From b31fd3e7c4c2c4dcaf8e70724f648df025524556 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Wed, 18 Dec 2024 15:18:46 +0100
Subject: [PATCH 01/16] [postgres][miniflux] Permit local connections.

---
 postgres/pg_hba.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/postgres/pg_hba.conf b/postgres/pg_hba.conf
index 9feaea8..c2b6b1e 100755
--- a/postgres/pg_hba.conf
+++ b/postgres/pg_hba.conf
@@ -95,6 +95,8 @@ local   mail_db         dovecot                                  trust
 host    mail_db         dovecot          ::1/128                 trust
 host    mail_db         dkim             ::1/128                 trust
 host    analytics_db    rsyslog          ::1/128                 trust
+host    rss_db          miniflux         ::1/128                 trust
+local   rss_db          miniflux                                 trust
 local   analytics_db    analytics_reader                         trust
 local   gym_db          gym_tracker                              trust
 local   matrix_db       synapse_user                             trust
-- 
2.39.5


From 8594e9d2f72e24eb3eb95088d908c66348a6eeb5 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Wed, 18 Dec 2024 15:33:05 +0100
Subject: [PATCH 02/16] [miniflux] Customize configuration and add license.

---
 miniflux/miniflux.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/miniflux/miniflux.conf b/miniflux/miniflux.conf
index ec6028a..ab42455 100644
--- a/miniflux/miniflux.conf
+++ b/miniflux/miniflux.conf
@@ -1,3 +1,7 @@
-# See https://miniflux.app/docs/configuration.html
+# Copyright (c) 2024 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
 
+DATABASE_URL=user=miniflux dbname=${RSS_DB}
+LOG_LEVEL=error
+PORT=4080
 RUN_MIGRATIONS=1
-- 
2.39.5


From 87ff13f6567b8258c75549c19dbda2b7b397a3c2 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Wed, 18 Dec 2024 15:42:38 +0100
Subject: [PATCH 03/16] [miniflux] Configure nginx.

---
 miniflux/rss.conf | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 miniflux/rss.conf

diff --git a/miniflux/rss.conf b/miniflux/rss.conf
new file mode 100644
index 0000000..dbe0a09
--- /dev/null
+++ b/miniflux/rss.conf
@@ -0,0 +1,39 @@
+# Copyright (c) 2024 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+server {
+    server_name  rss.${private_domain};
+
+    listen       [::]:443 ssl http2;
+    listen       443 ssl http2;
+
+    ssl_certificate ${private_ssl_cert_dir}/fullchain.pem;
+    ssl_certificate_key ${private_ssl_cert_dir}/privkey.pem;
+
+    ssl_client_certificate ${ca_dir}/ca.pem;
+    ssl_verify_client on;
+
+    root ${prod_dir}/${rss};
+
+    location / {
+        proxy_pass http://127.0.0.1:4080;
+        proxy_redirect off;
+        proxy_set_header Host ${dollar}host;
+        proxy_set_header X-Real-IP ${dollar}remote_addr;
+        proxy_set_header X-Forwarded-For ${dollar}proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto ${dollar}scheme;
+    }
+}
+
+server {
+    server_name  rss.${private_domain};
+
+    listen       [::]:80;
+    listen       80;
+
+    if (${dollar}host = rss.${private_domain}) {
+        return 301 https://${dollar}host${dollar}request_uri;
+    }
+
+    return 404;
+}
-- 
2.39.5


From d73abfead2923dd1ccfca7f2982f375e9a9983c7 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Wed, 18 Dec 2024 16:34:10 +0100
Subject: [PATCH 04/16] [miniflux] Create database.

---
 databases/rss/miniflux_db_create.sql | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 databases/rss/miniflux_db_create.sql

diff --git a/databases/rss/miniflux_db_create.sql b/databases/rss/miniflux_db_create.sql
new file mode 100644
index 0000000..633bd96
--- /dev/null
+++ b/databases/rss/miniflux_db_create.sql
@@ -0,0 +1,20 @@
+-- Copyright (c) 2024 Jakub Czajka <jakub@ekhem.eu.org>
+-- License: 0BSD.
+
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT * FROM pg_user WHERE usename = 'miniflux')
+    THEN
+        CREATE USER miniflux;
+    END IF;
+END$$;
+
+CREATE DATABASE rss_db
+    ENCODING 'UTF8'
+    LC_COLLATE='C'
+    LC_CTYPE='C'
+    TEMPLATE=template0
+    OWNER miniflux;
+
+-- See https://miniflux.app/docs/database.html.
+EXECUTE FORMAT('CREATE EXTENSION IF NOT EXISTS HSTORE')
-- 
2.39.5


From 9a7656669db43e5f5f260b4b3b2f5f8ef31f3d83 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Wed, 18 Dec 2024 16:58:41 +0100
Subject: [PATCH 05/16] [miniflux] Download entries with ydlpd.

---
 miniflux/download.sh | 27 +++++++++++++++++++++++++++
 miniflux/rss.conf    | 20 ++++++++++++++++++++
 miniflux/ydlpd.sh    | 40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100755 miniflux/download.sh
 create mode 100755 miniflux/ydlpd.sh

diff --git a/miniflux/download.sh b/miniflux/download.sh
new file mode 100755
index 0000000..88d62a5
--- /dev/null
+++ b/miniflux/download.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+# Copyright (c) 2024 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+#
+# Clicking on the "Download" button on entry's page sends a POST request to
+# /entry/download/<entry_id>. This script resolves the <entry_id> to an <url>
+# and redirects the client to /ydlpd?url=<url> with HTTP 303 See Other [1]. This
+# causes the client to automatically send a GET request to that address.
+#
+# [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/303
+
+. /etc/environment
+
+VIDEO=$(/usr/bin/psql --user=miniflux \
+                      --dbname=${RSS_DB} \
+                      --tuples-only \
+                      --no-align \
+                      --command="
+SELECT url
+FROM entries
+WHERE id = ${ENTRY_ID}")
+
+echo "HTTP/1.1 303 See Other"
+echo "Location: /ydlpd?url=${VIDEO}"
+echo "Content-Type: text/html; charset=UTF-8"
+echo "Content-Length: 0"
+echo ""
diff --git a/miniflux/rss.conf b/miniflux/rss.conf
index dbe0a09..9cc60e6 100644
--- a/miniflux/rss.conf
+++ b/miniflux/rss.conf
@@ -15,6 +15,26 @@ server {
 
     root ${prod_dir}/${rss};
 
