AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

DNS-over-TLS

Browse Source
This commit is contained in:
Dmitriy Kholkin 2021-10-26 01:04:58 +03:00
parent d4a78796b2
commit 7d5d966668
1 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
profiles/servers/nginx.nix
View File

@ -1,4 +1,43 @@
{ pkgs, config, lib, ... }: { { pkgs, config, lib, ... }: {
## DNS-over-TLS
services.stubby = {
enable = true;
listenAddresses = [ "0::1" "127.0.0.1" ];
roundRobinUpstreams = false;
upstreamServers = ''
## Quad9
- address_data: 2620:fe::fe
tls_auth_name: "dns.quad9.net"
- address_data: 2620:fe::9
tls_auth_name: "dns.quad9.net"
- address_data: 9.9.9.9
tls_auth_name: "dns.quad9.net"
- address_data: 149.112.112.112
tls_auth_name: "dns.quad9.net"
## Cloudflare
- address_data: 2606:4700:4700::1112
tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::1002
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.1.1.2
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.0.0.2
tls_auth_name: "cloudflare-dns.com"
'';
extraConfig = ''
# Set TLS 1.3 as minimum acceptable version
tls_min_version: GETDNS_TLS1_3
# Require DNSSEC validation
dnssec: GETDNS_EXTENSION_TRUE
'';
};
networking.nameservers = [ "::1" "127.0.0.1" ];
services.resolved = {
enable = true;
fallbackDns = [ "2606:4700:4700::1111" "2606:4700:4700::1001" "1.1.1.1" "1.0.0.1" ];
};
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;