
{ config, lib, ... }:
# Resolver stack on this host, wired together as configured below:
#   pdns-recursor   - recursive resolver on port 55, also answers the Namecoin bit. zone
#   dnsdist         - public front end on port 53 (DNS) plus a DNSCrypt listener on localhost:54
#   sslh            - demultiplexes TLS and DNSCrypt that arrive on port 443
#   ncdns/namecoind - Namecoin name lookup backing the bit. zone
let
  inherit (config.var) hostname;

  # One sslh listener on the public hostname, port 443; `udp` selects the transport.
  publicListener = udp: { host = hostname; port = "443"; is_udp = udp; };

  # One sslh forwarding rule: `proto` is the sslh probe name, `target` the local port.
  forwardTo = proto: target: extra:
    { name = proto; host = "localhost"; port = target; } // extra;
in
{
  # Recursive resolver; dnsdist reaches it at [::1]:55 (see newServer below).
  # NOTE(review): the listen address is left at the module default here -- confirm it
  # includes ::1, otherwise the upstream configured in dnsdist is unreachable.
  services.pdns-recursor = {
    enable = true;
    # Makes the bit. zone resolvable through this recursor.
    resolveNamecoin = true;
    dns.port = 55;
  };

  services.dnsdist = {
    enable = true;
    # Public front end. The Lua config listens on every IPv4/IPv6 address on port 53 and
    # installs an allow-all ACL, so this is an open resolver: any client on the internet can
    # query it, which also makes it usable as a DNS reflection/amplification source. If that
    # is not intended, narrow setACL() to the client ranges this host serves; if it is, a
    # per-client rate limit in dnsdist (e.g. `addAction(MaxQPSIPRule(<qps>), DropAction())`,
    # threshold to be chosen) bounds how much traffic a single source can drive.
    extraConfig = ''
      -- Listen on IPv6 and IPv4
      setLocal("[::]:53"); addLocal("0.0.0.0:53")
      -- Allow everything
      setACL({"0.0.0.0/0", "::/0"})
      -- Set upstream resolver
      newServer({address="[::1]:55", name="pdns"})
    '';
    # DNSCrypt endpoint, loopback only; sslh hands port-443 DNSCrypt traffic to it.
    # The provider secret key comes from the host's secrets module; its rotation is the
    # reason polkit is enabled further down.
    dnscrypt = {
      enable = true;
      listenAddress = "[::1]";
      listenPort = 54;
      providerKey = config.secrets.dnscrypt.sec;
    };
  };

  # sslh on <hostname>:443 (TCP and UDP): TLS goes to the local web server on 443,
  # anything else is treated as DNSCrypt and forwarded to dnsdist's listener on 54.
  # `transparent = true` is meant to preserve the client's source address on the forwarded
  # connection so dnsdist's ACL and any rate limits see the real client; that relies on the
  # routing/firewall setup sslh documents for transparent mode, which is not part of this file.
  services.sslh = {
    enable = true;
    method = "ev";
    settings = {
      transparent = true;
      listen = lib.mkForce [
        (publicListener false)
        (publicListener true)
      ];
      protocols = [
        # TLS -> nginx (TCP)
        (forwardTo "tls" "443" { })
        # Everything else -> DNSCrypt listener on dnsdist (TCP and UDP)
        (forwardTo "anyprot" "54" { })
        (forwardTo "anyprot" "54" { is_udp = true; udp_timeout = 100; })
      ];
    };
  };

  # Required by the DNSCrypt key rotation.
  security.polkit.enable = true;

  # Namecoin resolver serving the bit. zone.
  services.ncdns = {
    enable = true;
    # DNSSEC signing is off, so bit. answers are unsigned; currently broken upstream, see
    # https://github.com/namecoin/ncdns/issues/127
    dnssec.enable = false;
  };

  # Namecoin daemon with the RPC interface ncdns uses to query the blockchain.
  # NOTE(review): the RPC credentials are interpolated into the daemon's generated config;
  # verify how config.secrets is materialised so they do not end up in the world-readable
  # Nix store.
  services.namecoind = {
    enable = true;
    rpc.user = config.secrets.namecoin.user;
    rpc.password = config.secrets.namecoin.password;
  };

  users.users.namecoin.group = "namecoin";
}