From 1e5e82cd4956d189615691dbcda2f7b598043d52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Thu, 23 Oct 2025 10:03:03 +0800 Subject: [PATCH] vanadium/secure_dns: init --- nix/configurations/vanadium.nix | 1 + .../vanadium/nixos/connectivity.nix | 80 ------------------- .../vanadium/nixos/secure_dns.nix | 80 +++++++++++++++++++ 3 files changed, 81 insertions(+), 80 deletions(-) create mode 100644 nix/configurations/vanadium/nixos/secure_dns.nix diff --git a/nix/configurations/vanadium.nix b/nix/configurations/vanadium.nix index c9e02c13..208e712e 100644 --- a/nix/configurations/vanadium.nix +++ b/nix/configurations/vanadium.nix @@ -92,6 +92,7 @@ in ./vanadium/nixos/audio.nix ./vanadium/nixos/connectivity.nix + ./vanadium/nixos/secure_dns.nix ./vanadium/nixos/input.nix ./vanadium/nixos/misc.nix diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix index 8f107a64..5a0891fc 100644 --- a/nix/configurations/vanadium/nixos/connectivity.nix +++ b/nix/configurations/vanadium/nixos/connectivity.nix 
@@ -77,84 +77,4 @@ services.mullvad-vpn.enable = true; hardware.bluetooth.enable = true; - - # - # Secure DNS - # - # https://nixos.wiki/wiki/Encrypted_DNS - networking = { - nameservers = ["127.0.0.1" "::1"]; - dhcpcd.extraConfig = "nohook resolv.conf"; - # networkmanager.dns = "none"; - }; - - services.resolved.enable = false; - - services.dnscrypt-proxy2 = { - enable = true; - # Settings reference: - # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml - settings = { - listen_addresses = ["127.0.0.1:53"]; - ipv4_servers = true; - - require_dnssec = true; - require_nolog = true; - require_nofilter = true; - - lb_strategy = "p2"; - lb_estimator = true; - - blocked_names = { - # Blocklists are made of one pattern per line. - # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75 - blocked_names_file = let - # Prevent building up reliance on chatbots - # Gotta preserve that thinking ability of my smoof bwain - ai_list = let - src = pkgs.fetchFromGitHub { - owner = "laylavish"; - repo = "uBlockOrigin-HUGE-AI-Blocklist"; - rev = "9bb188e2701138e03f73bacebd6b19b181ca0012"; - hash = "sha256-p3wfR28DH6V8BHn9DT10d09Yq3mdbBecWwlR1CdDYUA="; - }; - in - lib.pipe (builtins.readFile "${src}/noai_hosts.txt") [ - (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case - (lib.splitString "\n") - (builtins.filter (x: ! 
(x == "" || lib.hasPrefix "#" x))) - (builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0 - ]; - - hategroup_list = let - src = pkgs.fetchFromGitHub { - owner = "chigh"; - repo = "hategroup-dnsbl"; - rev = "cc19c050997d5f54014bb20c764b131e003dfb17"; - hash = "sha256-SZBrjIBUw687MdrbOV7WrP5IhAAtKvPL2GqdcICHNvQ="; - }; - in - lib.pipe (builtins.readFile "${src}/blocklist.txt") [ - (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case - (lib.splitString "\n") - (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x))) - ]; - - combined_lists = ai_list ++ hategroup_list; - in - pkgs.writeText "dnsblocklist" (builtins.concatStringsSep "\n" combined_lists); - }; - - # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests - # query_log.file = "/var/log/dnscrypt-proxy/query.log"; - sources.public-resolvers = { - urls = [ - "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; - cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md"; - minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; - }; - }; - }; } diff --git a/nix/configurations/vanadium/nixos/secure_dns.nix b/nix/configurations/vanadium/nixos/secure_dns.nix new file mode 100644 index 00000000..eebd747a --- /dev/null +++ b/nix/configurations/vanadium/nixos/secure_dns.nix 
@@ -0,0 +1,80 @@
+# https://nixos.wiki/wiki/Encrypted_DNS
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ networking = {
+ nameservers = ["127.0.0.1" "::1"];
+ dhcpcd.extraConfig = "nohook resolv.conf";
+ # networkmanager.dns = "none";
+ };
+
+ services.resolved.enable = false;
+
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ # Settings reference:
+ # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+ settings = {
+ listen_addresses = ["127.0.0.1:53"];
+ ipv4_servers = true;
+
+ require_dnssec = true;
+ require_nolog = true;
+ require_nofilter = true;
+
+ lb_strategy = "p2";
+ lb_estimator = true;
+
+ # Blocklists are made of one pattern per line.
+ # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75
+ blocked_names.blocked_names_file = let
+ # Prevent building up reliance on chatbots
+ # Gotta preserve that thinking ability of my smoof bwain
+ ai_list = let
+ src = pkgs.fetchFromGitHub {
+ owner = "laylavish";
+ repo = "uBlockOrigin-HUGE-AI-Blocklist";
+ rev = "9bb188e2701138e03f73bacebd6b19b181ca0012";
+ hash = "sha256-p3wfR28DH6V8BHn9DT10d09Yq3mdbBecWwlR1CdDYUA=";
+ };
+ in
+ lib.pipe (builtins.readFile "${src}/noai_hosts.txt") [
+ (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case
+ (lib.splitString "\n")
+ (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x)))
+ (builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0
+ ];
+
+ hategroup_list = let
+ src = pkgs.fetchFromGitHub {
+ owner = "chigh";
+ repo = "hategroup-dnsbl";
+ rev = "cc19c050997d5f54014bb20c764b131e003dfb17";
+ hash = "sha256-SZBrjIBUw687MdrbOV7WrP5IhAAtKvPL2GqdcICHNvQ=";
+ };
+ in
+ lib.pipe (builtins.readFile "${src}/blocklist.txt") [
+ (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case
+ (lib.splitString "\n")
+ (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x)))
+ ];
+
+ combined_lists = ai_list ++ hategroup_list;
+ in
+ pkgs.writeText "dnsblocklist" (builtins.concatStringsSep "\n" combined_lists);
+
+ # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests
+ # query_log.file = "/var/log/dnscrypt-proxy/query.log";
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+ };
+ };
+}
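Review bot: `nameservers = ["127.0.0.1" "::1"]` advertises an IPv6 loopback resolver, but `listen_addresses = ["127.0.0.1:53"]` binds only IPv4, so any client that tries `::1` first gets a refused or unanswered query before falling back; either bind both with `listen_addresses = ["127.0.0.1:53" "[::1]:53"];` or drop `::1` from `nameservers`. The `# networkmanager.dns = "none";` line stays commented out while `dhcpcd.extraConfig = "nohook resolv.conf"` only stops dhcpcd from rewriting resolv.conf; if NetworkManager or the Mullvad client enabled in connectivity.nix manages DNS on this host, it can still install DHCP- or VPN-provided nameservers and bypass the proxy, which is worth confirming with the commented-out `query_log.file` check before relying on the blocklists. `require_dnssec = true` selects upstreams that advertise DNSSEC but, as far as I know, dnscrypt-proxy does not validate signatures locally, so a comment such as `# picks DNSSEC-capable upstreams; validation happens upstream, not on this host` would stop it being read as local validation. Lastly, `builtins.elemAt (lib.splitString " " x) 1` assumes every non-comment line of noai_hosts.txt is exactly `0.0.0.0<space>host`; with the rev and hash pinned this is deterministic, but a future bump to a file using tabs or trailing comments would fail evaluation or emit a wrong pattern, so recording that assumption in a comment (or taking `lib.last` of whitespace-split fields) is cheap insurance.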