maxwell/nameserver.nix

{ config, ... }:

# Setup:
# PDNS recursor on port 53
# DNSCrypt wrapper on port 1194
# NCDNS for Namecoin bit. zone resolution

{
  # Recursive DNS resolver
  services.pdns-recursor = {
    enable = true;
    # Configures the bit. zone
    resolveNamecoin = true;
    # Use both IPv4 and IPv6
    dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];
    settings.local-address = [ "0.0.0.0" "::" ];
  };

  # Wrap the local recursive resolver
  # in DNSCrypt on the default OpenVPN port.
  # This port is chosen because it's usually
  # not blocked in corporate networks.
  services.dnscrypt-wrapper = {
    enable  = true;
    address = "0.0.0.0";
    port    = 1194;
    providerKey.public = config.secrets.dnscrypt.pub;
    providerKey.secret = config.secrets.dnscrypt.sec;
  };

  # Namecoin resolver
  services.ncdns = {
    enable = true;
    # This is currently broken, see ncdns issue:
    # https://github.com/namecoin/ncdns/issues/127
    dnssec.enable = false;
  };

  # Namecoin daemon with RPC server
  services.namecoind = {
    enable = true;
    # This are used by the resolver (ncdns)
    # to query the blockchain.
    rpc.user     = config.secrets.namecoin.user;
    rpc.password = config.secrets.namecoin.password;
  };

}