dnscrypt listening subnets

2026-02-06 18:40:31 -06:00
parent a7482ee146
commit 7a5f577806
2 changed files with 25 additions and 2 deletions
--- a/modules/services/network.nix
+++ b/modules/services/network.nix
@@ -1,10 +1,23 @@
 { config, lib, ... }:
+let
+  stripCidr = cidr: cidr |> lib.splitString "/" |> builtins.head;
+  wgListenIps = config.my.wgInterfaces |> builtins.attrValues;
+  wgListenAddrs = wgListenIps |> builtins.map (ip: "${stripCidr ip}:53");
+in
 {
  options.my.services.network.enable = lib.mkEnableOption "network configuration and services";
  config = lib.mkIf config.my.services.network.enable {
    networking = {
      enableIPv6 = true;
-      firewall.enable = true;
+      firewall = {
+        enable = true;
+        interfaces = lib.mkIf config.my.services.wireguard.enable {
+          wg0 = {
+            allowedTCPPorts = [ 53 ];
+            allowedUDPPorts = [ 53 ];
+          };
+        };
+      };
      dhcpcd.extraConfig = "nohook resolv.conf";
      networkmanager = {
        enable = true;
@@ -19,6 +32,16 @@
      settings = {
        ipv6_servers = true;
        require_dnssec = true;
+        log_level = 4;
+        listen_addresses = [
+          "${config.my.localhost}:53"
+          "${config.my.localhost6}:53"
+        ]
+        ++ lib.optionals config.my.services.wireguard.enable wgListenAddrs;
+        query_log = {
+          file = "/var/lib/dnscrypt-proxy/query.log";
+          format = "tsv";
+        };
        sources.public-resolvers = {
          urls = [
            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"