From 0202e386385b082e0f1d6a3e08f877df9061eaaf Mon Sep 17 00:00:00 2001
From: Dan Nixon
Date: Tue, 10 Oct 2023 03:50:04 +0100
Subject: [PATCH] dnscrypt-proxy2 configuration
---
 README.md | 4 ----
 configurations/akane/nixos/default.nix | 7 ++++++-
 configurations/kawashiro/nixos/default.nix | 7 ++++++-
 configurations/maya/nixos/default.nix | 7 ++++++-
 configurations/yukari/nixos/default.nix | 3 +--
 modules/nixos/dnscrypt-proxy.nix | 12 ++++++++++++
 modules/nixos/encrypted-dns.nix | 5 -----
 7 files changed, 31 insertions(+), 14 deletions(-)
 create mode 100644 modules/nixos/dnscrypt-proxy.nix
 delete mode 100644 modules/nixos/encrypted-dns.nix
diff --git a/README.md b/README.md
index 4c5bc1e..44194cd 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,3 @@ Normal:
 ```sh
 home-manager switch --flake .#
 ```
-
-## In Progress
-
-- https://mynixos.com/nixpkgs/option/services.dnscrypt-proxy2.enable
diff --git a/configurations/akane/nixos/default.nix b/configurations/akane/nixos/default.nix
index a2451f9..b7b5d09 100644
--- a/configurations/akane/nixos/default.nix
+++ b/configurations/akane/nixos/default.nix
@@ -16,7 +16,7 @@ inputs.nixpkgs.lib.nixosSystem {
 ../../../modules/nixos/dan
 ../../../modules/nixos/dan/secrets
 ../../../modules/nixos/desktop-environment.nix
- ../../../modules/nixos/encrypted-dns.nix
+ ../../../modules/nixos/dnscrypt-proxy.nix
 ../../../modules/nixos/locale.nix
 ../../../modules/nixos/networkmanager.nix
 ../../../modules/nixos/scanner.nix
@@ -33,6 +33,11 @@ inputs.nixpkgs.lib.nixosSystem {
 networking.hostName = "akane";
+ services.dnscrypt-proxy2.settings.forwarding_rules = "/etc/dnscrypt-proxy2/forwarding-rules.txt";
+ environment.etc."dnscrypt-proxy2/forwarding-rules.txt".text = ''
+ castle.dan-nixon.com 100.71.249.35
+ '';
+
 users.users.dan.extraGroups = ["dialout"];
 virtualisation.podman.enable = true;
diff --git a/configurations/kawashiro/nixos/default.nix b/configurations/kawashiro/nixos/default.nix
index 322ae73..bc94d89 100644
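Review bot: The forwarding rule for castle.dan-nixon.com is added verbatim in akane's second hunk and again in the kawashiro and maya hunks, so the three copies can drift apart; the `forwarding_rules` setting and the `environment.etc."dnscrypt-proxy2/forwarding-rules.txt"` entry would be better placed once in a shared module that those hosts import. Queries matching a forwarding rule are sent to 100.71.249.35 as plain DNS instead of through the encrypted resolvers; the address falls in 100.64.0.0/10 and looks like a Tailscale peer, so confidentiality and authenticity of those answers rest on the tunnel, and lookups for that name will time out when it is down. `services.tailscale.enable` is visible only in maya's context lines, so whether akane and kawashiro enable it cannot be confirmed from this diff. A comment above the rule such as `# castle is resolved by a tailnet peer; requires tailscale to be up` would record that dependency. The enclosing module attrset starts and ends outside each of these hunks.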
--- a/configurations/kawashiro/nixos/default.nix
+++ b/configurations/kawashiro/nixos/default.nix
@@ -15,7 +15,7 @@ inputs.nixpkgs.lib.nixosSystem {
 ../../../modules/nixos/dan
 ../../../modules/nixos/dan/secrets
 ../../../modules/nixos/desktop-environment.nix
- ../../../modules/nixos/encrypted-dns.nix
+ ../../../modules/nixos/dnscrypt-proxy.nix
 ../../../modules/nixos/locale.nix
 ../../../modules/nixos/networkmanager.nix
 ../../../modules/nixos/sound.nix
@@ -31,6 +31,11 @@ inputs.nixpkgs.lib.nixosSystem {
 networking.hostName = "kawashiro";
+ services.dnscrypt-proxy2.settings.forwarding_rules = "/etc/dnscrypt-proxy2/forwarding-rules.txt";
+ environment.etc."dnscrypt-proxy2/forwarding-rules.txt".text = ''
+ castle.dan-nixon.com 100.71.249.35
+ '';
+
 users.users.dan.extraGroups = ["dialout" "plugdev"];
 virtualisation.podman.enable = true;
diff --git a/configurations/maya/nixos/default.nix b/configurations/maya/nixos/default.nix
index 7d994ea..1d56084 100644
--- a/configurations/maya/nixos/default.nix
+++ b/configurations/maya/nixos/default.nix
@@ -14,7 +14,7 @@ inputs.nixpkgs.lib.nixosSystem {
 ../../../modules/nixos/dan
 ../../../modules/nixos/dan/secrets
 ../../../modules/nixos/desktop-environment.nix
- ../../../modules/nixos/encrypted-dns.nix
+ ../../../modules/nixos/dnscrypt-proxy.nix
 ../../../modules/nixos/locale.nix
 ../../../modules/nixos/networkmanager.nix
 ../../../modules/nixos/sound.nix
@@ -30,6 +30,11 @@ inputs.nixpkgs.lib.nixosSystem {
 networking.hostName = "maya";
+ services.dnscrypt-proxy2.settings.forwarding_rules = "/etc/dnscrypt-proxy2/forwarding-rules.txt";
+ environment.etc."dnscrypt-proxy2/forwarding-rules.txt".text = ''
+ castle.dan-nixon.com 100.71.249.35
+ '';
+
 virtualisation.podman.enable = true;
 services.upower.enable = true;
 services.tailscale.enable = true;
diff --git a/configurations/yukari/nixos/default.nix b/configurations/yukari/nixos/default.nix
index d2026ba..c523ee0 100644
--- a/configurations/yukari/nixos/default.nix
+++ b/configurations/yukari/nixos/default.nix
@@ -15,10 +15,9 @@ inputs.nixpkgs.lib.nixosSystem {
 })
 ./disk-config.nix
- inputs.sops-nix.nixosModules.sops
 ../../../modules/nixos/base.nix
 ../../../modules/nixos/dan
- ../../../modules/nixos/encrypted-dns.nix
+ ../../../modules/nixos/dnscrypt-proxy.nix
 ../../../modules/nixos/locale.nix
 ../../../modules/nixos/networkmanager.nix
 ../../../modules/nixos/ssh.nix
diff --git a/modules/nixos/dnscrypt-proxy.nix b/modules/nixos/dnscrypt-proxy.nix
new file mode 100644
index 0000000..f06d52a
--- /dev/null
+++ b/modules/nixos/dnscrypt-proxy.nix
@@ -0,0 +1,12 @@
+{...}: {
+ services.dnscrypt-proxy2 = {
+ enable = true;
+
+ settings = {
+ fallback_resolvers = ["9.9.9.9:53" "1.1.1.1:53"];
+ ignore_system_dns = true;
+
+ netprobe_address = "9.9.9.9:53";
+ };
+ };
+}
diff --git a/modules/nixos/encrypted-dns.nix b/modules/nixos/encrypted-dns.nix
deleted file mode 100644
index fd56132..0000000
--- a/modules/nixos/encrypted-dns.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{...}: {
- services.dnscrypt-proxy2 = {
- enable = true;
- };
-}
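Review bot: The yukari module list no longer contains `inputs.sops-nix.nixosModules.sops` after this hunk, a change the commit subject does not mention and that is unrelated to the DNS work. If any module yukari still imports declares `sops.secrets` entries, evaluation will fail once that option set is gone; if none does, the removal is harmless but would be easier to audit in its own commit with a line saying why. Yukari also gets dnscrypt-proxy.nix without the `forwarding_rules` entry the other three hosts receive, which may be intentional but is worth a short comment. The module list starts outside the hunk.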
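Review bot: `fallback_resolvers` in the new modules/nixos/dnscrypt-proxy.nix is the legacy name for what current dnscrypt-proxy calls `bootstrap_resolvers`; if the packaged version is merged with the upstream example config (which appears to set `bootstrap_resolvers` itself), this line may be ignored with at most a log warning, so `bootstrap_resolvers = ["9.9.9.9:53" "1.1.1.1:53"];` is the safer spelling. Resolver choice is otherwise left to upstream defaults; setting `server_names` and `require_dnssec = true;` would make the trust decision explicit and reviewable. Nothing in this file points the host's own resolver at the proxy (for example `networking.nameservers = ["127.0.0.1" "::1"];`); that may live in networkmanager.nix, which is not part of this diff, but without it DHCP-supplied DNS would continue to be queried in the clear. A header comment stating that the port-53 addresses serve only bootstrap and the network probe, not ordinary queries, would help the next reader.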