+    location ~ ^/entry/download/(\d+)$ {
+        include fastcgi_params;
+        fastcgi_pass unix:/var/run/fcgiwrap.socket;
+
+        fastcgi_read_timeout 30;
+
+        fastcgi_param ENTRY_ID ${dollar}1;
+        fastcgi_param SCRIPT_FILENAME ${dollar}document_root/download.sh;
+    }
+
+    location ~ ^/ydlpd(.*)$ {
+        include fastcgi_params;
+        fastcgi_pass unix:/var/run/fcgiwrap.socket;
+
+        fastcgi_read_timeout 30;
+
+        fastcgi_param URL ${dollar}arg_url;
+        fastcgi_param SCRIPT_FILENAME ${dollar}document_root/ydlpd.sh;
+    }
+
     location / {
         proxy_pass http://127.0.0.1:4080;
         proxy_redirect off;
diff --git a/miniflux/ydlpd.sh b/miniflux/ydlpd.sh
new file mode 100755
index 0000000..3f3b3fa
--- /dev/null
+++ b/miniflux/ydlpd.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Copyright (c) 2024 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+#
+# If user downloads entry's page, miniflux embeds the HTML. The response needs to
+# have the following format [1]:
+#
+# {
+#   "content": "<page's HTML>",
+#   "reading_time": "<integer>"
+# }
+#
+# Moreover, the HTML embeded in JSON needs to have '\n' instead of new lines.
+# This script returns a HTML form to select the format for download and passes
+# it alongside video's URL to ydlpd for download.
+#
+# [1] https://github.com/miniflux/v2/blob/main/internal/ui/static/js/app.js#L355
+
+. /etc/environment
+
+PAGE=$(echo "\
+<form id='ydlpd' action='https://yt.${private_domain}/download'>
+  <fieldset>
+    <input type='text' id='url' name='url' value='${URL}' required />
+    <div class='container'>
+      <select id='format' name='format'>
+        <option value=''>--Select format--</option>
+        <option value='video'>video</option>
+        <option value='audio'>audio</option>
+      </select>
+      <button type='submit'>Download</button>
+    </div>
+  </fieldset>
+</form>" | sed 's/^[ \t]*//g')
+
+echo "HTTP/1.1 200 OK"
+echo "Content-type: text/json"
+echo ""
+echo -n "{\"content\": \"${PAGE}\"" | sed --null-data 's/\n/\\n/g'
+echo -n ", \"reading_time\": \"1\"}"
-- 
2.39.5


From 14ba38185c092e59f08258a04136c3554ca99869 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Wed, 18 Dec 2024 17:02:55 +0100
Subject: [PATCH 06/16] [miniflux] Style ydlpd integration with CSS.

---
 miniflux/rss.conf  |  4 ++++
 miniflux/ydlpd.css | 24 ++++++++++++++++++++++++
 miniflux/ydlpd.sh  |  3 +++
 3 files changed, 31 insertions(+)
 create mode 100644 miniflux/ydlpd.css

diff --git a/miniflux/rss.conf b/miniflux/rss.conf
index 9cc60e6..76d7856 100644
--- a/miniflux/rss.conf
+++ b/miniflux/rss.conf
@@ -35,6 +35,10 @@ server {
         fastcgi_param SCRIPT_FILENAME ${dollar}document_root/ydlpd.sh;
     }
 
+    location = /ydlpd.css {
+        try_files /ydlpd.css =404;
+    }
+
     location / {
         proxy_pass http://127.0.0.1:4080;
         proxy_redirect off;
diff --git a/miniflux/ydlpd.css b/miniflux/ydlpd.css
new file mode 100644
index 0000000..bd3baef
--- /dev/null
+++ b/miniflux/ydlpd.css
@@ -0,0 +1,24 @@
+#ydlpd {
+  width: 100%;
+}
+#ydlpd fieldset {
+  background-color: #7fa99b;
+  border: solid;
+  display: flex;
+  flex-direction: column;
+  justify-content: space-evenly;
+  row-gap: 5px;
+  width: 100%;
+}
+#ydlpd input {
+  width: 100%;
+}
+#ydlpd select, button {
+  font-size: .7em;
+  height: 100%;
+  padding: 5px;
+}
+#ydlpd .container {
+  display: flex;
+  justify-content: space-evenly;
+}
diff --git a/miniflux/ydlpd.sh b/miniflux/ydlpd.sh
index 3f3b3fa..48fbb69 100755
--- a/miniflux/ydlpd.sh
+++ b/miniflux/ydlpd.sh
@@ -18,7 +18,10 @@
 
 . /etc/environment
 
+# Miniflux page's configuration does not permit defining CSS in <style> or
+# inline. However, it can be defined in a stylesheet file.
 PAGE=$(echo "\
+<link rel='stylesheet' href='/ydlpd.css'>
 <form id='ydlpd' action='https://yt.${private_domain}/download'>
   <fieldset>
     <input type='text' id='url' name='url' value='${URL}' required />
-- 
2.39.5


From 92fb59fcf54843fc859118b7d3192a6c9509074f Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Thu, 2 Jan 2025 14:05:16 +0100
Subject: [PATCH 07/16] [postgres] Permit authentication for kwerenda.

