maxwell/nameserver.nix

{ config, lib, ... }:

# Setup:
# PDNS recursor on port 53
# DNSCrypt wrapper on port 5353
# NCDNS for Namecoin bit. zone resolution
# sslh handling both HTTP and DSN on 443

{
  # Recursive DNS resolver
  services.pdns-recursor =
    { enable = true;
      # Configures the bit. zone
      resolveNamecoin = true;
      # Use both IPv4 and IPv6
      dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];
      settings.local-address = [ "0.0.0.0" "::" ];
    };

  # Wrap the local recursive resolver in DNSCrypt
  services.dnscrypt-wrapper =
    { enable  = true;
      address = "[::]";
      providerKey.public = config.secrets.dnscrypt.pub;
      providerKey.secret = config.secrets.dnscrypt.sec;
    };

  # Demultiplex HTTP and DNS from port 443
  services.sslh =
    { enable = true;
      method = "ev";
      settings.transparent = true;
      settings.listen = with config.var; lib.mkForce
        [ { host = hostname; port = "443"; is_udp = false; }
          { host = hostname; port = "443"; is_udp = true; }
        ];
      settings.protocols =
        [ # Send TLS to nginx (TCP)
          { name = "tls"; host = "localhost"; port= "443"; }
          # Send DNSCrypt to dnscrypt-wrapper (TCP or UDP)
          { name = "anyprot"; host = "localhost"; port = "5353"; }
          { name = "anyprot"; host = "localhost"; port = "5353"; is_udp = true; }
        ];
    };

  # This is needed for the rotation of DNSCrypt keys
  security.polkit.enable = true;

  # Namecoin resolver
  services.ncdns =
    { enable = true;
      # This is currently broken, see ncdns issue:
      # https://github.com/namecoin/ncdns/issues/127
      dnssec.enable = false;
    };

  # Namecoin daemon with RPC server
  services.namecoind =
    { enable = true;
      # This are used by the resolver (ncdns)
      # to query the blockchain.
      rpc.user     = config.secrets.namecoin.user;
      rpc.password = config.secrets.namecoin.password;
    };

  users.users.namecoin.group = "namecoin";

}
move dnscrypt to port 443 2023-08-15 16:21:59 +02:00			`{ config, lib, ... }:`
initial commit 2020-10-20 01:11:28 +02:00
			`# Setup:`
			`# PDNS recursor on port 53`
move dnscrypt to port 443 2023-08-15 16:21:59 +02:00			`# DNSCrypt wrapper on port 5353`
initial commit 2020-10-20 01:11:28 +02:00			`# NCDNS for Namecoin bit. zone resolution`
move dnscrypt to port 443 2023-08-15 16:21:59 +02:00			`# sslh handling both HTTP and DSN on 443`
initial commit 2020-10-20 01:11:28 +02:00
			`{`
			`# Recursive DNS resolver`
move dnscrypt to port 443 2023-08-15 16:21:59 +02:00			`services.pdns-recursor =`
			`{ enable = true;`
			`# Configures the bit. zone`
			`resolveNamecoin = true;`
			`# Use both IPv4 and IPv6`
			`dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];`
			`settings.local-address = [ "0.0.0.0" "::" ];`
			`};`
initial commit 2020-10-20 01:11:28 +02:00
nameserver: fix comment 2024-02-25 18:58:01 +01:00			`# Wrap the local recursive resolver in DNSCrypt`
move dnscrypt to port 443 2023-08-15 16:21:59 +02:00			`services.dnscrypt-wrapper =`
			`{ enable = true;`
			`address = "[::]";`
			`providerKey.public = config.secrets.dnscrypt.pub;`
			`providerKey.secret = config.secrets.dnscrypt.sec;`
			`};`

			`# Demultiplex HTTP and DNS from port 443`
			`services.sslh =`
			`{ enable = true;`
			`method = "ev";`
			`settings.transparent = true;`
			`settings.listen = with config.var; lib.mkForce`
			`[ { host = hostname; port = "443"; is_udp = false; }`
			`{ host = hostname; port = "443"; is_udp = true; }`
			`];`
			`settings.protocols =`
			`[ # Send TLS to nginx (TCP)`
nameserver: fix comment 2024-02-25 18:58:01 +01:00			`{ name = "tls"; host = "localhost"; port= "443"; }`
move dnscrypt to port 443 2023-08-15 16:21:59 +02:00			`# Send DNSCrypt to dnscrypt-wrapper (TCP or UDP)`
			`{ name = "anyprot"; host = "localhost"; port = "5353"; }`
nameserver: fix comment 2024-02-25 18:58:01 +01:00			`{ name = "anyprot"; host = "localhost"; port = "5353"; is_udp = true; }`
move dnscrypt to port 443 2023-08-15 16:21:59 +02:00			`];`
			`};`

email: fix DNSCrypt ephemeral keys rotation 2023-03-05 23:13:48 +01:00			`# This is needed for the rotation of DNSCrypt keys`
			`security.polkit.enable = true;`

initial commit 2020-10-20 01:11:28 +02:00			`# Namecoin resolver`
move dnscrypt to port 443 2023-08-15 16:21:59 +02:00			`services.ncdns =`
			`{ enable = true;`
			`# This is currently broken, see ncdns issue:`
			`# https://github.com/namecoin/ncdns/issues/127`
			`dnssec.enable = false;`
			`};`
initial commit 2020-10-20 01:11:28 +02:00
			`# Namecoin daemon with RPC server`
move dnscrypt to port 443 2023-08-15 16:21:59 +02:00			`services.namecoind =`
			`{ enable = true;`
			`# This are used by the resolver (ncdns)`
			`# to query the blockchain.`
			`rpc.user = config.secrets.namecoin.user;`
			`rpc.password = config.secrets.namecoin.password;`
			`};`
initial commit 2020-10-20 01:11:28 +02:00
fix namecoin module bug 2021-12-21 00:31:25 +01:00			`users.users.namecoin.group = "namecoin";`

initial commit 2020-10-20 01:11:28 +02:00			`}`