diff --git a/modules/base.nix b/modules/base.nix index 7b2bab5..7983838 100644 --- a/modules/base.nix +++ b/modules/base.nix @@ -1,5 +1,12 @@ { config, pkgs, ... }: { + imports = [ + # DNS settings. + ./dns.nix + # Nix garbage collection. + ./nix-gc.nix + ]; + # Firmware. # # The list of hardware.enableAllFirmware contains non-redistributable licensed firmware files. @@ -21,15 +28,6 @@ # Enable networking. networking.networkmanager.enable = true; - networking.nameservers = [ - # https://www.kuketz-blog.de/empfehlungsecke/#dns - # unfiltered.adguard-dns.com (supports DNSSEC) - "94.140.14.140" "94.140.14.141" - # https://www.kuketz-blog.de/empfehlungsecke/#dns - # dot.ffmuc.net (supports DNSSEC) - "5.1.66.255" "185.150.99.255" - ]; - # Set your time zone. time.timeZone = "Europe/Berlin"; @@ -75,17 +73,6 @@ nix.settings.auto-optimise-store = true; - # Keep only most recent 7 system generations - imports = [ ./base-gc.nix ]; - # - # Alternatively: Delete generations older than 7 days - # https://nixos.wiki/wiki/Storage_optimization#Automation - #nix.gc = { - # automatic = true; - # dates = "weekly"; - # options = "--delete-older-than 7d"; - #}; - # Delete all files in /tmp during boot. boot.tmp.cleanOnBoot = true; diff --git a/modules/dns.nix b/modules/dns.nix new file mode 100644 index 0000000..875447e --- /dev/null +++ b/modules/dns.nix @@ -0,0 +1,178 @@ +{ config, pkgs, ... }: +{ + assertions = [{ + assertion = config.networking.networkmanager.enable; + message = ''This module is only tested with NetworkManager''; + } { + assertion = ! config.services.resolved.enable; + message = ''This module is incompatible with resolved as resolved does not listen to IPv6 loopback''; + } { + assertion = config.networking.enableIPv6; + message = ''This module assumes that IPv6 networking is available''; + }]; + + # Encrypted, anonymized DNS queries. + # + # NixOS networking options: https://nixos.wiki/wiki/Encrypted_DNS#Setting_nameservers + # Exmaple dnscrypt-proxy config: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml + # NixOS config examples: + # https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2 + # https://github.com/LudovicoPiero/dotfiles/blob/338b0585d195e6644df9bf8b63fd574af7c18e26/cells/workstations/nixosProfiles/dnscrypt2/default.nix + # + # Check if it is working + # https://wiki.archlinux.org/title/Dnscrypt-proxy#Check_if_dnscrypt-proxy_is_working + + # TODO + # create new config option + # encrypted-dns + # If enabled + # use dnscrypt + # don't use adguard and ffmuc DNS servers + # Firefox use system DNS + + networking.nameservers = [ + "127.0.0.1" + "::1" + ]; + #networking.nameservers = [ + # # https://www.kuketz-blog.de/empfehlungsecke/#dns + # # unfiltered.adguard-dns.com (supports DNSSEC) + # "94.140.14.140" "94.140.14.141" + # # https://www.kuketz-blog.de/empfehlungsecke/#dns + # # dot.ffmuc.net (supports DNSSEC) + # "5.1.66.255" "185.150.99.255" + #]; + + # If using dhcpcd. + networking.dhcpcd.extraConfig = "nohook resolv.conf"; + # If using NetworkManager. + networking.networkmanager.dns = "none"; + + systemd.services.dnscrypt-proxy2.serviceConfig = { + StateDirectory = "dnscrypt-proxy"; + }; + + services.dnscrypt-proxy2 = { + enable = true; + settings = { + #listen_addresses = ['127.0.0.1:53']; + # This can be useful if you need to route everything through Tor. + # Otherwise, leave this to `false`. + force_tcp = false; + # Enable a DNS cache to reduce latency and outgoing traffic + cache = true; + # DNSCrypt: Create a new, unique key for every single DNS query. + # This may improve privacy but can also have a significant impact on CPU usage. + # Only enable if you don't have a lot of network load. + #dnscrypt_ephemeral_keys = false + + # Use servers reachable over IPv4. + ipv4_servers = true; + # Use servers reachable over IPv6. + # Do not enable if you don't have IPv6 connectivity. + ipv6_servers = true; + block_ipv6 = false; + # Use servers implementing the DNSCrypt protocol. + dnscrypt_servers = true; + # Use servers implementing the DNS-over-HTTPS protocol. + doh_servers = false; + # Use servers implementing the Oblivious DoH protocol + odoh_servers = false; + # Server must support DNS security extensions (DNSSEC). + require_dnssec = true; + # Server must not log user queries (declarative). + require_nolog = true; + # Server must not enforce its own blacklist (for parental control, ads blocking...). + require_nofilter = true; + + # Fetch list of dnscrypt server names. + # These server names are used below in the `server_names` and `via` options. + sources = { + public-resolvers = { + urls = [ + "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" + ]; + cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + }; + relays = { + urls = [ + "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md" + ]; + cache_file = "/var/lib/dnscrypt-proxy2/relays.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + }; + }; + + # Names of servers to be used for DNS queries. + # These are not contacted directly. + # Instead, the queries are forwarded by relay servers. + server_names = [ + # Operated by https://cryptostorm.is/ + "cs-berlin" + "cs-de" + "cs-dus1" + "cs-dus2" + "cs-dus3" + "cs-dus4" + # Other operators. + "dns.digitale-gesellschaft.ch" + "dns.digitale-gesellschaft.ch-ipv6" + "dct-de" + "dct-nl" + "dns.digitalsize.net" + "dns.digitalsize.net-ipv6" + "ibksturm" # Switzerland + "doh-ibksturm" # Switzerland + "faelix-ch-ipv4" # Switzerland + + # Already used as relay server. + #"dnswarden-uncensor-dc-swiss" # Switzerland + + # DNS servers that filter some requests. + #"switch" # Filters requests + #"dnsforge.de" # Filters requests + #"brahma-world" # Filters requests + #"brahma-world-ipv6" # Filters requests + #"libredns" # No DNSSEC + ]; + anonymized_dns = { + routes = [ + { + # All DNS servers given in `server_names`. + server_name = "*"; + # Relay servers. + # These forward requests to the chosen DNS servers. + via = [ + "anon-digitalprivacy.diy-ipv4" # Germany, by https://digitalprivacy.diy + "anon-serbica" # Netherlands, by https://litepay.ch + "anon-kama" # France, by Frank Denis (@jedisct1) + "anon-scaleway" # France, by Frank Denis (@jedisct1) + "anon-scaleway2" # France, by Frank Denis (@jedisct1) + "anon-fluffycat-fr-01" # France + "anon-dnswarden-swiss" + + # Already used as DNS server. + #"anon-cs-berlin" + #"anon-cs-de" + #"anon-cs-dus1" # Germany + #"anon-cs-dus2" # Germany + #"anon-cs-dus3" # Germany + #"anon-cs-dus4" # Germany + #"anon-cs-fr" + #"anon-cs-dk" + #"anon-cs-belgium" + #"anon-cs-nl" + #"anon-cs-nl2" + #"anon-cs-poland" + #"anon-cs-czech" + #"anon-cs-austria" + ]; + } + ]; + # Skip resolvers incompatible with anonymization instead of using them directly. + skip_incompatible = true; + }; + }; + }; +} diff --git a/modules/base-gc.nix b/modules/nix-gc.nix similarity index 77% rename from modules/base-gc.nix rename to modules/nix-gc.nix index 9364d24..3380af4 100644 --- a/modules/base-gc.nix +++ b/modules/nix-gc.nix @@ -1,6 +1,16 @@ { config, pkgs, ... }: { + # Keep only the 7 most recent system generations. + # # Based on https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/misc/nix-gc.nix + # + # Alternatively: Delete generations older than 7 days + # https://nixos.wiki/wiki/Storage_optimization#Automation + #nix.gc = { + # automatic = true; + # dates = "weekly"; + # options = "--delete-older-than 7d"; + #}; assertions = [{ assertion = config.nix.enable;