parent
4fd28d2566
commit
39a6621150
@ -0,0 +1,128 @@ |
||||
{ config, lib, pkgs, ... }: |
||||
|
||||
let |
||||
inherit (lib) |
||||
concatStringsSep |
||||
mkEnableOption mkIf mkOption types; |
||||
|
||||
cfg = config.services.https-dns-proxy; |
||||
|
||||
providers = { |
||||
cloudflare = { |
||||
ips = [ "1.1.1.1" "1.0.0.1" ]; |
||||
url = "https://cloudflare-dns.com/dns-query"; |
||||
}; |
||||
google = { |
||||
ips = [ "8.8.8.8" "8.8.4.4" ]; |
||||
url = "https://dns.google/dns-query"; |
||||
}; |
||||
quad9 = { |
||||
ips = [ "9.9.9.9" "149.112.112.112" ]; |
||||
url = "https://dns.quad9.net/dns-query"; |
||||
}; |
||||
}; |
||||
|
||||
defaultProvider = "quad9"; |
||||
|
||||
providerCfg = |
||||
let |
||||
isCustom = cfg.provider.kind == "custom"; |
||||
in |
||||
lib.concatStringsSep " " [ |
||||
"-b" |
||||
(concatStringsSep "," (if isCustom then cfg.provider.ips else providers."${cfg.provider.kind}".ips)) |
||||
"-r" |
||||
(if isCustom then cfg.provider.url else providers."${cfg.provider.kind}".url) |
||||
]; |
||||
|
||||
in |
||||
{ |
||||
meta.maintainers = with lib.maintainers; [ peterhoeg ]; |
||||
|
||||
###### interface |
||||
|
||||
options.services.https-dns-proxy = { |
||||
enable = mkEnableOption "https-dns-proxy daemon"; |
||||
|
||||
address = mkOption { |
||||
description = "The address on which to listen"; |
||||
type = types.str; |
||||
default = "127.0.0.1"; |
||||
}; |
||||
|
||||
port = mkOption { |
||||
description = "The port on which to listen"; |
||||
type = types.port; |
||||
default = 5053; |
||||
}; |
||||
|
||||
provider = { |
||||
kind = mkOption { |
||||
description = '' |
||||
The upstream provider to use or custom in case you do not trust any of |
||||
the predefined providers or just want to use your own. |
||||
|
||||
The default is ${defaultProvider} and there are privacy and security trade-offs |
||||
when using any upstream provider. Please consider that before using any |
||||
of them. |
||||
|
||||
If you pick a custom provider, you will need to provide the bootstrap |
||||
IP addresses as well as the resolver https URL. |
||||
''; |
||||
type = types.enum ((builtins.attrNames providers) ++ [ "custom" ]); |
||||
default = defaultProvider; |
||||
}; |
||||
|
||||
ips = mkOption { |
||||
description = "The custom provider IPs"; |
||||
type = types.listOf types.str; |
||||
}; |
||||
|
||||
url = mkOption { |
||||
description = "The custom provider URL"; |
||||
type = types.str; |
||||
}; |
||||
}; |
||||
|
||||
preferIPv4 = mkOption { |
||||
description = '' |
||||
https_dns_proxy will by default use IPv6 and fail if it is not available. |
||||
To play it safe, we choose IPv4. |
||||
''; |
||||
type = types.bool; |
||||
default = true; |
||||
}; |
||||
|
||||
extraArgs = mkOption { |
||||
description = "Additional arguments to pass to the process."; |
||||
type = types.listOf types.str; |
||||
default = [ "-v" ]; |
||||
}; |
||||
}; |
||||
|
||||
###### implementation |
||||
|
||||
config = lib.mkIf cfg.enable { |
||||
systemd.services.https-dns-proxy = { |
||||
description = "DNS to DNS over HTTPS (DoH) proxy"; |
||||
after = [ "network.target" ]; |
||||
wantedBy = [ "multi-user.target" ]; |
||||
serviceConfig = rec { |
||||
Type = "exec"; |
||||
DynamicUser = true; |
||||
ExecStart = lib.concatStringsSep " " ( |
||||
[ |
||||
"${pkgs.https-dns-proxy}/bin/https_dns_proxy" |
||||
"-a ${toString cfg.address}" |
||||
"-p ${toString cfg.port}" |
||||
"-l -" |
||||
providerCfg |
||||
] |
||||
++ lib.optional cfg.preferIPv4 "-4" |
||||
++ cfg.extraArgs |
||||
); |
||||
Restart = "on-failure"; |
||||
}; |
||||
}; |
||||
}; |
||||
} |
Loading…
Reference in new issue