---
 postgres/pg_hba.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/postgres/pg_hba.conf b/postgres/pg_hba.conf
index c2b6b1e..1d278a6 100755
--- a/postgres/pg_hba.conf
+++ b/postgres/pg_hba.conf
@@ -91,6 +91,7 @@ local   all             postgres                                 trust
 
 # TYPE  DATABASE        USER             ADDRESS                 METHOD
 
+host    all             authenticator    ::1/128                 trust
 local   mail_db         dovecot                                  trust
 host    mail_db         dovecot          ::1/128                 trust
 host    mail_db         dkim             ::1/128                 trust
-- 
2.39.5


From f2e8b7c60f9d0f5714a91435fea0078b1ac3eb45 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sun, 23 Mar 2025 12:41:21 +0100
Subject: [PATCH 08/16] [dns] Add default configuration for dnscrypt-proxy.

---
 dnscrypt-proxy/dnscrypt-proxy.conf    |  20 +
 dnscrypt-proxy/dnscrypt-proxy.service |  20 +
 dnscrypt-proxy/dnscrypt-proxy.toml    | 909 ++++++++++++++++++++++++++
 dnscrypt-proxy/resolv.conf            |   2 +
 4 files changed, 951 insertions(+)
 create mode 100644 dnscrypt-proxy/dnscrypt-proxy.conf
 create mode 100644 dnscrypt-proxy/dnscrypt-proxy.service
 create mode 100644 dnscrypt-proxy/dnscrypt-proxy.toml
 create mode 100644 dnscrypt-proxy/resolv.conf

