40 lines
1009 B
Nix
40 lines
1009 B
Nix
{ config, lib, options, ... }:
|
|
let
|
|
# Targets the custom options we created
|
|
cfg = config.my.dns;
|
|
|
|
# Feature detection
|
|
hasSettings = options.services.resolved ? settings;
|
|
in
|
|
{
|
|
options.my.dns = {
|
|
enable = lib.mkEnableOption "custom DNS setup with Cloudflare and LibreDNS";
|
|
|
|
strictDNSSEC = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = "If true, enforces strict DNSSEC. If false, uses allow-downgrade.";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
networking.nameservers = [
|
|
"116.202.176.26#dot.libredns.gr"
|
|
"1.1.1.1#cloudflare-dns.com"
|
|
"1.0.0.1#cloudflare-dns.com"
|
|
];
|
|
|
|
services.resolved = if hasSettings then {
|
|
enable = true;
|
|
settings.Resolve = {
|
|
DNSOverTLS = "yes";
|
|
DNSSEC = if cfg.strictDNSSEC then "yes" else "allow-downgrade";
|
|
};
|
|
} else {
|
|
enable = true;
|
|
dnsovertls = "true";
|
|
dnssec = if cfg.strictDNSSEC then "true" else "allow-downgrade";
|
|
};
|
|
};
|
|
}
|