authorKenny Ballou <kb@devnulllabs.io>2021-07-23 11:36:49 -0600
committerKenny Ballou <kb@devnulllabs.io>2021-07-23 11:39:30 -0600
commit5a26ebf03cb3a3a2f16b2dc182c65424554870ba (patch)
tree7380a712fa7ebe339916ad7029e3b64e6c16e97e
parent1f00d242d279e650edc5309bf0d3874b3534570b (diff)
configure systemd-resolved with DoT
Disable networkmanager from writing `/etc/resolv.conf` and use configured DNS servers with DNS over TLS. Prune down list of nameservers as Level3 and OpenDNS do not currently support DoT. Signed-off-by: Kenny Ballou <kb@devnulllabs.io>
-rw-r--r--daeva/configuration.nix5
-rw-r--r--daeva/nftables-rules.nft2
-rw-r--r--eligos/nftables-rules.nft2
-rw-r--r--services/networkmanager.nix10
-rw-r--r--services/resolved.nix21
-rw-r--r--system/networking.nix15
6 files changed, 43 insertions, 12 deletions
diff --git a/daeva/configuration.nix b/daeva/configuration.nix
index fa0a9b1..f3a8481 100644
--- a/daeva/configuration.nix
+++ b/daeva/configuration.nix
@@ -14,11 +14,12 @@
../secrets.nix
../services/clamav.nix
../services/dbus.nix
- ../services/dnsmasq.nix
+ ../services/resolved.nix
../services/firewall.nix
../services/kde.nix
../services/haveged.nix
../services/logind.nix
+ ../services/networkmanager.nix
../services/podman.nix
../services/printing.nix
../services/sound.nix
@@ -42,7 +43,7 @@
../system/wireshark.nix
../system/yubikey-gpg.nix
../unfree.nix
- ];
+ ];
# Use the GRUB 2 boot loader.
boot.loader.systemd-boot = {
diff --git a/daeva/nftables-rules.nft b/daeva/nftables-rules.nft
index 43234cd..0bc9d54 100644
--- a/daeva/nftables-rules.nft
+++ b/daeva/nftables-rules.nft
@@ -30,6 +30,8 @@ table inet filter {
icmp type echo-request counter accept
icmp type echo-reply counter accept
udp dport domain counter accept
+ tcp dport domain-s counter accept
+ udp dport domain-s counter accept
tcp dport http counter accept
tcp dport https counter accept
udp dport https counter accept
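Review bot: The new `udp dport domain-s counter accept` rule has no consumer: DNS over TLS (RFC 7858, which is what resolved's `DNSOverTLS=yes` speaks) runs only over TCP 853, while UDP 853 is DNS over DTLS/QUIC, which resolved does not implement. Keep `tcp dport domain-s counter accept` and drop the UDP line, or add a comment stating why 853/udp is opened, e.g. `# 853/udp: DNS over DTLS/QUIC — not used by resolved`. The chain these rules belong to starts above the hunk, so I cannot tell whether this is the output or the input direction; if it is input, a DoT client needs neither 853 rule. It is also worth checking whether anything still needs the pre-existing plaintext `udp dport domain` accept once resolved is in strict DoT mode.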
diff --git a/eligos/nftables-rules.nft b/eligos/nftables-rules.nft
index c26071e..d051a6d 100644
--- a/eligos/nftables-rules.nft
+++ b/eligos/nftables-rules.nft
@@ -39,6 +39,8 @@ table inet filter {
iif lo oif lo counter accept
ip saddr 127.0.0.1 ip daddr 127.0.0.1/8 counter accept
udp dport domain counter accept
+ tcp dport domain-s counter accept
+ udp dport domain-s counter accept
tcp dport http counter accept
tcp dport https counter accept
tcp dport ssh counter accept
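Review bot: `udp dport domain-s counter accept` opens UDP 853, which DNS over TLS does not use (RFC 7858 is TCP-only), so only the `tcp dport domain-s counter accept` line is needed for resolved's DoT; drop the UDP rule or comment what is expected to use it. The diffstat shows only `daeva/configuration.nix` changing in this commit, so unless eligos already imports a resolved/DoT configuration these rules currently have no consumer on that host; either pair them with the corresponding resolved change or note in a comment why eligos opens 853. The enclosing chain starts above the hunk, so the direction (input vs. output) is not visible here.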
diff --git a/services/networkmanager.nix b/services/networkmanager.nix
index a12d271..b7e526d 100644
--- a/services/networkmanager.nix
+++ b/services/networkmanager.nix
@@ -2,14 +2,6 @@
{
networking.networkmanager = {
enable = true;
- # dnsmasq will handle this...
- dns = "none";
- appendNameservers = [
- "1.1.1.1"
- "1.0.0.1"
- "9.9.9.9"
- "208.67.222.222"
- "208.67.220.220"
- ];
+ dns = "systemd-resolved";
};
}
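Review bot: Switching `dns` from `"none"` to `"systemd-resolved"` means NetworkManager now installs DHCP- and RA-learned resolvers as per-link servers in resolved, and the global `DNSOverTLS=yes` applies to those links as well; a LAN router or ISP resolver that does not speak DoT will then fail the TLS handshake, and strict mode does not fall back to plaintext, which is presumably not intended given the commit trimmed the static list to DoT-capable providers. If the static list is meant to be the only upstream, set `ipv4.ignore-auto-dns=yes` and `ipv6.ignore-auto-dns=yes` on the connection profiles (for example as `[connection]` defaults via `networking.networkmanager.extraConfig`, if this NixOS release supports that) so per-link servers are not pushed. A one-line comment explaining why the `appendNameservers` list was dropped would also help, e.g. `# resolved owns /etc/resolv.conf and speaks DoT; upstreams are set in system/networking.nix`.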
diff --git a/services/resolved.nix b/services/resolved.nix
new file mode 100644
index 0000000..49021c4
--- /dev/null
+++ b/services/resolved.nix
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+ services.resolved = {
+ enable = true;
+ domains = [];
+ fallbackDns = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
+ "8.8.8.8#dns.google"
+ "8.8.4.4#dns.google"
+ "2606:4700:4700::1111#one.one.one.one"
+ "2606:4700:4700::1001#one.one.one.one"
+ "2620:fe::fe#quad9.net"
+ "2620:fe::9#quad9.net"
+ ];
+ extraConfig = ''
+ DNSOverTLS=yes
+ '';
+ };
+}
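Review bot: The two Quad9 IPv6 entries use `quad9.net` as their `#name` suffix (`2620:fe::fe#quad9.net`, `2620:fe::9#quad9.net`) while the IPv4 entry uses `dns.quad9.net`; with `DNSOverTLS=yes` (strict) resolved uses that suffix for SNI and certificate validation, so if Quad9's certificate is not issued for the bare domain those two servers will fail the handshake rather than fall back. Make them consistent with the IPv4 entry: `"2620:fe::fe#dns.quad9.net"` and `"2620:fe::9#dns.quad9.net"`. `fallbackDns` also repeats the exact list that `networking.nameservers` installs as `DNS=`, so there is no distinct fallback set; either keep that deliberately and say so, or drop it. A header comment would help the next reader, e.g. `# DNSOverTLS=yes is strict: no plaintext fallback; the #name suffix is the SNI / certificate name resolved validates`.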
diff --git a/system/networking.nix b/system/networking.nix
index 0d7afbe..cb37897 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -1,4 +1,17 @@
{ config, ... }:
{
- networking.networkmanager.enable = true;
+ networking = {
+ nameservers = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
+ "8.8.8.8#dns.google"
+ "8.8.4.4#dns.google"
+ "2606:4700:4700::1111#one.one.one.one"
+ "2606:4700:4700::1001#one.one.one.one"
+ "2620:fe::fe#quad9.net"
+ "2620:fe::9#quad9.net"
+ ];
+ networkmanager.enable = true;
+ };
}
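Review bot: The `#name` suffix on the two Quad9 IPv6 entries (`2620:fe::fe#quad9.net`, `2620:fe::9#quad9.net`) differs from the IPv4 entry's `dns.quad9.net`; these entries become resolved's global `DNS=` list, and under strict DoT the suffix is the name the server certificate is checked against, so a name the certificate does not cover leaves those servers unusable. Use `"2620:fe::fe#dns.quad9.net"` and `"2620:fe::9#dns.quad9.net"` so all four Quad9 entries validate the same way. The list is identical to `services.resolved.fallbackDns`, so a short comment stating which one is authoritative, e.g. `# Primary resolvers (resolved DNS=); services/resolved.nix carries the fallback set`, would keep the two from drifting apart.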