diff --git a/dnscrypt-proxy/dnscrypt-proxy.conf b/dnscrypt-proxy/dnscrypt-proxy.conf
new file mode 100644
index 0000000..6e8daaa
--- /dev/null
+++ b/dnscrypt-proxy/dnscrypt-proxy.conf
@@ -0,0 +1,20 @@
+# Copyright (c) 2025 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+stream {
+    # DNS upstream pool
+    upstream dnscrypt-proxy {
+        zone dns 64k;
+        server 127.0.0.1:53;
+    }
+
+    # DoT server for decryption
+    server {
+        listen       853 ssl;
+
+        ssl_certificate ${private_ssl_cert_dir}/fullchain.pem;
+        ssl_certificate_key ${private_ssl_cert_dir}/privkey.pem;
+
+        proxy_pass dnscrypt-proxy;
+    }
+}
diff --git a/dnscrypt-proxy/dnscrypt-proxy.service b/dnscrypt-proxy/dnscrypt-proxy.service
new file mode 100644
index 0000000..42bdf67
--- /dev/null
+++ b/dnscrypt-proxy/dnscrypt-proxy.service
@@ -0,0 +1,20 @@
+# Copyright (c) 2025 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+[Unit]
+Description=Encrypted/authenticated DNS proxy.
+ConditionFileIsExecutable=/usr/bin/dnscrypt-proxy
+
+[Service]
+StartLimitInterval=5
+StartLimitBurst=10
+ExecStart=/usr/bin/dnscrypt-proxy "-config" "/etc/dns/dnscrypt-proxy.toml"
+
+WorkingDirectory=/etc
+Restart=always
+
+RestartSec=120
+EnvironmentFile=-/etc/sysconfig/dnscrypt-proxy
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dnscrypt-proxy/dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
new file mode 100644
index 0000000..6ecd915
--- /dev/null
+++ b/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -0,0 +1,909 @@
+
+##############################################
+#                                            #
+#        dnscrypt-proxy configuration        #
+#                                            #
+##############################################
+
+## This is an example configuration file.
+## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
+##
+## Online documentation is available here: https://dnscrypt.info/doc
+
+
+
+##################################
+#         Global settings        #
+##################################
+
+## List of servers to use
+##
+## Servers from the "public-resolvers" source (see down below) can
+## be viewed here: https://dnscrypt.info/public-servers
+##
+## The proxy will automatically pick working servers from this list.
+## Note that the require_* filters do NOT apply when using this setting.
+##
+## By default, this list is empty and all registered servers matching the
+## require_* filters will be used instead.
+##
+## Remove the leading # first to enable this; lines starting with # are ignored.
+
+# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
+
+
+## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
+## Example with both IPv4 and IPv6:
+## listen_addresses = ['127.0.0.1:53', '[::1]:53']
+##
+## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
+## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
+
+listen_addresses = ['127.0.0.1:53']
+
+
+## Maximum number of simultaneous client connections to accept
+
+max_clients = 250
+
+
+## Switch to a different system user after listening sockets have been created.
+## Note (1): this feature is currently unsupported on Windows.
+## Note (2): this feature is not compatible with systemd socket activation.
+## Note (3): when using -pidfile, the PID file directory must be writable by the new user
+
+# user_name = 'nobody'
+
+
+## Require servers (from remote sources) to satisfy specific properties
+
+# Use servers reachable over IPv4
+ipv4_servers = true
+
+# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+ipv6_servers = false
+
+# Use servers implementing the DNSCrypt protocol
+dnscrypt_servers = true
+
+# Use servers implementing the DNS-over-HTTPS protocol
+doh_servers = true
+
+# Use servers implementing the Oblivious DoH protocol
+odoh_servers = false
+
+
+## Require servers defined by remote sources to satisfy specific properties
+
+# Server must support DNS security extensions (DNSSEC)
+require_dnssec = false
+
+# Server must not log user queries (declarative)
+require_nolog = true
+
+# Server must not enforce its own blocklist (for parental control, ads blocking...)
+require_nofilter = true
+
+# Server names to avoid even if they match all criteria
+disabled_server_names = []
+
+
+## Always use TCP to connect to upstream servers.
+## This can be useful if you need to route everything through Tor.
+## Otherwise, leave this to `false`, as it doesn't improve security
+## (dnscrypt-proxy will always encrypt everything even using UDP), and can
+## only increase latency.
+
+force_tcp = false
+
+
+## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
+## Note that, like DNSCrypt but unlike other HTTP versions, this uses
+## UDP and (usually) port 443 instead of TCP.
+
+http3 = false
+
+
+## SOCKS proxy
+## Uncomment the following line to route all TCP connections to a local Tor node
+## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
+
+# proxy = 'socks5://127.0.0.1:9050'
+
+
+## HTTP/HTTPS proxy
+## Only for DoH servers
+
+# http_proxy = 'http://127.0.0.1:8888'
+
+
+## How long a DNS query will wait for a response, in milliseconds.
+## If you have a network with *a lot* of latency, you may need to
+## increase this. Startup may be slower if you do so.
+## Don't increase it too much. 10000 is the highest reasonable value.
+## A timeout below 5000 is not recommended.
+
+timeout = 5000
+
+
+## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds
+
+keepalive = 30
+
+
+## Add EDNS-client-subnet information to outgoing queries
+##
+## Multiple networks can be listed; they will be randomly chosen.
+## These networks don't have to match your actual networks.
+
+# edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32']
+
+
+## Response for blocked queries. Options are `refused`, `hinfo` (default) or
+## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
+## Using the `hinfo` option means that some responses will be lies.
+## Unfortunately, the `hinfo` option appears to be required for Android 8+
+
+# blocked_query_response = 'refused'
+
+
+## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
+## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
+## The response quality still depends on the server itself.
+
+# lb_strategy = 'p2'
+
+## Set to `true` to constantly try to estimate the latency of all the resolvers
+## and adjust the load-balancing parameters accordingly, or to `false` to disable.
+## Default is `true` that makes 'p2' `lb_strategy` work well.
+
+# lb_estimator = true
+
+
+## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
+
+# log_level = 2
+
+
+## Log file for the application, as an alternative to sending logs to
+## the standard system logging service (syslog/Windows event log).
+##
+## This file is different from other log files, and will not be
+## automatically rotated by the application.
+
+# log_file = 'dnscrypt-proxy.log'
+
+
+## When using a log file, only keep logs from the most recent launch.
+
+# log_file_latest = true
+
+
+## Use the system logger (syslog on Unix, Event Log on Windows)
+
+# use_syslog = true
+
+
+## The maximum concurrency to reload certificates from the resolvers.
+## Default is 10.
+
+# cert_refresh_concurrency = 10
+
+
+## Delay, in minutes, after which certificates are reloaded
+
+cert_refresh_delay = 240
+
+
+## Initially don't check DNSCrypt server certificates for expiration, and
