix b/nixos/hosts/asus-gl553vd/default.nix
index 4c1960b..05f140e 100644
--- a/nixos/hosts/asus-gl553vd/default.nix
+++ b/nixos/hosts/asus-gl553vd/default.nix
@@ -11,6 +11,7 @@
 ../../shared/gnupg.nix
 ../../shared/garbage-collector.nix
 ../../shared/networking.secret.nix
+ ../../shared/encrypted-dns.nix
 ];
 # Use latest kernel
diff --git a/nixos/hosts/home/default.nix b/nixos/hosts/home/default.nix
index 93b8739..43a413a 100644
--- a/nixos/hosts/home/default.nix
+++ b/nixos/hosts/home/default.nix
@@ -12,6 +12,7 @@
 ../../shared/gnupg.nix
 ../../shared/garbage-collector.nix
 ../../shared/networking.secret.nix
+ ../../shared/encrypted-dns.nix
 ];
 # Configure kernel
diff --git a/nixos/hosts/home/default.nix b/nixos/hosts/home/default.nix
index 93b8739..43a413a 100644
--- a/nixos/hosts/home/default.nix
+++ b/nixos/hosts/home/default.nix
@@ -40,6 +41,7 @@
 };
 networkmanager.enable = true;
+ firewall.allowedTCPPortRanges = [ { from = 1300; to = 1400; } ];
diff --git a/nixos/shared/encrypted-dns.nix b/nixos/shared/encrypted-dns.nix
new file mode 100644
index 0000000..6b07f39
--- /dev/null
+++ b/nixos/shared/encrypted-dns.nix
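Review bot: The added `firewall.allowedTCPPortRanges = [ { from = 1300; to = 1400; } ];` in the second home/default.nix hunk opens 101 inbound TCP ports with no comment saying which service needs them, and nothing else in this commit (titled "add encrypted-dns") appears to use them — the new encrypted-dns module points the host's resolvers at loopback and, as far as the diff shows, binds no listener in that range. An unexplained inbound range in a shared host config is exactly the kind of change that outlives the reason for it; if a specific service needs it, name it and narrow the range to the port(s) it actually uses, e.g. `# inbound TCP 1300-1400: <service/reason>` on the line above, or move the rule next to that service's definition. Otherwise it should be split out of this commit or dropped. The enclosing `networking` attribute set starts before and ends after this hunk.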
@@ -0,0 +1,32 @@
+{ ... }:
+
+{
+ networking = {
+ nameservers = [ "127.0.0.1" "::1" ];
+ networkmanager.dns = "none";
+ };
+
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv6_servers = true;
+ require_dnssec = true;
+
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+
+ # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+ server_names = [
+ "sdns://AgMAAAAAAAAADTE1Ny45MC4xMjQuNjKgEbEC5rH2PlKJhNYCXzKxOCQfyIu9dRlXTXDJgy1T4eigWu-EP_zy7HBV9QShYvIp-DkcNw_zphY9LbPz1gTWIr4gRE69Z7uD-IB7OSHpOKyReLiCvVCq2xEjHwRM9fCN984QZG5zLmJyYWhtYS53b3JsZAovZG5zLXF1ZXJ5"
+ "sdns://AgMAAAAAAAAAF1syYTAxOjRmODoxYzFjOmY1ZTE6OjFdoBGxAuax9j5SiYTWAl8ysTgkH8iLvXUZV01wyYMtU-HooFrvhD_88uxwVfUEoWLyKfg5HDcP86YWPS2z89YE1iK-IEROvWe7g_iAezkh6TiskXi4gr1QqtsRIx8ETPXwjffOEGRucy5icmFobWEud29ybGQKL2Rucy1xdWVyeQ"
+ ];
+ };
+ };
+
+}
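Review bot: `server_names` pins two raw `sdns://` stamps instead of names from the minisign-verified `public-resolvers` list configured just above, so the endpoint and certificate-hash material embedded in those stamps is frozen in this file and the signed list is effectively not consulted for server selection; if the provider rotates the pinned certificate, name resolution on both hosts fails until someone re-encodes the stamp by hand. Both stamps appear to decode to the same provider (`dns.brahma.world`, one IPv4 and one IPv6 endpoint), which also makes this a single-provider dependency with no fallback when that operator is down. Consider referencing the provider by its list name (if the list carries one) so updates arrive through the verified source, and adding at least one independent resolver. Separately, `require_dnssec = true` only filters the candidate servers to those advertising DNSSEC support — dnscrypt-proxy does not validate signatures locally — so a comment such as `# require_dnssec only selects resolvers that claim DNSSEC; answers are trusted from the resolver, not validated here` would prevent the setting from being read as end-to-end validation.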