70 lines
2.0 KiB
Nix
70 lines
2.0 KiB
Nix
{ config, lib, ... }:
|
|
|
|
# Setup:
|
|
# PDNS recursor on port 53
|
|
# DNSCrypt wrapper on port 5353
|
|
# NCDNS for Namecoin bit. zone resolution
|
|
# sslh handling both HTTP and DSN on 443
|
|
|
|
{
|
|
# Recursive DNS resolver
|
|
services.pdns-recursor =
|
|
{ enable = true;
|
|
# Configures the bit. zone
|
|
resolveNamecoin = true;
|
|
# Use both IPv4 and IPv6
|
|
dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];
|
|
settings.local-address = [ "0.0.0.0" "::" ];
|
|
};
|
|
|
|
# Wrap the local recursive resolver in DNSCrypt
|
|
services.dnscrypt-wrapper =
|
|
{ enable = true;
|
|
address = "[::]";
|
|
providerKey.public = config.secrets.dnscrypt.pub;
|
|
providerKey.secret = config.secrets.dnscrypt.sec;
|
|
};
|
|
|
|
# Demultiplex HTTP and DNS from port 443
|
|
services.sslh =
|
|
{ enable = true;
|
|
method = "ev";
|
|
settings.transparent = true;
|
|
settings.listen = with config.var; lib.mkForce
|
|
[ { host = hostname; port = "443"; is_udp = false; }
|
|
{ host = hostname; port = "443"; is_udp = true; }
|
|
];
|
|
settings.protocols =
|
|
[ # Send TLS to nginx (TCP)
|
|
{ name = "tls"; host = "localhost"; port= "443"; }
|
|
# Send DNSCrypt to dnscrypt-wrapper (TCP or UDP)
|
|
{ name = "anyprot"; host = "localhost"; port = "5353"; }
|
|
{ name = "anyprot"; host = "localhost"; port = "5353";
|
|
is_udp = true; udp_timeout = 100; }
|
|
];
|
|
};
|
|
|
|
# This is needed for the rotation of DNSCrypt keys
|
|
security.polkit.enable = true;
|
|
|
|
# Namecoin resolver
|
|
services.ncdns =
|
|
{ enable = true;
|
|
# This is currently broken, see ncdns issue:
|
|
# https://github.com/namecoin/ncdns/issues/127
|
|
dnssec.enable = false;
|
|
};
|
|
|
|
# Namecoin daemon with RPC server
|
|
services.namecoind =
|
|
{ enable = true;
|
|
# This are used by the resolver (ncdns)
|
|
# to query the blockchain.
|
|
rpc.user = config.secrets.namecoin.user;
|
|
rpc.password = config.secrets.namecoin.password;
|
|
};
|
|
|
|
users.users.namecoin.group = "namecoin";
|
|
|
|
}
|