+## only start checking them after a first successful connection to a resolver.
+## This can be useful on routers with no battery-backed clock.
+
+# cert_ignore_timestamp = false
+
+
+## DNSCrypt: Create a new, unique key for every single DNS query
+## This may improve privacy but can also have a significant impact on CPU usage
+## Only enable if you don't have a lot of network load
+
+# dnscrypt_ephemeral_keys = false
+
+
+## DoH: Disable TLS session tickets - increases privacy but also latency
+
+# tls_disable_session_tickets = false
+
+
+## DoH: Use TLS 1.2 and specific cipher suite instead of the server preference
+## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+##
+## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
+## the following suite improves performance.
+## This may also help on Intel CPUs running 32-bit operating systems.
+##
+## Keep tls_cipher_suite empty if you have issues fetching sources or
+## connecting to some DoH servers.
+
+# tls_cipher_suite = [52392, 49199]
+
+
+## Log TLS key material to a file, for debugging purposes only.
+## This file will contain the TLS master key, which can be used to decrypt
+## all TLS traffic to/from DoH servers.
+## Never ever enable except for debugging purposes with a tool such as mitmproxy.
+
+# tls_key_log_file = '/tmp/keylog.txt'
+
+
+## Bootstrap resolvers
+##
+## These are normal, non-encrypted DNS resolvers, that will be only used
+## for one-shot queries when retrieving the initial resolvers list and if
+## the system DNS configuration doesn't work.
+##
+## No user queries will ever be leaked through these resolvers, and they will
+## not be used after IP addresses of DoH resolvers have been found (if you are
+## using DoH).
+##
+## They will never be used if lists have already been cached, and if the stamps
+## of the configured servers already include IP addresses (which is the case for
+## most of DoH servers, and for all DNSCrypt servers and relays).
+##
+## They will not be used if the configured system DNS works, or after the
+## proxy already has at least one usable secure resolver.
+##
+## Resolvers supporting DNSSEC are recommended, and, if you are using
+## DoH, bootstrap resolvers should ideally be operated by a different entity
+## than the DoH servers you will be using, especially if you have IPv6 enabled.
+##
+## People in China may want to use 114.114.114.114:53 here.
+## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
+##
+## If more than one resolver is specified, they will be tried in sequence.
+##
+## TL;DR: put valid standard resolver addresses here. Your actual queries will
+## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
+## lists are up to date, these resolvers will not even be used.
+
+bootstrap_resolvers = ['9.9.9.11:53', '8.8.8.8:53']
+
+
+## When internal DNS resolution is required, for example to retrieve
+## the resolvers list:
+##
+## - queries will be sent to dnscrypt-proxy itself, if it is already
+##   running with active servers (*)
+## - or else, queries will be sent to fallback servers
+## - finally, if `ignore_system_dns` is `false`, queries will be sent
+##   to the system DNS
+##
+## (*) this is incompatible with systemd sockets.
+## `listen_addrs` must not be empty.
+
+ignore_system_dns = true
+
+
+## Maximum time (in seconds) to wait for network connectivity before
+## initializing the proxy.
+## Useful if the proxy is automatically started at boot, and network
+## connectivity is not guaranteed to be immediately available.
+## Use 0 to not test for connectivity at all (not recommended),
+## and -1 to wait as much as possible.
+
+netprobe_timeout = 60
+
+## Address and port to try initializing a connection to, just to check
+## if the network is up. It can be any address and any port, even if
+## there is nothing answering these on the other side. Just don't use
+## a local address, as the goal is to check for Internet connectivity.
+## On Windows, a datagram with a single, nul byte will be sent, only
+## when the system starts.
+## On other operating systems, the connection will be initialized
+## but nothing will be sent at all.
+
+netprobe_address = '9.9.9.9:53'
+
+
+## Offline mode - Do not use any remote encrypted servers.
+## The proxy will remain fully functional to respond to queries that
+## plugins can handle directly (forwarding, cloaking, ...)
+
+# offline_mode = false
+
+
+## Additional data to attach to outgoing queries.
+## These strings will be added as TXT records to queries.
+## Do not use, except on servers explicitly asking for extra data
+## to be present.
+## encrypted-dns-server can be configured to use this for access control
+## in the [access_control] section
+
+# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
+
+
+## Automatic log files rotation
+
+# Maximum log files size in MB - Set to 0 for unlimited.
+log_files_max_size = 10
+
+# How long to keep backup files, in days
+log_files_max_age = 7
+
+# Maximum log files backups to keep (or 0 to keep all backups)
+log_files_max_backups = 1
+
+
+
+#########################
+#        Filters        #
+#########################
+
+## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
+## configure dnscrypt-proxy to do any kind of filtering (including the filters
+## below and blocklists).
+## You can still choose resolvers that do DNSSEC validation.
+
+
+## Immediately respond to IPv6-related queries with an empty response
+## This makes things faster when there is no IPv6 connectivity, but can
+## also cause reliability issues with some stub resolvers.
+
+block_ipv6 = false
+
+
+## Immediately respond to A and AAAA queries for host names without a domain name
+## This also prevents "dotless domain names" from being resolved upstream.
+
+block_unqualified = true
+
+
+## Immediately respond to queries for local zones instead of leaking them to
+## upstream resolvers (always causing errors or timeouts).
+
+block_undelegated = true
+
+
+## TTL for synthetic responses sent when a request has been blocked (due to
+## IPv6 or blocklists).
+
+reject_ttl = 10
+
+
+
+##################################################################################
+#        Route queries for specific domains to a dedicated set of servers        #
+##################################################################################
+
+## See the `example-forwarding-rules.txt` file for an example
+
+# forwarding_rules = 'forwarding-rules.txt'
+
+
+
+###############################
+#        Cloaking rules       #
+###############################
+
+## Cloaking returns a predefined address for a specific name.
+## In addition to acting as a HOSTS file, it can also return the IP address
+## of a different name. It will also do CNAME flattening.
+## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled
+## for cloaking rules that do not contain wild cards.
+##
+## See the `example-cloaking-rules.txt` file for an example
+
+# cloaking_rules = 'cloaking-rules.txt'
+
+## TTL used when serving entries in cloaking-rules.txt
+
+# cloak_ttl = 600
+# cloak_ptr = false
+
+
+
+###########################
+#        DNS cache        #
+###########################
+
+## Enable a DNS cache to reduce latency and outgoing traffic
+
+cache = true
+
+
+## Cache size
+
+cache_size = 4096
+
+
+## Minimum TTL for cached entries
+
+cache_min_ttl = 2400
+
+
+## Maximum TTL for cached entries
+
+cache_max_ttl = 86400
+
+
