dnscrypt listening subnets

modules/modules.nix

@@ -30,7 +30,7 @@ in
     };
     localhost6 = lib.mkOption {
       type = lib.types.str;
-      default = "::1";
+      default = "[::1]";
       description = "The localhost ipv6 address.";
     };
     secureHost = lib.mkOption {

modules/services/network.nix

@@ -1,10 +1,23 @@
 { config, lib, ... }:
+let
+  stripCidr = cidr: cidr |> lib.splitString "/" |> builtins.head;
+  wgListenIps = config.my.wgInterfaces |> builtins.attrValues;
+  wgListenAddrs = wgListenIps |> builtins.map (ip: "${stripCidr ip}:53");
+in
 {
   options.my.services.network.enable = lib.mkEnableOption "network configuration and services";
   config = lib.mkIf config.my.services.network.enable {
     networking = {
       enableIPv6 = true;
-      firewall.enable = true;
+      firewall = {
+        enable = true;
+        interfaces = lib.mkIf config.my.services.wireguard.enable {
+          wg0 = {
+            allowedTCPPorts = [ 53 ];
+            allowedUDPPorts = [ 53 ];
+          };
+        };
+      };
       dhcpcd.extraConfig = "nohook resolv.conf";
       networkmanager = {
         enable = true;
@@ -19,6 +32,16 @@
       settings = {
         ipv6_servers = true;
         require_dnssec = true;
+        log_level = 4;
+        listen_addresses = [
+          "${config.my.localhost}:53"
+          "${config.my.localhost6}:53"
+        ]
+        ++ lib.optionals config.my.services.wireguard.enable wgListenAddrs;
+        query_log = {
+          file = "/var/lib/dnscrypt-proxy/query.log";
+          format = "tsv";
+        };
         sources.public-resolvers = {
           urls = [
             "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"