From 552f6065637a9ef4345e51c2fdb9feab0d115a7f Mon Sep 17 00:00:00 2001
From: Lillian-Violet
Date: Sun, 15 Dec 2024 15:22:29 +0100
Subject: [PATCH] Set up DNS over TLS for adguard

---
 nixos/hosts/wheatley/configuration.nix | 56 ++++++++++++++++++++++++--
 1 file changed, 52 insertions(+), 4 deletions(-)

diff --git a/nixos/hosts/wheatley/configuration.nix b/nixos/hosts/wheatley/configuration.nix
index ac15f38..d19ff26 100644
--- a/nixos/hosts/wheatley/configuration.nix
+++ b/nixos/hosts/wheatley/configuration.nix
@@ -62,12 +62,60 @@
   # Configure DNS servers manually (this example uses Cloudflare and Google DNS)
   # IPv6 DNS servers can be used here as well.
   networking.nameservers = [
-    "94.140.14.49"
-    "94.140.14.59"
-    "2a10:50c0:0:0:0:0:ded:ff"
-    "2a10:50c0:0:0:0:0:dad:ff"
+    "127.0.0.1"
+    "::1"
   ];
 
+  services.stubby = {
+    enable = true;
+    settings =
+      pkgs.stubby.passthru.settingsExample
+      // {
+        upstream_recursive_servers = [
+          {
+            address_data = "94.140.14.49";
+            tls_auth_name = "4b921896.d.adguard-dns.com";
+            tls_pubkey_pinset = [
+              {
+                digest = "sha256";
+                value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
+              }
+            ];
+          }
+          {
+            address_data = "94.140.14.59";
+            tls_auth_name = "4b921896.d.adguard-dns.com";
+            tls_pubkey_pinset = [
+              {
+                digest = "sha256";
+                value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
+              }
+            ];
+          }
+          {
+            address_data = "2a10:50c0:0:0:0:0:ded:ff";
+            tls_auth_name = "4b921896.d.adguard-dns.com";
+            tls_pubkey_pinset = [
+              {
+                digest = "sha256";
+                value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
+              }
+            ];
+          }
+          {
+            address_data = "2a10:50c0:0:0:0:0:dad:ff";
+            tls_auth_name = "4b921896.d.adguard-dns.com";
+            tls_pubkey_pinset = [
+              {
+                digest = "sha256";
+                value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
+              }
+            ];
+          }
+        ];
+      };
+  };
+
   services.openssh = {
     enable = true;
     # require public key authentication for better security
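Review bot: The same SPKI pin is copied into all four upstream_recursive_servers entries with no second pin, so a key rotation at the upstream makes stubby fail closed and the host loses DNS until this file is edited in four places; hoisting the shared tls_auth_name and tls_pubkey_pinset into a `let` binding keeps the entries in sync and gives a single spot to add the upstream's backup pin when one is published. The unchanged comment above networking.nameservers still says "this example uses Cloudflare and Google DNS" although the list now points at the local stub; `# Resolve through the local stubby DNS-over-TLS forwarder (see services.stubby below)` would match the new code. Whether TLS authentication is actually enforced depends on what `pkgs.stubby.passthru.settingsExample` sets for tls_authentication, which is not visible in this hunk, so it is worth confirming the merged settings keep it required rather than opportunistic.
```nix
  services.stubby = {
    enable = true;
    settings =
      let
        # Shared DoT identity for every AdGuard upstream; pinset is the
        # one place to add a backup pin ahead of a key rotation.
        adguardUpstream = {
          tls_auth_name = "4b921896.d.adguard-dns.com";
          tls_pubkey_pinset = [
            {
              digest = "sha256";
              value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
            }
          ];
        };
      in
      pkgs.stubby.passthru.settingsExample
      // {
        upstream_recursive_servers =
          map (address_data: adguardUpstream // { inherit address_data; }) [
            "94.140.14.49"
            "94.140.14.59"
            "2a10:50c0:0:0:0:0:ded:ff"
            "2a10:50c0:0:0:0:0:dad:ff"
          ];
      };
  };
```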