{ config, lib, ... }: # Setup: # PDNS recursor on port 53 # DNSCrypt wrapper on port 5353 # NCDNS for Namecoin bit. zone resolution # sslh handling both HTTP and DSN on 443 { # Recursive DNS resolver services.pdns-recursor = { enable = true; # Configures the bit. zone resolveNamecoin = true; # Use both IPv4 and IPv6 dns.allowFrom = [ "0.0.0.0/0" "::0/0" ]; settings.local-address = [ "0.0.0.0" "::" ]; }; # Wrap the local recursive resolver # in DNSCrypt on the default OpenVPN port. # This port is chosen because it's usually # not blocked in corporate networks. services.dnscrypt-wrapper = { enable = true; address = "[::]"; providerKey.public = config.secrets.dnscrypt.pub; providerKey.secret = config.secrets.dnscrypt.sec; }; # Demultiplex HTTP and DNS from port 443 services.sslh = { enable = true; method = "ev"; settings.transparent = true; settings.listen = with config.var; lib.mkForce [ { host = hostname; port = "443"; is_udp = false; } { host = hostname; port = "443"; is_udp = true; } ]; settings.protocols = [ # Send TLS to nginx (TCP) { name = "tls"; host= "localhost"; port= "443"; } # Send DNSCrypt to dnscrypt-wrapper (TCP or UDP) { name = "anyprot"; host = "localhost"; port = "5353"; } { name = "anyprot"; host = "localhost"; port = "5353"; is_udp = true;} ]; }; # This is needed for the rotation of DNSCrypt keys security.polkit.enable = true; # Namecoin resolver services.ncdns = { enable = true; # This is currently broken, see ncdns issue: # https://github.com/namecoin/ncdns/issues/127 dnssec.enable = false; }; # Namecoin daemon with RPC server services.namecoind = { enable = true; # This are used by the resolver (ncdns) # to query the blockchain. rpc.user = config.secrets.namecoin.user; rpc.password = config.secrets.namecoin.password; }; users.users.namecoin.group = "namecoin"; }