From e6abf27d615c6e34f553ac49b36481c968a79cc7 Mon Sep 17 00:00:00 2001
From: Jakub Czajka
Date: Sat, 24 Dec 2022 10:01:36 +0100
Subject: [PATCH] [system] Encrypt DNS traffic.

Redirect DNS requests through `dnscrypt-proxy`, which encrypts the traffic.
---
 conf/system/dns.scm | 105 +++++++++++++++++++++
 dns/etc/dnscrypt-proxy/dnscrypt-proxy.toml | 67 +++++++++++++
 dns/etc/resolv.conf | 6 ++
 system.scm | 6 +-
 4 files changed, 182 insertions(+), 2 deletions(-)
 create mode 100644 conf/system/dns.scm
 create mode 100644 dns/etc/dnscrypt-proxy/dnscrypt-proxy.toml
 create mode 100644 dns/etc/resolv.conf

diff --git a/conf/system/dns.scm b/conf/system/dns.scm
new file mode 100644
index 0000000..b0b235e
--- /dev/null
+++ b/conf/system/dns.scm
@@ -0,0 +1,105 @@
+;; Copyright (c) 2022 Jakub Czajka
+;; License: GPL-3.0 or later.
+;;
+;; dns.scm - package for DNSCrypt.
+
+(define-module (conf system dns)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages golang)
+ #:use-module (gnu services)
+ #:use-module (gnu services shepherd)
+ #:use-module (guix build-system go)
+ #:use-module (guix gexp)
+ #:use-module (guix git-download)
+ #:use-module (guix licenses)
+ #:use-module (guix packages)
+ #:use-module (guix records)
+ #:use-module (guix utils)
+ #:use-module (ice-9 match)
+ #:export (dnscrypt-proxy
+ dnscrypt-proxy-configuration
+ dnscrypt-proxy-configuration?
+ dnscrypt-proxy-xresources
+ dnscrypt-proxy-service
+ dnscrypt-proxy-service-type))
+
+(define-public dnscrypt-proxy
+ (package
+ (name "dnscrypt-proxy")
+ (version "2.0.42")
+ (source
+ (origin
+ (method git-fetch)
+ (uri
+ (git-reference
+ (url "https://github.com/DNSCrypt/dnscrypt-proxy.git")
+ (commit version)))
+ (file-name
+ (git-file-name name
+ version))
+ (sha256
+ (base32
+ "1v4n0pkwcilxm4mnj4fsd4gf8pficjj40jnmfkiwl7ngznjxwkyw"))))
+ (build-system go-build-system)
+ (arguments
+ `(#:import-path "github.com/DNSCrypt/dnscrypt-proxy/dnscrypt-proxy"
+ #:unpack-path "github.com/DNSCrypt/dnscrypt-proxy"
+ #:install-source? #f))
+ (inputs
+ `(("go-golang-org-x-crypto" ,go-golang-org-x-crypto)
+ ("go-golang-org-x-net" ,go-golang-org-x-net)
+ ("go-golang-org-x-sys" ,go-golang-org-x-sys)
+ ("go-golang-org-x-text" ,go-golang-org-x-text)))
+ (home-page "https://dnscrypt.info")
+ (synopsis "Secure and flexible DNS proxy")
+ (description "@command{dnscrypt-proxy} is a flexible DNS proxy, with
+support for modern encrypted DNS protocols such as DNSCrypt v2 and
+DNS-over-HTTPS.")
+ (license isc)))
+
+(define-record-type*
+ dnscrypt-proxy-configuration make-dnscrypt-proxy-configuration
+ dnscrypt-proxy-configuration?
+ (package dnscrypt-proxy-configuration-package
+ (default dnscrypt-proxy))
+ (config-file dnscrypt-proxy-configuration-config-file
+ (default (string-concatenate
+ (list (getenv "GUIX_PACKAGE_PATH")
+ "/dns/etc/dnscrypt-proxy/dnscrypt-proxy.toml")))))
+
+(define dnscrypt-proxy-shepherd-service
+ (match-lambda
+ (($ package config-file)
+ (shepherd-service
+ (provision '(dnscrypt-proxy dns))
+ (start #~(make-forkexec-constructor
+ (list #$(file-append package "/bin/dnscrypt-proxy")
+ "-config"
+ "/etc/dnscrypt-proxy.toml")
+ #:log-file
+ "/var/log/dnscrypt-proxy.log"))
+ (stop #~(make-kill-destructor))
+ (documentation "Dnscrypt-proxy server.")))))
+
+(define (symlink-dnscrypt-proxy-dotfiles config)
+ (list `("dnscrypt-proxy.toml"
+ ,(local-file
+ (dnscrypt-proxy-configuration-config-file config)))
+ `("resolv.conf"
+ ,(local-file (string-concatenate
+ (list (getenv "GUIX_PACKAGE_PATH")
+ "/dns/etc/resolv.conf"))))))
+
+(define dnscrypt-proxy-service-type
+ (service-type
+ (name 'dnscrypt-proxy)
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list dnscrypt-proxy-shepherd-service))
+ (service-extension etc-service-type
+ symlink-dnscrypt-proxy-dotfiles)))
+ (default-value (dnscrypt-proxy-configuration))
+ (description "Shepherd service which runs the `dnscrypt-proxy` server.")))
+
+(define dnscrypt-proxy-service
+ (service dnscrypt-proxy-service-type))
diff --git a/dns/etc/dnscrypt-proxy/dnscrypt-proxy.toml b/dns/etc/dnscrypt-proxy/dnscrypt-proxy.toml
new file mode 100644
index 0000000..f2706f5
--- /dev/null
+++ b/dns/etc/dnscrypt-proxy/dnscrypt-proxy.toml
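Review bot: The `config-file` default and `symlink-dnscrypt-proxy-dotfiles` both build paths with `(string-concatenate (list (getenv "GUIX_PACKAGE_PATH") ...))`, which raises a wrong-type error when the variable is unset (`getenv` returns `#f`) and yields a bogus path when it holds several directories, since Guix documents that variable as a colon-separated list. Reading the invoking shell's environment at evaluation time also makes the resulting system depend on how `guix system` was launched; a path resolved relative to this module, or a field the caller must set explicitly, would be reproducible, and the resolv.conf entry should then come from the configuration record instead of ignoring it. `#:export` names `dnscrypt-proxy-xresources`, which nothing in the module defines. The shepherd service declares no `requirement`, so it can be started before the network and the syslog daemon it logs to are up; `(requirement '(networking syslogd))` next to the `provision` line would order it.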
@@ -0,0 +1,67 @@
+# Copyright (c) 2022 Jakub Czajka
+# License: GPL-3.0 or later.
+#
+# dnscrypt-proxy configuration file.
+# Sources:
+# https://github.com/DNSCrypt/dnscrypt-proxy/wiki
+# https://hispagatos.org/post/dnscrypt-proxy-arch-tut
+
+# Must be declared in [static].
+server_names = ['dnscrypt.eu-nl', 'dnscrypt.uk-ipv4', 'ffmuc.net', 'meganerd', 'publicarray-au-doh', 'scaleway-ams', 'scaleway-fr', 'v.dnscrypt.uk-ipv4']
+
+#
+listen_addresses = ['127.0.0.1:53']
+
+# Use servers reachable over IPv4.
+ipv4_servers = true
+
+# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6
+# connectivity.
+ipv6_servers = false
+block_ipv6 = false
+
+# Use servers implementing the DNSCrypt protocol.
+dnscrypt_servers = true
+
+# Use servers implementing the DNS-over-HTTPS protocol.
+doh_servers = true
+
+# Do not use servers implementing the Oblivious DNS-over-HTTPS protocol.
+#odoh_servers = false
+
+# Server must support DNS security extensions (DNSSEC).
+require_dnssec = false
+
+# Server must not log user queries (declarative).
+require_nolog = true
+
+# Server must not enforce its own blacklist (for parental control, ads
+# blocking...).
+require_nofilter = true
+
+# Set log to syslog.
+use_syslog = true
+
+# Response for blocked queries.
+blocked_query_response = 'refused'
+
+# Fallback and netprobe addresses.
+fallback_resolvers = ['91.239.100.100:53']
+netprobe_address = '91.239.100.100:53'
+
+# Cache DNS responses.
+cache = true
+
+# Create new & unique key for every single DNS query
+dnscrypt_ephemeral_keys = true
+
+# List of resolvers:
+# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+[static]
+
+ [sources.'public-resolvers']
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
+ cache_file = '/etc/dnscrypt-proxy/public-resolvers.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
+ prefix = ''
diff --git a/dns/etc/resolv.conf b/dns/etc/resolv.conf
new file mode 100644
index 0000000..c500fd4
--- /dev/null
+++ b/dns/etc/resolv.conf
@@ -0,0 +1,6 @@
+# Copyright (c) 2022 Jakub Czajka
+# License: GPL-3.0 or later.
+#
+# Use dnscrypt-proxy
+nameserver 127.0.0.1
+options edns0
diff --git a/system.scm b/system.scm
index 26bf5a9..4766d54 100644
--- a/system.scm
+++ b/system.scm
@@ -3,7 +3,8 @@
 ;; ;; system.scm - system configuration for GNU Guix.
-(use-modules (conf system volume)
+(use-modules (conf system dns)
+ (conf system volume)
 (gnu) (gnu system nss))
@@ -68,5 +69,6 @@
 (name-service-switch %mdns-host-lookup-nss) (services (append
- (list (service gnome-desktop-service-type))
+ (list (service gnome-desktop-service-type)
+ dnscrypt-proxy-service)
 %desktop-services)))
--
2.39.5
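Review bot: The daemon keeps root for its whole lifetime: this file sets no `user_name`, and the shepherd constructor in dns.scm passes no `#:user`, so a process that parses DNS responses from the network runs fully privileged when it only needs root to bind 127.0.0.1:53. `user_name = 'nobody'` makes dnscrypt-proxy drop privileges after binding; `cache_file` must then point at a directory that user can write, and `/etc/dnscrypt-proxy/` is in any case created by nothing in this patch (the etc extension installs only the two symlinks), so unless the daemon creates it the resolver list is never cached. Two comments contradict their settings: `# Must be declared in [static].` above `server_names`, while `[static]` is empty and the names come from the `public-resolvers` source, and `# Server must support DNS security extensions (DNSSEC).` above `require_dnssec = false`. The bare `#` above `listen_addresses` could say `# Loopback only; clients reach the proxy through the nameserver entry in resolv.conf.`, and `fallback_resolvers`/`netprobe_address` deserve a note that they are queried over plain DNS while bootstrapping, since that is the one unencrypted path left.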
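Review bot: Installing this file through `etc-service-type` makes `/etc/resolv.conf` a symlink to a read-only store item, while `%desktop-services` in system.scm brings in NetworkManager, which by default rewrites resolv.conf from the active connection; which side wins is not decided by this patch, and if NetworkManager does, queries bypass the proxy without any error. As far as I recall the `dns` field of `network-manager-configuration` controls this and accepts `"none"`, which would pin the loopback resolver. A comment here stating that nothing else may manage resolv.conf would warn the next maintainer.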