+## Minimum TTL for negatively cached entries
+
+cache_neg_min_ttl = 60
+
+
+## Maximum TTL for negatively cached entries
+
+cache_neg_max_ttl = 600
+
+
+
+########################################
+#        Captive portal handling       #
+########################################
+
+[captive_portals]
+
+## A file that contains a set of names used by operating systems to
+## check for connectivity and captive portals, along with hard-coded
+## IP addresses to return.
+
+# map_file = 'example-captive-portals.txt'
+
+
+
+##################################
+#        Local DoH server        #
+##################################
+
+[local_doh]
+
+## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
+## requiring a direct connection to a DoH server in order to enable some
+## features will enable these, without bypassing your DNS proxy.
+
+## Addresses that the local DoH server should listen to
+
+# listen_addresses = ['127.0.0.1:3000']
+
+
+## Path of the DoH URL. This is not a file, but the part after the hostname
+## in the URL. By convention, `/dns-query` is frequently chosen.
+## For each `listen_address` the complete URL to access the server will be:
+## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
+
+# path = '/dns-query'
+
+
+## Certificate file and key - Note that the certificate has to be trusted.
+## Can be generated using the following command:
+## openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 -keyout localhost.pem -out localhost.pem
+## See the documentation (wiki) for more information.
+
+# cert_file = 'localhost.pem'
+# cert_key_file = 'localhost.pem'
+
+
+
+###############################
+#        Query logging        #
+###############################
+
+## Log client queries to a file
+
+[query_log]
+
+## Path to the query log file (absolute, or relative to the same directory as the config file)
+## Can be set to /dev/stdout in order to log to the standard output.
+
+# file = 'query.log'
+
+
+## Query log format (currently supported: tsv and ltsv)
+
+format = 'tsv'
+
+
+## Do not log these query types, to reduce verbosity. Keep empty to log everything.
+
+# ignored_qtypes = ['DNSKEY', 'NS']
+
+
+
+############################################
+#        Suspicious queries logging        #
+############################################
+
+## Log queries for nonexistent zones
+## These queries can reveal the presence of malware, broken/obsolete applications,
+## and devices signaling their presence to 3rd parties.
+
+[nx_log]
+
+## Path to the query log file (absolute, or relative to the same directory as the config file)
+
+# file = 'nx.log'
+
+
+## Query log format (currently supported: tsv and ltsv)
+
+format = 'tsv'
+
+
+
+######################################################
+#        Pattern-based blocking (blocklists)         #
+######################################################
+
+## Blocklists are made of one pattern per line. Example of valid patterns:
+##
+##   example.com
+##   =example.com
+##   *sex*
+##   ads.*
+##   ads*.example.*
+##   ads*.example[0-9]*.com
+##
+## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
+## A script to build blocklists from public feeds can be found in the
+## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.
+
+[blocked_names]
+
+## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
+
+# blocked_names_file = 'blocked-names.txt'
+
+
+## Optional path to a file logging blocked queries
+
+# log_file = 'blocked-names.log'
+
+
+## Optional log format: tsv or ltsv (default: tsv)
+
+# log_format = 'tsv'
+
+
+
+###########################################################
+#        Pattern-based IP blocking (IP blocklists)        #
+###########################################################
+
+## IP blocklists are made of one pattern per line. Example of valid patterns:
+##
+##   127.*
+##   fe80:abcd:*
+##   192.168.1.4
+
+[blocked_ips]
+
+## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
+
+# blocked_ips_file = 'blocked-ips.txt'
+
+
+## Optional path to a file logging blocked queries
+
+# log_file = 'blocked-ips.log'
+
+
+## Optional log format: tsv or ltsv (default: tsv)
+
+# log_format = 'tsv'
+
+
+
+######################################################
+#   Pattern-based allow lists (blocklists bypass)    #
+######################################################
+
+## Allowlists support the same patterns as blocklists
+## If a name matches an allowlist entry, the corresponding session
+## will bypass names and IP filters.
+##
+## Time-based rules are also supported to make some websites only accessible at specific times of the day.
+
+[allowed_names]
+
+## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
+
+# allowed_names_file = 'allowed-names.txt'
+
+
+## Optional path to a file logging allowed queries
+
+# log_file = 'allowed-names.log'
+
+
+## Optional log format: tsv or ltsv (default: tsv)
+
+# log_format = 'tsv'
+
+
+
+#########################################################
+#   Pattern-based allowed IPs lists (blocklists bypass) #
+#########################################################
+
+## Allowed IP lists support the same patterns as IP blocklists
+## If an IP response matches an allowed entry, the corresponding session
+## will bypass IP filters.
+##
+## Time-based rules are also supported to make some websites only accessible at specific times of the day.
+
+[allowed_ips]
+
+## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
+
+# allowed_ips_file = 'allowed-ips.txt'
+
+
+## Optional path to a file logging allowed queries
+
+# log_file = 'allowed-ips.log'
+
+## Optional log format: tsv or ltsv (default: tsv)
+
+# log_format = 'tsv'
+
+
+
+##########################################
+#        Time access restrictions        #
+##########################################
+
+## One or more weekly schedules can be defined here.
+## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
+## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
+##
+## For example, the following rule in a blocklist file:
+## *.youtube.* @time-to-sleep
+## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
+##
+## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
+## {after= '9:00', before='18:00'} matches 9:00-18:00
+
+[schedules]
+
+  # [schedules.time-to-sleep]
+  #   mon = [{after='21:00', before='7:00'}]
+  #   tue = [{after='21:00', before='7:00'}]
+  #   wed = [{after='21:00', before='7:00'}]
+  #   thu = [{after='21:00', before='7:00'}]
+  #   fri = [{after='23:00', before='7:00'}]
+  #   sat = [{after='23:00', before='7:00'}]
+  #   sun = [{after='21:00', before='7:00'}]
+
+  # [schedules.work]
+  #   mon = [{after='9:00', before='18:00'}]
+  #   tue = [{after='9:00', before='18:00'}]
+  #   wed = [{after='9:00', before='18:00'}]
+  #   thu = [{after='9:00', before='18:00'}]
+  #   fri = [{after='9:00', before='17:00'}]
+
+
+
+#########################
+#        Servers        #
+#########################
+
+## Remote lists of available servers
+## Multiple sources can be used simultaneously, but every source
+## requires a dedicated cache file.
+##
+## Refer to the documentation for URLs of public sources.
+##
+## A prefix can be prepended to server names in order to
+## avoid collisions if different sources share the same for
+## different servers. In that case, names listed in `server_names`
+## must include the prefixes.
+##
+## If the `urls` property is missing, cache files and valid signatures
