nixos/modules/system/dns-over-tls.nix

# DNS-over-TLS Module
# Provides: Encrypted DNS (DNS-over-TLS) with DNSSEC validation via systemd-resolved
#
# Usage:
# myModules.dnsOverTls = {
# enable = true;
# dnssec = true; # default: true
# primaryDns = [ "9.9.9.9" "1.1.1.1" ]; # default: Quad9 (9.9.9.9, 149.112.112.112) + Cloudflare (1.1.1.1, 1.0.0.1)
# fallbackDns = [ "1.1.1.1" "1.0.0.1" ]; # default: Cloudflare (1.1.1.1, 1.0.0.1)
# };
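{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.myModules.dnsOverTls;
in
{
  options.myModules.dnsOverTls = {
    enable = lib.mkEnableOption "DNS-over-TLS with DNSSEC";

    dnssec = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Enable DNSSEC validation";
    };

    primaryDns = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [
        "9.9.9.9"
        "149.112.112.112"
        "1.1.1.1"
        "1.0.0.1"
      ];
      description = "Primary DNS servers (Quad9 + Cloudflare by default)";
    };

    fallbackDns = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [
        "1.1.1.1"
        "1.0.0.1"
      ];
      description = "Fallback DNS servers";
    };
  };

  config = lib.mkIf cfg.enable {
    # Upstream resolvers; the resolved module turns these into its global
    # server list.
    networking.nameservers = cfg.primaryDns;

    # Only point NetworkManager at resolved when NetworkManager is actually in
    # use; on hosts without it the setting would be dead configuration.
    networking.networkmanager.dns =
      lib.mkIf config.networking.networkmanager.enable "systemd-resolved";

    services.resolved = {
      enable = true;

      # "true" hard-fails lookups whose DNSSEC validation fails (there is no
      # downgrade to unvalidated answers). Validation depends on an accurate
      # system clock, so a badly skewed clock at first boot can make every
      # lookup fail until time is synced.
      dnssec = lib.boolToString cfg.dnssec;

      # "~." is a routing-only domain: every query goes to the servers above
      # instead of per-link resolvers (e.g. ones learned via DHCP).
      domains = [ "~." ];

      fallbackDns = cfg.fallbackDns;

      # Strict mode: resolved never downgrades to plaintext port 53; if the
      # TLS handshake or certificate check fails, resolution fails instead.
      # NOTE(review): with bare IPs the certificate is validated against the
      # IP only; the "ip#hostname" form (e.g. "9.9.9.9#<dot-hostname>") pins
      # the hostname and enables SNI, which is worth adopting in primaryDns.
      dnsovertls = "true";
    };
  };
}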