encrypted dns

common/firefox.nix

@@ -62,6 +62,11 @@ in
           "media.hardware-video-decoding.enabled" = true;
           "media.ffmpeg.vaapi.enabled" = true;
           "network.dns.disableIPv6" = true;
+          # "network.dns.DNS_HTTPS.domain" = "::1";
+          "network.connectivity-service.DNSv4.domain" = "127.0.0.1";
+          "network.connectivity-service.DNSv6.domain" = "::1";
+          network.dns.localDomains = "::1";
+          network.dns.forceResolve = true;
           "media.rdd-ffmpeg.enabled" = true;
           "media.navigator.mediadatadecoder_vpx_enabled" = true;
         } // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; };

common/tooling/nix-index.nix

@@ -13,6 +13,7 @@ in
   users.users."${user}" = {
     isSystemUser = true;
     group = user;
+    uid = 995;
   };
   users.groups."${user}" = { };
 

hardening/default.nix

@@ -10,6 +10,7 @@
     ./apparmor
     ./opensnitch
     ./security.nix
+    ./encrypt-dns.nix
   ];
 
   specialisation.unhardened.configuration = {

hardening/encrypt-dns.nix

@@ -0,0 +1,39 @@
+{ pkgs, config, lib, ... }:
+{
+  networking = {
+    nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
+    dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp
+    networkmanager.dns = "none"; # nm
+    resolvconf.useLocalResolver = true; # resoved
+  };
+
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    settings = {
+      ipv6_servers = config.networking.enableIPv6;
+      ipv4_servers = true;
+      require_dnssec = true;
+      dnscrypt_servers = true;
+      doh_servers = true;
+      odoh_servers = false;
+      require_nolog = true;
+      require_nofilter = true;
+
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+
+      # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+      # server_names = [ ... ];
+    };
+  };
+
+  systemd.services.dnscrypt-proxy2.serviceConfig = {
+    StateDirectory = "dnscrypt-proxy";
+  };
+}

hardening/opensnitch/cups.nix

@@ -48,7 +48,7 @@ in
             {
               type = "regexp";
               operand = "dest.port";
-              data = "5353|53";
+              data = "5353";
             }
             {
               type = "simple";
@@ -77,7 +77,7 @@ in
             {
               type = "regexp";
               operand = "dest.port";
-              data = "53|631|80";
+              data = "631|80";
             }
             {
               type = "lists";

hardening/opensnitch/default.nix

@@ -29,6 +29,7 @@ in
     ./network_support.nix
     ./firefox.nix
     ./tooling.nix
+    ./dns.nix
   ];
 
   config = mkIf (enable && tooling.enable && network) {

hardening/opensnitch/dns.nix

@@ -0,0 +1,77 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.grimmShared)
+    enable
+    tooling
+    network
+    ;
+  inherit (lib)
+    getExe
+    mkIf
+    ;
+
+  created = "1970-01-01T00:00:00.0+00:00";
+
+  dnscrypt_proxy_user = "dnscrypt-proxy2";
+in
+{
+
+  config = mkIf (enable && tooling.enable && network) {
+    users.users."${dnscrypt_proxy_user}" = {
+      isSystemUser = true;
+      group = dnscrypt_proxy_user;
+      uid = 991;
+    };
+    users.groups."${dnscrypt_proxy_user}" = { };
+
+    systemd.services.dnscrypt-proxy2.serviceConfig = {
+      DynamicUser = lib.mkForce true;
+      User = dnscrypt_proxy_user;
+      Group = dnscrypt_proxy_user;
+    };
+
+    services.opensnitch.rules = {
+      dnscrypt-proxy = mkIf (config.services.dnscrypt-proxy2.enable) {
+        name = "dnscrypt-proxy";
+        enabled = true;
+        action = "allow";
+        duration = "always";
+        inherit created;
+        operator = {
+          type = "list";
+          operand = "list";
+          list = [
+            {
+              type = "simple";
+              sensitive = false;
+              operand = "process.path";
+              data = getExe pkgs.dnscrypt-proxy;
+            }
+            {
+              type = "regexp";
+              operand = "dest.port";
+              data = "53|443|4434|5443";
+            }
+            #  {
+            #    type = "lists";
+            #    operand = "lists.nets";
+            #    data = pkgs.writeTextDir "cidr_dns.list" (
+            #      concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
+            #    );
+            #  }
+            {
+              type = "simple";
+              operand = "user.id";
+              data = builtins.toString (config.users.users."${dnscrypt_proxy_user}".uid);
+            }
+          ];
+        };
+      };
+    };
+  };
+}

hardening/opensnitch/network_support.nix

@@ -11,60 +11,15 @@ let
     network
     ;
   inherit (lib)
-    getExe
-    concatLines
     getExe'
     mkIf
     ;
 
-  local_network = [
-    "192.168.0.0/16"
-    "10.0.0.0/8"
-    "172.16.0.0/12"
-    "fc00::/7"
-  ];
-
   created = "1970-01-01T00:00:00.0+00:00";
 in
 {
   config = mkIf (enable && tooling.enable && network) {
     services.opensnitch.rules = {
-      nsncd = mkIf (config.services.nscd.enableNsncd) {
-        name = "nsncd-dns";
-        enabled = true;
-        action = "allow";
-        duration = "always";
-        inherit created;
-        operator = {
-          type = "list";
-          operand = "list";
-          list = [
-            {
-              type = "simple";
-              sensitive = false;
-              operand = "process.path";
-              data = getExe pkgs.nsncd;
-            }
-            {
-              type = "simple";
-              operand = "dest.port";
-              data = "53";
-            }
-            {
-              type = "lists";
-              operand = "lists.nets";
-              data = pkgs.writeTextDir "cidr_dns.list" (
-                concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
-              );
-            }
-            {
-              type = "simple";
-              operand = "user.id";
-              data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
-            }
-          ];
-        };
-      };
       network-manager = mkIf (config.networking.networkmanager.enable) {
         name = "network-manager";
         enabled = true;

hardening/opensnitch/nix.nix

@@ -39,7 +39,7 @@ in
             {
               type = "regexp";
               operand = "dest.port";
-              data = "53|443";
+              data = "443";
             }
             {
               type = "simple";
@@ -70,7 +70,7 @@ in
             {
               type = "regexp";
               operand = "dest.port";
-              data = "53|443";
+              data = "443";
             }
             {
               type = "regexp";

hardening/opensnitch/osu.nix

@@ -51,7 +51,7 @@ in
             {
               type = "regexp";
               operand = "dest.port";
-              data = "443|53";
+              data = "443";
             }
             {
               type = "regexp";

hardening/opensnitch/time.nix

@@ -39,7 +39,7 @@ in
             {
               type = "regexp";
               operand = "dest.port";
-              data = "123|37|53";
+              data = "123|37";
             }
             #              {
             #                type = "regexp";