+## must already be present. This doesn't prevent these cache files from
+## expiring after `refresh_delay` hours.
+## `refreshed_delay` must be in the [24..168] interval.
+## The minimum delay of 24 hours (1 day) avoids unnecessary requests to servers.
+## The maximum delay of 168 hours (1 week) ensures cache freshness.
+
+[sources]
+
+  ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
+
+  [sources.public-resolvers]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
+    cache_file = 'public-resolvers.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 73
+    prefix = ''
+
+  ### Anonymized DNS relays
+
+  [sources.relays]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
+    cache_file = 'relays.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 73
+    prefix = ''
+
+  ### ODoH (Oblivious DoH) servers and relays
+
+  # [sources.odoh-servers]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
+  #   cache_file = 'odoh-servers.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  #   refresh_delay = 73
+  #   prefix = ''
+  # [sources.odoh-relays]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
+  #   cache_file = 'odoh-relays.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  #   refresh_delay = 73
+  #   prefix = ''
+
+  ### Quad9
+
+  # [sources.quad9-resolvers]
+  #   urls = ['https://www.quad9.net/quad9-resolvers.md']
+  #   minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
+  #   cache_file = 'quad9-resolvers.md'
+  #   prefix = 'quad9-'
+
+  ### Another example source, with resolvers censoring some websites not appropriate for children
+  ### This is a subset of the `public-resolvers` list, so enabling both is useless.
+
+  # [sources.parental-control]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']
+  #   cache_file = 'parental-control.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
+  ### dnscry.pt servers - See https://www.dnscry.pt
+
+  #  [sources.dnscry-pt-resolvers]
+  #    urls = ["https://www.dnscry.pt/resolvers.md"]
+  #    minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
+  #    cache_file = "dnscry.pt-resolvers.md"
+  #    refresh_delay = 73
+  #    prefix = "dnscry.pt-"
+
+
+#########################################
+#        Servers with known bugs        #
+#########################################
+
+[broken_implementations]
+
+## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
+## truncate responses larger than questions as expected by the DNSCrypt protocol.
+## This prevents large responses from being received over UDP and over relays.
+##
+## Older versions of the `dnsdist` server software had a bug with queries larger
+## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
+## some server may still run an outdated version.
+##
+## The list below enables workarounds to make non-relayed usage more reliable
+## until the servers are fixed.
+
+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cisco-sandbox', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
+
+
+
+#################################################################
+#        Certificate-based client authentication for DoH        #
+#################################################################
+
+## Use a X509 certificate to authenticate yourself when connecting to DoH servers.
+## This is only useful if you are operating your own, private DoH server(s).
+## 'creds' maps servers to certificates, and supports multiple entries.
+## If you are not using the standard root CA, an optional "root_ca"
+## property set to the path to a root CRT file can be added to a server entry.
+
+[doh_client_x509_auth]
+
+# creds = [
+#    { server_name='*', client_cert='client.crt', client_key='client.key' }
+# ]
+
+
+
+################################
+#        Anonymized DNS        #
+################################
+
+[anonymized_dns]
+
+## Routes are indirect ways to reach DNSCrypt servers.
+##
+## A route maps a server name ("server_name") to one or more relays that will be
+## used to connect to that server.
+##
+## A relay can be specified as a DNS Stamp (either a relay stamp, or a
+## DNSCrypt stamp) or a server name.
+##
+## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
+## and "example-server-2" via the relay whose relay DNS stamp is
+## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
+##
+## !!! THESE ARE JUST EXAMPLES !!!
+##
+## Review the list of available relays from the "relays.md" file, and, for each
+## server you want to use, define the relays you want connections to go through.
+##
+## Carefully choose relays and servers so that they are run by different entities.
+##
+## "server_name" can also be set to "*" to define a default route, for all servers:
+## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
+##
+## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
+## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
+##
+## Manual selection is always recommended over automatic selection, so that you can
+## select (relay,server) pairs that work well and fit your own criteria (close by or
+## in different countries, operated by different entities, on distinct ISPs...)
+
+# routes = [
+#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
+#    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
+# ]
+
+
+## Skip resolvers incompatible with anonymization instead of using them directly
+
+skip_incompatible = false
+
+
+## If public server certificates for a non-conformant server cannot be
+## retrieved via a relay, try getting them directly. Actual queries
+## will then always go through relays.
+
+# direct_cert_fallback = false
+
+
+
+###############################
+#            DNS64            #
+###############################
+
+## DNS64 is a mechanism for synthesizing AAAA records from A records.
+## It is used with an IPv6/IPv4 translator to enable client-server
+## communication between an IPv6-only client and an IPv4-only server,
+## without requiring any changes to either the IPv6 or the IPv4 node,
+## for the class of applications that work through NATs.
+##
+## There are two options to synthesize such records:
+## Option 1: Using a set of static IPv6 prefixes;
+## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
+##
+## If both options are configured - only static prefixes are used.
+## (Ref. RFC6147, RFC6052, RFC7050)
+##
+## Do not enable unless you know what DNS64 is and why you need it, or else
+## you won't be able to connect to anything at all.
+
+[dns64]
+
+## Static prefix(es) as Pref64::/n CIDRs
+
+# prefix = ['64:ff9b::/96']
+
+## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs
+## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
+## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
+## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
+
+# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
+
+
+
+########################################
+#            Static entries            #
+########################################
+
+## Optional, local, static list of additional servers
+## Mostly useful for testing your own servers.
+
+[static]
+
+  # [static.myserver]
+  #   stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
diff --git a/dnscrypt-proxy/resolv.conf b/dnscrypt-proxy/resolv.conf
new file mode 100644
index 0000000..12efe6d
--- /dev/null
+++ b/dnscrypt-proxy/resolv.conf
@@ -0,0 +1,2 @@
+nameserver 127.0.0.1
+options edns0
-- 
2.39.5


