From 7a5f577806989737d64c8a781dfda14ba1911ce6 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Fri, 6 Feb 2026 18:40:31 -0600
Subject: [PATCH] dnscrypt listening subnets
---
 modules/modules.nix | 2 +-
 modules/services/network.nix | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/modules/modules.nix b/modules/modules.nix
index fb76f3b..d4ddc48 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -30,7 +30,7 @@ in
 };
 localhost6 = lib.mkOption {
 type = lib.types.str;
- default = "::1";
+ default = "[::1]";
 description = "The localhost ipv6 address.";
 };
 secureHost = lib.mkOption {
diff --git a/modules/services/network.nix b/modules/services/network.nix
index 37208b2..2410fec 100644
--- a/modules/services/network.nix
+++ b/modules/services/network.nix
@@ -1,10 +1,23 @@
 { config, lib, ... }:
+let
+ stripCidr = cidr: cidr |> lib.splitString "/" |> builtins.head;
+ wgListenIps = config.my.wgInterfaces |> builtins.attrValues;
+ wgListenAddrs = wgListenIps |> builtins.map (ip: "${stripCidr ip}:53");
+in
 {
 options.my.services.network.enable = lib.mkEnableOption "network configuration and services";
 config = lib.mkIf config.my.services.network.enable {
 networking = {
 enableIPv6 = true;
- firewall.enable = true;
+ firewall = {
+ enable = true;
+ interfaces = lib.mkIf config.my.services.wireguard.enable {
+ wg0 = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+ };
+ };
 dhcpcd.extraConfig = "nohook resolv.conf";
 networkmanager = {
 enable = true;
@@ -19,6 +32,16 @@
 settings = {
 ipv6_servers = true;
 require_dnssec = true;
+ log_level = 4;
+ listen_addresses = [
+ "${config.my.localhost}:53"
+ "${config.my.localhost6}:53"
+ ]
+ ++ lib.optionals config.my.services.wireguard.enable wgListenAddrs;
+ query_log = {
+ file = "/var/lib/dnscrypt-proxy/query.log";
+ format = "tsv";
+ };
 sources.public-resolvers = {
 urls = [
 "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
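Review bot: The new default `"[::1]"` turns `my.localhost6` from a bare address literal into a bracketed form meant for host:port strings, yet the option description on the following line still reads "The localhost ipv6 address.", so any other consumer that needs the bare literal (an `/etc/hosts` entry, or a bind option that adds its own brackets) would now receive the brackets too. Either state the new contract in the option itself, e.g. `description = "The localhost ipv6 address, bracketed for use in host:port strings.";`, or keep the bare `::1` and add the brackets at the one place in network.nix where `:53` is appended. Existing readers of this option are outside this diff, so whether any of them break cannot be confirmed from here.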
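Review bot: The firewall opening for 53/TCP and 53/UDP is pinned to the literal interface `wg0`, while `wgListenAddrs` in the same hunk is derived from every value of `config.my.wgInterfaces`, so a second WireGuard interface would get a dnscrypt listener with no matching firewall rule (fail-closed, but confusing to debug). If the attribute names of `my.wgInterfaces` are the interface names, deriving the rule set from them keeps the two in step: `interfaces = lib.mkIf config.my.services.wireguard.enable (lib.genAttrs (builtins.attrNames config.my.wgInterfaces) (_: { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; }));`. The `|>` used in the new `let` block is Nix's experimental pipe operator, so evaluation fails unless the `pipe-operators` feature is enabled wherever this configuration is built; a one-line comment above `let` naming that requirement would spare the next reader an opaque parse error.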
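Review bot: `wgListenAddrs` (built above this hunk as `"${stripCidr ip}:53"`) only yields a valid listen address when the WireGuard address is IPv4; an IPv6 entry in `my.wgInterfaces` would need the same bracketing that the `[::1]` change in modules.nix adds for `localhost6`, and `stripCidr` only drops the prefix length. If IPv6 tunnel addresses are possible, bracket them at the same place, e.g. `wgListenAddrs = wgListenIps |> builtins.map (ip: let a = stripCidr ip; in if lib.hasInfix ":" a then "[${a}]:53" else "${a}:53");`. Separately, `query_log` records every query from every listener to `/var/lib/dnscrypt-proxy/query.log` in `tsv` with no size or rotation setting visible in this hunk, so it keeps the full DNS history of all WireGuard peers and grows without bound; if it is only for verifying the new listeners, a comment saying so (or removing it once confirmed) would make the intent clear.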