encrypted dns

Grimmauld 2025-01-28 19:54:36 +01:00
parent 59c4d9dd11
commit d62b9c76d2
11 changed files with 130 additions and 51 deletions


@ -62,6 +62,11 @@ in
"media.hardware-video-decoding.enabled" = true;
"media.ffmpeg.vaapi.enabled" = true;
"network.dns.disableIPv6" = true;
# "network.dns.DNS_HTTPS.domain" = "::1";
"network.connectivity-service.DNSv4.domain" = "127.0.0.1";
"network.connectivity-service.DNSv6.domain" = "::1";
network.dns.localDomains = "::1";
network.dns.forceResolve = true;
"media.rdd-ffmpeg.enabled" = true;
"media.navigator.mediadatadecoder_vpx_enabled" = true;
} // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; };
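Review bot: `network.dns.localDomains = "::1";` and `network.dns.forceResolve = true;` are written as bare attribute paths while every neighbouring pref is a quoted string key, so Nix parses them as a nested set `network = { dns = { … }; }` instead of the prefs "network.dns.localDomains" and "network.dns.forceResolve"; quote them like the rest, `"network.dns.localDomains" = "::1";` and `"network.dns.forceResolve" = true;`. The values also look wrong for those prefs: as far as I recall `network.dns.localDomains` takes a comma-separated list of host names to resolve to localhost and `network.dns.forceResolve` a host name rather than a boolean, so confirm both against about:config before relying on them. Since all resolution is now meant to go through the local dnscrypt-proxy, consider also pinning `"network.trr.mode" = 5;` so Firefox's built-in DoH cannot bypass the system resolver, unless that is set elsewhere. The enclosing attribute set starts outside the hunk.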


@ -13,6 +13,7 @@ in
users.users."${user}" = {
isSystemUser = true;
group = user;
uid = 995;
};
users.groups."${user}" = { };


@ -10,6 +10,7 @@
./apparmor
./opensnitch
./security.nix
./encrypt-dns.nix
];
specialisation.unhardened.configuration = {

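--- /dev/null
+++ b/hardening/encrypt-dns.nix
@@ -0,0 +1,39 @@
+{ pkgs, config, lib, ... }:
+{
+networking = {
+nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
+dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp
+networkmanager.dns = "none"; # nm
+resolvconf.useLocalResolver = true; # resoved
+};
+services.dnscrypt-proxy2 = {
+enable = true;
+settings = {
+ipv6_servers = config.networking.enableIPv6;
+ipv4_servers = true;
+require_dnssec = true;
+dnscrypt_servers = true;
+doh_servers = true;
+odoh_servers = false;
+require_nolog = true;
+require_nofilter = true;
+sources.public-resolvers = {
+urls = [
+"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+];
+cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+};
+# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+# server_names = [ ... ];
+};
+};
+systemd.services.dnscrypt-proxy2.serviceConfig = {
+StateDirectory = "dnscrypt-proxy";
+};
+}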
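Review bot: `cache_file` points at `/var/lib/dnscrypt-proxy2/public-resolvers.md` while `StateDirectory` is set to `dnscrypt-proxy`, which grants `/var/lib/dnscrypt-proxy`; unless the upstream module opens `/var/lib/dnscrypt-proxy2` elsewhere, the sandboxed service (the module enables DynamicUser and ProtectSystem as far as I recall) cannot write the resolver list there and starts with no usable servers, i.e. a DNS outage rather than a fail-open. Align the two, e.g. `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";`. `require_dnssec`, `require_nolog` and `require_nofilter` together with the pinned `minisign_key` are the right posture, but the key deserves a one-line comment saying it is the upstream DNSCrypt resolver-list signing key and where a reader can verify it, since a silently changed key would otherwise be hard to diagnose. The typo in the comment on `resolvconf.useLocalResolver` (`resoved` → `resolved`) can be fixed in passing.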


@ -48,7 +48,7 @@ in
{
type = "regexp";
operand = "dest.port";
data = "5353|53";
data = "5353";
}
{
type = "simple";
@ -77,7 +77,7 @@ in
{
type = "regexp";
operand = "dest.port";
data = "53|631|80";
data = "631|80";
}
{
type = "lists";
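Review bot: The dest.port matchers are `regexp` operators with unanchored patterns, so `"631|80"` on the new side also accepts 8080, 1800, 6310 and any other port containing those digits, and `"5353"` in the first hunk likewise matches 53530 (unless opensnitch anchors patterns internally, which I do not believe it does); the same applies to the other port rules touched by this commit, `"443"` at L262, L271 and L283, `"123|37"` at L295, and `"53|443|4434|5443"` in the new dnscrypt-proxy rule at L172. Removing plain 53 from these allow rules is the right move now that the local dnscrypt-proxy is the only intended path to port 53, but the allow set stays wider than intended as long as the patterns are substrings. Anchor them, e.g. `data = "^(631|80)$";` and `data = "^5353$";`, or switch the single-port cases to `type = "simple"`. Both hunks sit inside rule definitions whose start and end are outside what is shown.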


@ -29,6 +29,7 @@ in
./network_support.nix
./firefox.nix
./tooling.nix
./dns.nix
];
config = mkIf (enable && tooling.enable && network) {


@ -0,0 +1,77 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getExe
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
dnscrypt_proxy_user = "dnscrypt-proxy2";
in
{
config = mkIf (enable && tooling.enable && network) {
users.users."${dnscrypt_proxy_user}" = {
isSystemUser = true;
group = dnscrypt_proxy_user;
uid = 991;
};
users.groups."${dnscrypt_proxy_user}" = { };
systemd.services.dnscrypt-proxy2.serviceConfig = {
DynamicUser = lib.mkForce true;
User = dnscrypt_proxy_user;
Group = dnscrypt_proxy_user;
};
services.opensnitch.rules = {
dnscrypt-proxy = mkIf (config.services.dnscrypt-proxy2.enable) {
name = "dnscrypt-proxy";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.dnscrypt-proxy;
}
{
type = "regexp";
operand = "dest.port";
data = "53|443|4434|5443";
}
# {
# type = "lists";
# operand = "lists.nets";
# data = pkgs.writeTextDir "cidr_dns.list" (
# concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
# );
# }
{
type = "simple";
operand = "user.id";
data = builtins.toString (config.users.users."${dnscrypt_proxy_user}".uid);
}
];
};
};
};
};
}
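Review bot: The static user `dnscrypt-proxy2` is pinned to `uid = 991` and the service is then forced to `DynamicUser = true` with that same `User`; as far as I recall systemd skips dynamic allocation when the named user already exists statically, so the static uid is what the `user.id` match at L184 ends up comparing against, but 991 lies in the range NixOS hands out to `isSystemUser` accounts without a fixed uid on existing installs, so on a host where it is already taken activation fails or the rule matches the wrong process (same concern for `uid = 995` at L31). Pinning is understandable because the rule needs the uid at evaluation time, so document the choice and how it was checked, e.g. `# uid pinned so the opensnitch user.id rule below is stable; verified unused on all managed hosts`, or pick a value from a range the system allocator does not use. The commented-out `lists.nets` block references `concatLines` and `local_network`, neither of which is in this file's `let`, so it would not evaluate if re-enabled; either carry the definitions over or delete the block.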


@ -11,60 +11,15 @@ let
network
;
inherit (lib)
getExe
concatLines
getExe'
mkIf
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
nsncd = mkIf (config.services.nscd.enableNsncd) {
name = "nsncd-dns";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.nsncd;
}
{
type = "simple";
operand = "dest.port";
data = "53";
}
{
type = "lists";
operand = "lists.nets";
data = pkgs.writeTextDir "cidr_dns.list" (
concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
);
}
{
type = "simple";
operand = "user.id";
data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
}
];
};
};
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;


@ -39,7 +39,7 @@ in
{
type = "regexp";
operand = "dest.port";
data = "53|443";
data = "443";
}
{
type = "simple";
@ -70,7 +70,7 @@ in
{
type = "regexp";
operand = "dest.port";
data = "53|443";
data = "443";
}
{
type = "regexp";


@ -51,7 +51,7 @@ in
{
type = "regexp";
operand = "dest.port";
data = "443|53";
data = "443";
}
{
type = "regexp";


@ -39,7 +39,7 @@ in
{
type = "regexp";
operand = "dest.port";
data = "123|37|53";
data = "123|37";
}
# {
# type = "regexp";