From de093b7d6fdecdaa3557c639ebe3c3ea67142bce Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sun, 23 Mar 2025 17:06:41 +0100
Subject: [PATCH 09/16] [dns] Run service as non-root.

---
 dnscrypt-proxy/dnscrypt-proxy.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnscrypt-proxy/dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
index 6ecd915..88fc917 100644
--- a/dnscrypt-proxy/dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -52,7 +52,7 @@ max_clients = 250
 ## Note (2): this feature is not compatible with systemd socket activation.
 ## Note (3): when using -pidfile, the PID file directory must be writable by the new user
 
-# user_name = 'nobody'
+user_name = 'dnscrypt-proxy'
 
 
 ## Require servers (from remote sources) to satisfy specific properties
-- 
2.39.5


From b998e793a9a064e6ce20c474e8d776d00f6dee37 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sun, 23 Mar 2025 17:06:57 +0100
Subject: [PATCH 10/16] [dns] Configure block list.

---
 dnscrypt-proxy/dnscrypt-proxy.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnscrypt-proxy/dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
index 88fc917..67850ee 100644
--- a/dnscrypt-proxy/dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -553,7 +553,7 @@ format = 'tsv'
 
 ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
 
-# blocked_names_file = 'blocked-names.txt'
+  blocked_names_file = '/etc/dns/blocked-names.txt'
 
 
 ## Optional path to a file logging blocked queries
-- 
2.39.5


From a1cc1b825a8309c2a888db64c85b2edb169335cb Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sun, 23 Mar 2025 17:22:40 +0100
Subject: [PATCH 11/16] [nginx][dns] Proxy DNS-over-TLS to dnscrypt-proxy.

---
 nginx/nginx.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 128c081..763fa2c 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -72,6 +72,7 @@ http {
     include /etc/nginx/sites-enabled/*;
 }
 
+include /etc/nginx/streams-enabled/*;
 
 #mail {
 #	# See sample authentication script at:
-- 
2.39.5


From eecd98332bcdf4affa468e0babd7ecb48edabbff Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sun, 23 Mar 2025 18:06:50 +0100
Subject: [PATCH 12/16] [dns] Use privacy-oriented upstream DNS servers.

---
 dnscrypt-proxy/dnscrypt-proxy.toml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dnscrypt-proxy/dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
index 67850ee..46a17f2 100644
--- a/dnscrypt-proxy/dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -56,6 +56,8 @@ user_name = 'dnscrypt-proxy'
 
 
 ## Require servers (from remote sources) to satisfy specific properties
+# https://hispagatos.org/post/dnscrypt-proxy-arch-tut
+server_names = ['dnscrypt.eu-nl', 'dnscrypt.uk-ipv4', 'ffmuc.net', 'meganerd', 'publicarray-au-doh', 'scaleway-ams', 'scaleway-fr', 'v.dnscrypt.uk-ipv4']
 
 # Use servers reachable over IPv4
 ipv4_servers = true
-- 
2.39.5


From ef5de92e030e7de799ea149b8a794bf662461681 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sun, 23 Mar 2025 18:07:42 +0100
Subject: [PATCH 13/16] [dns] Require DNSSEC.

---
 dnscrypt-proxy/dnscrypt-proxy.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnscrypt-proxy/dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
index 46a17f2..b0f880d 100644
--- a/dnscrypt-proxy/dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -78,7 +78,7 @@ odoh_servers = false
 ## Require servers defined by remote sources to satisfy specific properties
 
 # Server must support DNS security extensions (DNSSEC)
-require_dnssec = false
+require_dnssec = true
 
 # Server must not log user queries (declarative)
 require_nolog = true
-- 
2.39.5


From 0ad7aa949535081c0ee726074d5baf068a6ea266 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sun, 23 Mar 2025 19:06:18 +0100
Subject: [PATCH 14/16] [dns] Add file for generating a domain blocklist.

---
 dnscrypt-proxy/domains-blocklist.txt | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 dnscrypt-proxy/domains-blocklist.txt

diff --git a/dnscrypt-proxy/domains-blocklist.txt b/dnscrypt-proxy/domains-blocklist.txt
new file mode 100644
index 0000000..17e944f
--- /dev/null
+++ b/dnscrypt-proxy/domains-blocklist.txt
@@ -0,0 +1,2 @@
+file:/tmp/blacklist.txt
+https://dblw.oisd.nl/
-- 
2.39.5


From 7e27d3c6b44d89eb4f78fdfdcbfaff45af625a1a Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sat, 29 Mar 2025 15:25:08 +0100
Subject: [PATCH 15/16] [dns] Listen for external connections.

This is required for MacOS.
---
 dnscrypt-proxy/dnscrypt-proxy.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnscrypt-proxy/dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
index b0f880d..cb000cc 100644
--- a/dnscrypt-proxy/dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -39,7 +39,7 @@
 ## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
 ## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
 
-listen_addresses = ['127.0.0.1:53']
+listen_addresses = ['0.0.0.0:53']
 
 
 ## Maximum number of simultaneous client connections to accept
-- 
2.39.5


From f297de33639a7be77a833dea964946b4551919b1 Mon Sep 17 00:00:00 2001
From: Jakub Czajka <jakub@ekhem.eu.org>
Date: Sun, 30 Mar 2025 11:59:18 +0200
Subject: [PATCH 16/16] [dns] Add schedule for sleep time.

---
 dnscrypt-proxy/dnscrypt-proxy.toml | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/dnscrypt-proxy/dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
index cb000cc..4cbe846 100644
--- a/dnscrypt-proxy/dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -669,14 +669,16 @@ format = 'tsv'
 
 [schedules]
 
-  # [schedules.time-to-sleep]
-  #   mon = [{after='21:00', before='7:00'}]
-  #   tue = [{after='21:00', before='7:00'}]
-  #   wed = [{after='21:00', before='7:00'}]
-  #   thu = [{after='21:00', before='7:00'}]
-  #   fri = [{after='23:00', before='7:00'}]
-  #   sat = [{after='23:00', before='7:00'}]
-  #   sun = [{after='21:00', before='7:00'}]
+
+## The server operates in the UTC time.
+  [schedules.time-to-sleep]
+    mon = [{after='21:00', before='5:00'}]
+    tue = [{after='21:00', before='5:00'}]
+    wed = [{after='21:00', before='5:00'}]
+    thu = [{after='21:00', before='5:00'}]
+    fri = [{after='21:00', before='5:00'}]
+    sat = [{after='21:00', before='5:00'}]
+    sun = [{after='21:00', before='5:00'}]
 
   # [schedules.work]
   #   mon = [{after='9:00', before='18:00'}]
-- 
2.39.5