diff --git a/machines/fuuko/services/dnsmasq.nix b/machines/fuuko/services/dnsmasq.nix
index f49e8d0..ab57826 100644
--- a/machines/fuuko/services/dnsmasq.nix
+++ b/machines/fuuko/services/dnsmasq.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
 services.dnsmasq = {
@@ -30,36 +30,18 @@
 leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
 };
- services.stubby = {
- enable = true;
- listenAddresses = [
- "127.0.0.1@5353"
- "0::1@5353"
- ];
- upstreamServers = (lib.concatMapStrings
- (server: with server; " - { address_data: ${addr}, tls_auth_name: \"${authName}\" }\n")
- (lib.flatten
- (lib.mapAttrsToList
- (authName: addrs: map (addr: { inherit addr authName; }) addrs)
- {
- "dns.digitale-gesellschaft.ch" = [
- "185.95.218.42"
- "185.95.218.43"
- "2a05:fc84::42"
- "2a05:fc84::43"
- ];
- "dns3.digitalcourage.de" = [
- "5.9.164.112"
- ];
- "dnsovertls.sinodun.com" = [
- "145.100.185.15"
- "2001:610:1:40ba:145:100:185:15"
- ];
- "dnsovertls1.sinodun.com" = [
- "145.100.185.16"
- "2001:610:1:40ba:145:100:185:16"
- ];
- })));
+ systemd.services.https-dns-proxy = {
+ after = [ "network.target" ];
+ before = [ "nss-lookup.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.https-dns-proxy}/bin/https_dns_proxy -p 5353 -r https://dns.digitale-gesellschaft.ch/dns-query";
+ Restart = "on-failure";
+ TimeoutStopSec = "10";
+ DynamicUser = true;
+ };
 };
 networking.firewall.allowedUDPPorts = [ 53 67 ];
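Review bot: The new `ExecStart` line names the DoH upstream only by hostname and passes no `-b`, so https_dns_proxy has to resolve `dns.digitale-gesellschaft.ch` through its built-in bootstrap resolvers (third-party public resolvers by default, as far as I know) in plaintext before any encrypted query can flow, whereas the removed stubby block pinned literal addresses for four providers and needed no bootstrap step at all. Consider fixing both the bootstrap set and the listen address explicitly, e.g. `ExecStart = "${pkgs.https-dns-proxy}/bin/https_dns_proxy -a 127.0.0.1 -p 5353 -b 185.95.218.42,185.95.218.43 -r https://dns.digitale-gesellschaft.ch/dns-query";`, so that a change in the tool's defaults cannot silently move where dnsmasq's forwarded traffic goes (dnsmasq's upstream setting itself is outside this hunk, so I am assuming it targets 127.0.0.1 port 5353). A single `-r` upstream is also a single point of failure compared with the previous four; if that provider is unreachable, local resolution stops while the process keeps running, so `Restart = "on-failure"` will not recover it. `DynamicUser = true` is a good baseline; adding `NoNewPrivileges = true; ProtectSystem = "strict"; PrivateDevices = true;` to `serviceConfig` would further limit what a compromised proxy could reach, and ordering after `network-online.target` rather than `network.target` better matches a unit that needs outbound connectivity from its first request.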