blob: 87eb23ea45851c625a3720d109ee5b8a44304f9b (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
{ config, lib, pkgs, ... }:
let
inherit (lib)
concatStringsSep
mkEnableOption mkIf mkOption types;
cfg = config.services.https-dns-proxy;
providers = {
cloudflare = {
ips = [ "1.1.1.1" "1.0.0.1" ];
url = "https://cloudflare-dns.com/dns-query";
};
google = {
ips = [ "8.8.8.8" "8.8.4.4" ];
url = "https://dns.google/dns-query";
};
quad9 = {
ips = [ "9.9.9.9" "149.112.112.112" ];
url = "https://dns.quad9.net/dns-query";
};
opendns = {
ips = [ "208.67.222.222" "208.67.220.220" ];
url = "https://doh.opendns.com/dns-query";
};
custom = {
inherit (cfg.provider) ips url;
};
};
defaultProvider = "quad9";
providerCfg =
concatStringsSep " " [
"-b"
(concatStringsSep "," providers."${cfg.provider.kind}".ips)
"-r"
providers."${cfg.provider.kind}".url
];
in
{
meta.maintainers = with lib.maintainers; [ peterhoeg ];
###### interface
options.services.https-dns-proxy = {
enable = mkEnableOption (lib.mdDoc "https-dns-proxy daemon");
address = mkOption {
description = lib.mdDoc "The address on which to listen";
type = types.str;
default = "127.0.0.1";
};
port = mkOption {
description = lib.mdDoc "The port on which to listen";
type = types.port;
default = 5053;
};
provider = {
kind = mkOption {
description = lib.mdDoc ''
The upstream provider to use or custom in case you do not trust any of
the predefined providers or just want to use your own.
The default is ${defaultProvider} and there are privacy and security
trade-offs when using any upstream provider. Please consider that
before using any of them.
Supported providers: ${concatStringsSep ", " (builtins.attrNames providers)}
If you pick the custom provider, you will need to provide the
bootstrap IP addresses as well as the resolver https URL.
'';
type = types.enum (builtins.attrNames providers);
default = defaultProvider;
};
ips = mkOption {
description = lib.mdDoc "The custom provider IPs";
type = types.listOf types.str;
};
url = mkOption {
description = lib.mdDoc "The custom provider URL";
type = types.str;
};
};
preferIPv4 = mkOption {
description = lib.mdDoc ''
https_dns_proxy will by default use IPv6 and fail if it is not available.
To play it safe, we choose IPv4.
'';
type = types.bool;
default = true;
};
extraArgs = mkOption {
description = lib.mdDoc "Additional arguments to pass to the process.";
type = types.listOf types.str;
default = [ "-v" ];
};
};
###### implementation
config = lib.mkIf cfg.enable {
systemd.services.https-dns-proxy = {
description = "DNS to DNS over HTTPS (DoH) proxy";
requires = [ "network.target" ];
after = [ "network.target" ];
wants = [ "nss-lookup.target" ];
before = [ "nss-lookup.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
Type = "exec";
DynamicUser = true;
ProtectHome = "tmpfs";
ExecStart = lib.concatStringsSep " " (
[
(lib.getExe pkgs.https-dns-proxy)
"-a ${toString cfg.address}"
"-p ${toString cfg.port}"
"-l -"
providerCfg
]
++ lib.optional cfg.preferIPv4 "-4"
++ cfg.extraArgs
);
Restart = "on-failure";
};
};
};
}
|