--- /dev/null
+;; Copyright (c) 2022 Jakub Czajka <jakub@ekhem.eu.org>
+;; License: GPL-3.0 or later.
+;;
+;; dns.scm - package for DNSCrypt.
+
+(define-module (conf system dns)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages golang)
+ #:use-module (gnu services)
+ #:use-module (gnu services shepherd)
+ #:use-module (guix build-system go)
+ #:use-module (guix gexp)
+ #:use-module (guix git-download)
+ #:use-module (guix licenses)
+ #:use-module (guix packages)
+ #:use-module (guix records)
+ #:use-module (guix utils)
+ #:use-module (ice-9 match)
+ #:export (dnscrypt-proxy
+ dnscrypt-proxy-configuration
+ dnscrypt-proxy-configuration?
+ dnscrypt-proxy-xresources
+ dnscrypt-proxy-service
+ dnscrypt-proxy-service-type))
+
+(define-public dnscrypt-proxy
+ (package
+ (name "dnscrypt-proxy")
+ (version "2.0.42")
+ (source
+ (origin
+ (method git-fetch)
+ (uri
+ (git-reference
+ (url "https://github.com/DNSCrypt/dnscrypt-proxy.git")
+ (commit version)))
+ (file-name
+ (git-file-name name
+ version))
+ (sha256
+ (base32
+ "1v4n0pkwcilxm4mnj4fsd4gf8pficjj40jnmfkiwl7ngznjxwkyw"))))
+ (build-system go-build-system)
+ (arguments
+ `(#:import-path "github.com/DNSCrypt/dnscrypt-proxy/dnscrypt-proxy"
+ #:unpack-path "github.com/DNSCrypt/dnscrypt-proxy"
+ #:install-source? #f))
+ (inputs
+ `(("go-golang-org-x-crypto" ,go-golang-org-x-crypto)
+ ("go-golang-org-x-net" ,go-golang-org-x-net)
+ ("go-golang-org-x-sys" ,go-golang-org-x-sys)
+ ("go-golang-org-x-text" ,go-golang-org-x-text)))
+ (home-page "https://dnscrypt.info")
+ (synopsis "Secure and flexible DNS proxy")
+ (description "@command{dnscrypt-proxy} is a flexible DNS proxy, with
+support for modern encrypted DNS protocols such as DNSCrypt v2 and
+DNS-over-HTTPS.")
+ (license isc)))
+
+(define-record-type* <dnscrypt-proxy-configuration>
+ dnscrypt-proxy-configuration make-dnscrypt-proxy-configuration
+ dnscrypt-proxy-configuration?
+ (package dnscrypt-proxy-configuration-package
+ (default dnscrypt-proxy))
+ (config-file dnscrypt-proxy-configuration-config-file
+ (default (string-concatenate
+ (list (getenv "GUIX_PACKAGE_PATH")
+ "/dns/etc/dnscrypt-proxy/dnscrypt-proxy.toml")))))
+
+(define dnscrypt-proxy-shepherd-service
+ (match-lambda
+ (($ <dnscrypt-proxy-configuration> package config-file)
+ (shepherd-service
+ (provision '(dnscrypt-proxy dns))
+ (start #~(make-forkexec-constructor
+ (list #$(file-append package "/bin/dnscrypt-proxy")
+ "-config"
+ "/etc/dnscrypt-proxy.toml")
+ #:log-file
+ "/var/log/dnscrypt-proxy.log"))
+ (stop #~(make-kill-destructor))
+ (documentation "Dnscrypt-proxy server.")))))
+
+(define (symlink-dnscrypt-proxy-dotfiles config)
+ (list `("dnscrypt-proxy.toml"
+ ,(local-file
+ (dnscrypt-proxy-configuration-config-file config)))
+ `("resolv.conf"
+ ,(local-file (string-concatenate
+ (list (getenv "GUIX_PACKAGE_PATH")
+ "/dns/etc/resolv.conf"))))))
+
+(define dnscrypt-proxy-service-type
+ (service-type
+ (name 'dnscrypt-proxy)
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list dnscrypt-proxy-shepherd-service))
+ (service-extension etc-service-type
+ symlink-dnscrypt-proxy-dotfiles)))
+ (default-value (dnscrypt-proxy-configuration))
+ (description "Shepherd service which runs the `dnscrypt-proxy` server.")))
+
+(define dnscrypt-proxy-service
+ (service dnscrypt-proxy-service-type))
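Review bot: The daemon runs as root, because the `make-forkexec-constructor` call at L76–L81 passes no `#:user`/`#:group`, and dnscrypt-proxy parses responses from remote resolvers plus a resolver list fetched over HTTPS, so it should be dropped to a dedicated system account via an `account-service-type` extension and `#:user "dnscrypt-proxy" #:group "dnscrypt-proxy"` on the constructor (the `127.0.0.1:53` listener in the config then needs either an unprivileged port or the bind capability, which this hunk does not arrange). The `(getenv "GUIX_PACKAGE_PATH")` defaults at L67–L69 and L90–L92 are evaluated when the module loads: if the variable is unset, `string-concatenate` receives `#f` and the whole module fails to load, and if it holds several colon-separated directories the resulting path is wrong, so the config path should be an explicit parameter with a store-relative default rather than derived from the build environment. The shepherd service also declares no `(requirement '(networking))`, so it can be started before the network is up and the netprobe/bootstrap in the config will spend its timeout on every boot. Finally, 2.0.42 at L30 predates the 2.1 series; the pinned commit is verified by the hash, but the version should be bumped and the hash refreshed.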
--- /dev/null
+# Copyright (c) 2022 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+#
+# dnscrypt-proxy configuration file.
+# Sources:
+# https://github.com/DNSCrypt/dnscrypt-proxy/wiki
+# https://hispagatos.org/post/dnscrypt-proxy-arch-tut
+
+# Must be declared in [static].
+server_names = ['dnscrypt.eu-nl', 'dnscrypt.uk-ipv4', 'ffmuc.net', 'meganerd', 'publicarray-au-doh', 'scaleway-ams', 'scaleway-fr', 'v.dnscrypt.uk-ipv4']
+
+#
+listen_addresses = ['127.0.0.1:53']
+
+# Use servers reachable over IPv4.
+ipv4_servers = true
+
+# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6
+# connectivity.
+ipv6_servers = false
+block_ipv6 = false
+
+# Use servers implementing the DNSCrypt protocol.
+dnscrypt_servers = true
+
+# Use servers implementing the DNS-over-HTTPS protocol.
+doh_servers = true
+
+# Do not use servers implementing the Oblivious DNS-over-HTTPS protocol.
+#odoh_servers = false
+
+# Server must support DNS security extensions (DNSSEC).
+require_dnssec = false
+
+# Server must not log user queries (declarative).
+require_nolog = true
+
+# Server must not enforce its own blacklist (for parental control, ads
+# blocking...).
+require_nofilter = true
+
+# Set log to syslog.
+use_syslog = true
+
+# Response for blocked queries.
+blocked_query_response = 'refused'
+
+# Fallback and netprobe addresses.
+fallback_resolvers = ['91.239.100.100:53']
+netprobe_address = '91.239.100.100:53'
+
+# Cache DNS responses.
+cache = true
+
+# Create new & unique key for every single DNS query
+dnscrypt_ephemeral_keys = true
+
+# List of resolvers:
+# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+[static]
+
+ [sources.'public-resolvers']
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
+ cache_file = '/etc/dnscrypt-proxy/public-resolvers.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
+ prefix = ''
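Review bot: `cache_file = '/etc/dnscrypt-proxy/public-resolvers.md'` at L171 points into a directory nothing in this change creates, and the sibling service installs the config as `/etc/dnscrypt-proxy.toml` rather than under `/etc/dnscrypt-proxy/`, so the signed resolver list presumably cannot be written and the proxy has no servers to choose from; a writable location such as `cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'`, created by the service, avoids that. The comment at L116, `# Must be declared in [static].`, is misleading: the listed names come from the `public-resolvers` source, and the `[static]` table at L167 is empty since `[sources.'public-resolvers']` is its own top-level table regardless of indentation; `# Names must exist in the public-resolvers source below.` would be accurate. Note that `fallback_resolvers`/`netprobe_address` at L156–L157 are plaintext DNS to 91.239.100.100 and are used to bootstrap the source URLs, so those lookups are unencrypted, and `require_dnssec = false` at L140 means resolvers that do not validate are still eligible; both are acceptable trade-offs but deserve a comment saying so.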