From 6f73ad90fe7f08bf5cfa1912a932d0119a60d549 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?=
Date: Sun, 2 Nov 2025 12:08:40 +0800
Subject: [PATCH] tree-wide: make secure_dns a shared module
---
 nix/configurations/hydrogen.nix | 5 +-
 nix/configurations/vanadium.nix | 2 +-
 .../vanadium/nixos/secure_dns.nix | 57 -------------------
 .../extra}/secure_dns.nix | 6 +-
 4 files changed, 6 insertions(+), 64 deletions(-)
 delete mode 100644 nix/configurations/vanadium/nixos/secure_dns.nix
 rename nix/{configurations/hydrogen/nixos => nixosModules/extra}/secure_dns.nix (98%)
diff --git a/nix/configurations/hydrogen.nix b/nix/configurations/hydrogen.nix
index 6cdc248b..d0196449 100644
--- a/nix/configurations/hydrogen.nix
+++ b/nix/configurations/hydrogen.nix
@@ -57,8 +57,11 @@ in
 ./hydrogen/nixos/misc.nix
 ./hydrogen/nixos/programs.nix
 ./hydrogen/nixos/connectivity.nix
- ./hydrogen/nixos/secure_dns.nix
+ # QUIRK:
+ # Had issue when building the installer as it fails to bootstrap itself
+ # Might be useful to disable for the first build.
+ ../nixosModules/extra/secure_dns.nix
 ../nixosModules/common/disable-command-not-found.nix
 ../nixosModules/common/network.nix
 ../nixosModules/common/sudo-conf.nix
diff --git a/nix/configurations/vanadium.nix b/nix/configurations/vanadium.nix
index 1ed762c7..0e72a47e 100644
--- a/nix/configurations/vanadium.nix
+++ b/nix/configurations/vanadium.nix
@@ -90,7 +90,6 @@ in
 ./vanadium/nixos/audio.nix
 ./vanadium/nixos/connectivity.nix
- ./vanadium/nixos/secure_dns.nix
 ./vanadium/nixos/input.nix
 ./vanadium/nixos/misc.nix
@@ -108,6 +107,7 @@ in
 ../nixosModules/common/system-nixconf.nix
 ../nixosModules/common/xscreensaver.nix
+ ../nixosModules/extra/secure_dns.nix
 ../nixosModules/extra/zram.nix
 ../nixosModules/extra/leana.nix
diff --git a/nix/configurations/vanadium/nixos/secure_dns.nix b/nix/configurations/vanadium/nixos/secure_dns.nix
deleted file mode 100644
index 1aeeff7f..00000000
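Review bot: The `# QUIRK:` comment added to the imports list in the hydrogen.nix hunk does not say what fails or how the module is meant to be disabled, so whoever builds the installer next has to rediscover both. A plausible cause, which nothing in this patch confirms, is that the module points `networking.nameservers` at loopback while dnscrypt-proxy still has to fetch its resolver list, so name resolution fails closed until the proxy is up. Consider recording the observed error and the workaround in the comment, for example `# QUIRK: installer build fails with <error>; comment out the next line for the first build, then re-enable it`, or gating the module behind an enable option so it can be switched off without editing imports. The imports list starts and ends outside this hunk.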
--- a/nix/configurations/vanadium/nixos/secure_dns.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-# https://nixos.wiki/wiki/Encrypted_DNS
-{
- lib,
- pkgs,
- ...
-}: {
- networking = {
- nameservers = ["127.0.0.1" "::1"];
- dhcpcd.extraConfig = "nohook resolv.conf";
- # networkmanager.dns = "none";
- };
-
- services.resolved.enable = false;
-
- services.dnscrypt-proxy2 = {
- enable = true;
- # Settings reference:
- # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
- settings = {
- listen_addresses = ["127.0.0.1:53"];
- ipv4_servers = true;
-
- require_dnssec = true;
- require_nolog = true;
- require_nofilter = true;
-
- lb_strategy = "p2";
- lb_estimator = true;
-
- # Blocklists are made of one pattern per line.
- # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75
- blocked_names.blocked_names_file = pkgs.concatText "dnsblocklist_combined" [
- # Prevent building up reliance on chatbots
- # Gotta preserve that thinking ability of my smoof bwain
- pkgs.ai_blocklist
- pkgs.hategroup_blocklist
-
- # Gotta purify my smoos brain for a while
- (pkgs.writeText "extra_dns_blocklist" ''
- instagram.com
- youtube.com
- '')
- ];
-
- # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests
- # query_log.file = "/var/log/dnscrypt-proxy/query.log";
- sources.public-resolvers = {
- urls = [
- "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
- "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
- ];
- cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md";
- minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
- };
- };
- };
-}
diff --git a/nix/configurations/hydrogen/nixos/secure_dns.nix b/nix/nixosModules/extra/secure_dns.nix
similarity index 98%
rename from nix/configurations/hydrogen/nixos/secure_dns.nix
rename to nix/nixosModules/extra/secure_dns.nix
index 1aeeff7f..f662db89 100644
--- a/nix/configurations/hydrogen/nixos/secure_dns.nix
+++ b/nix/nixosModules/extra/secure_dns.nix
@@ -1,9 +1,5 @@
 # https://nixos.wiki/wiki/Encrypted_DNS
-{
- lib,
- pkgs,
- ...
-}: {
+{pkgs, ...}: {
 networking = {
 nameservers = ["127.0.0.1" "::1"];
 dhcpcd.extraConfig = "nohook resolv.conf";
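Review bot: The shared module protects resolv.conf only against dhcpcd (`dhcpcd.extraConfig = "nohook resolv.conf";` in the context lines), so a host that runs NetworkManager could still get DHCP-supplied resolvers written next to the loopback entries and send queries around dnscrypt-proxy. The deleted vanadium copy, which carries the same blob id 1aeeff7f as the file renamed here, keeps `# networkmanager.dns = "none";` commented out; whether hydrogen or vanadium enable NetworkManager is not visible in this patch, so this needs checking per host. Now that more than one configuration imports the file, consider enabling `networkmanager.dns = "none";` in the module; it should be inert on hosts without NetworkManager, but confirm that before relying on it. The module body continues past the end of this hunk.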