{ config, lib, pkgs, ...}: with lib; let cfg = config.services.stubby; fallbacks = concatMapStringsSep "\n " (x: "- ${x}") cfg.fallbackProtocols; listeners = concatMapStringsSep "\n " (x: "- ${x}") cfg.listenAddresses; # By default, the recursive resolvers maintained by the getdns # project itself are enabled. More information about both getdns's servers, # as well as third party options for upstream resolvers, can be found here: # https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers # # You can override these values by supplying a yaml-formatted array of your # preferred upstream resolvers in the following format: # # 106 # - address_data: IPv4 or IPv6 address of the upstream # port: Port for UDP/TCP (default is 53) # tls_auth_name: Authentication domain name checked against the server # certificate # tls_pubkey_pinset: An SPKI pinset verified against the keys in the server # certificate # - digest: Only "sha256" is currently supported # value: Base64 encoded value of the sha256 fingerprint of the public # key # tls_port: Port for TLS (default is 853) defaultUpstream = '' - address_data: 145.100.185.15 tls_auth_name: "dnsovertls.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= - address_data: 145.100.185.16 tls_auth_name: "dnsovertls1.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= - address_data: 185.49.141.37 tls_auth_name: "getdnsapi.net" tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= - address_data: 2001:610:1:40ba:145:100:185:15 tls_auth_name: "dnsovertls.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= - address_data: 2001:610:1:40ba:145:100:185:16 tls_auth_name: "dnsovertls1.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= - address_data: 2a04:b900:0:100::38 tls_auth_name: "getdnsapi.net" tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ''; # Resolution type is not changeable here because it is required per the # stubby documentation: # # "resolution_type: Work in stub mode only (not recursive mode) - required for Stubby # operation." # # https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby confFile = pkgs.writeText "stubby.yml" '' resolution_type: GETDNS_RESOLUTION_STUB dns_transport_list: ${fallbacks} tls_authentication: ${cfg.authenticationMode} tls_query_padding_blocksize: ${toString cfg.queryPaddingBlocksize} edns_client_subnet_private: ${if cfg.subnetPrivate then "1" else "0"} idle_timeout: ${toString cfg.idleTimeout} listen_addresses: ${listeners} round_robin_upstreams: ${if cfg.roundRobinUpstreams then "1" else "0"} ${cfg.extraConfig} upstream_recursive_servers: ${cfg.upstreamServers} ''; in { options = { services.stubby = { enable = mkEnableOption "Stubby DNS resolver"; fallbackProtocols = mkOption { default = [ "GETDNS_TRANSPORT_TLS" ]; type = with types; listOf (enum [ "GETDNS_TRANSPORT_TLS" "GETDNS_TRANSPORT_TCP" "GETDNS_TRANSPORT_UDP" ]); description = '' Ordered list composed of one or more transport protocols. Strict mode should only use GETDNS_TRANSPORT_TLS. Other options are GETDNS_TRANSPORT_UDP and GETDNS_TRANSPORT_TCP. ''; }; authenticationMode = mkOption { default = "GETDNS_AUTHENTICATION_REQUIRED"; type = types.enum [ "GETDNS_AUTHENTICATION_REQUIRED" "GETDNS_AUTHENTICATION_NONE" ]; description = '' Selects the Strict or Opportunistic usage profile. For strict, set to GETDNS_AUTHENTICATION_REQUIRED. for opportunistic, use GETDNS_AUTHENTICATION_NONE. ''; }; queryPaddingBlocksize = mkOption { default = 128; type = types.int; description = '' EDNS0 option to pad the size of the DNS query to the given blocksize. ''; }; subnetPrivate = mkOption { default = true; type = types.bool; description = '' EDNS0 option for ECS client privacy. Default is true. If set, this option prevents the client subnet from being sent to authoritative nameservers. ''; }; idleTimeout = mkOption { default = 10000; type = types.int; description = "EDNS0 option for keepalive idle timeout expressed in milliseconds."; }; listenAddresses = mkOption { default = [ "127.0.0.1" "0::1" ]; type = with types; listOf str; description = '' Sets the listen address for the stubby daemon. Uses port 53 by default. Ise IP@port to specify a different port. ''; }; roundRobinUpstreams = mkOption { default = true; type = types.bool; description = '' Instructs stubby to distribute queries across all available name servers. Default is true. Set to false in order to use the first available. ''; }; upstreamServers = mkOption { default = defaultUpstream; type = types.lines; description = '' Replace default upstreams. See stubby 1 for an example of the entry formatting. In Strict mode, at least one of the following settings must be supplied for each nameserver: tls_auth_name or tls_pubkey_pinset. ''; }; debugLogging = mkOption { default = false; type = types.bool; description = "Enable or disable debug level logging."; }; extraConfig = mkOption { default = ""; type = types.lines; description = '' Add additional configuration options. see stubby1 for more options. ''; }; }; }; config = mkIf cfg.enable { environment.systemPackages = [ pkgs.stubby ]; systemd.services.stubby = { description = "Stubby local DNS resolver"; after = [ "network.target" ]; before = [ "nss-lookup.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { AmbientCapabilities = "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}"; DynamicUser = true; }; }; }; }