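{ config, lib, ... }:
# Setup:
#   pdns-recursor on localhost:55        (recursive resolver, loopback only)
#   dnsdist on port 53 (DNS) and localhost:54 (DNSCrypt)
#   sslh handling both HTTP and DNS on port 443
#   ncdns for Namecoin bit. zone resolution
#
# Query path: client -> dnsdist:53 (plain DNS), or client -> sslh:443 -> dnsdist:54
# (DNSCrypt) -> pdns-recursor:55 -> (bit. zone only) ncdns -> namecoind RPC.
let
  # Bind the host name once instead of pulling the whole of config.var into scope.
  inherit (config.var) hostname;
in
{
  # Recursive DNS resolver. It is only meant to be reached from dnsdist on
  # loopback; dnsdist is the public-facing front end.
  services.pdns-recursor = {
    enable = true;
    # Configures the bit. zone: queries for it are handed to ncdns.
    resolveNamecoin = true;
    dns.port = 55;
  };

  # Public DNS resolver (front end for pdns-recursor)
  services.dnsdist = {
    enable = true;
    extraConfig = ''
      -- Listen on IPv6 and IPv4
      setLocal("[::]:53");
      addLocal("0.0.0.0:53")
      -- Allow everything: this is deliberately an open resolver.
      -- An open recursive resolver is a reflection/amplification target and
      -- should be rate limited and monitored, e.g. a per-client cap such as
      --   addAction(MaxQPSIPRule(<qps>), DropAction())
      -- together with watching dnsdist's query-rate metrics.
      setACL({"0.0.0.0/0", "::/0"})
      -- Set upstream resolver (the pdns-recursor instance above)
      newServer({address="[::1]:55", name="pdns"})
    '';

    # DNSCrypt endpoint. Bound to loopback only; external clients reach it
    # through sslh on port 443 (see services.sslh below).
    dnscrypt = {
      enable = true;
      listenAddress = "[::1]";
      listenPort = 54;
      # Provider secret key; supplied from outside the module so it is not
      # written into this file.
      providerKey = config.secrets.dnscrypt.sec;
    };
  };

  # Demultiplex HTTP (TLS) and DNS (DNSCrypt) arriving on port 443
  services.sslh = {
    enable = true;
    method = "ev";
    # Transparent proxying keeps the client's source address visible to the
    # backends; it relies on host routing/firewall rules that live outside this file.
    settings.transparent = true;
    settings.listen = lib.mkForce [
      { host = hostname; port = "443"; is_udp = false; }
      { host = hostname; port = "443"; is_udp = true; }
    ];
    settings.protocols = [
      # Send TLS to nginx (TCP)
      { name = "tls"; host = "localhost"; port = "443"; }
      # Send everything else to dnsdist's DNSCrypt frontend on port 54 (TCP or UDP).
      # NOTE(review): the DNSCrypt listener above binds [::1] only; confirm that
      # "localhost" reaches ::1 here, otherwise the forward lands on an unbound
      # 127.0.0.1:54.
      { name = "anyprot"; host = "localhost"; port = "54"; }
      { name = "anyprot"; host = "localhost"; port = "54"; is_udp = true; udp_timeout = 100; }
    ];
  };

  # This is needed for the rotation of DNSCrypt keys
  security.polkit.enable = true;

  # Namecoin resolver (authoritative for the bit. zone)
  services.ncdns = {
    enable = true;
    # DNSSEC for bit. is currently broken, see ncdns issue:
    # https://github.com/namecoin/ncdns/issues/127
    # Until it works, bit. answers carry no DNSSEC signatures.
    dnssec.enable = false;
  };

  # Namecoin daemon with RPC server
  services.namecoind = {
    enable = true;
    # These are used by the resolver (ncdns) to query the blockchain.
    # NOTE(review): check how the namecoind module renders these; if they end
    # up in a generated config file in the Nix store they are world-readable.
    rpc.user = config.secrets.namecoin.user;
    rpc.password = config.secrets.namecoin.password;
  };

  users.users.namecoin.group = "namecoin";
}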