From f5882396e3a142fb6f07e8d9295ab827c9b4fb18 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sat, 25 Nov 2023 09:19:31 +0100
Subject: [PATCH] sj-vps-htz0,containers/dns: remove IPv6, opportunistic TLS

---
 nix/os/devices/sj-vps-htz0/system.nix | 16 ++++-----------
 nix/os/profiles/containers/configuration.nix | 13 +-----------
 nix/os/snippets/systemd-resolved.nix | 21 ++++++++++++++++++++
 3 files changed, 26 insertions(+), 24 deletions(-)
 create mode 100644 nix/os/snippets/systemd-resolved.nix

diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix
index 35a196e..bf1389e 100644
--- a/nix/os/devices/sj-vps-htz0/system.nix
+++ b/nix/os/devices/sj-vps-htz0/system.nix
@@ -8,6 +8,10 @@
 }: let
 wireguardPort = 51820;
 in {
+ imports = [
+ ../../snippets/systemd-resolved.nix
+ ];
+
 networking.firewall.enable = true;
 networking.nftables.enable = true;
 
@@ -47,18 +51,6 @@ in {
 interface = "eth0";
 };
 
- networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
-
- services.resolved = {
- enable = true;
- dnssec = "true";
- domains = ["~."];
- fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
- extraConfig = ''
- DNSOverTLS=yes
- '';
- };
-
 networking.nat = {
 enable = true;
 internalInterfaces = ["ve-*" "wg*"];
diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix
index edf3974..7462c08 100644
--- a/nix/os/profiles/containers/configuration.nix
+++ b/nix/os/profiles/containers/configuration.nix
@@ -1,19 +1,8 @@
 {...}: {
 networking.useHostResolvConf = false;
 
- networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
-
- services.resolved = {
- enable = true;
- dnssec = "true";
- domains = ["~."];
- fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
- extraConfig = ''
- DNSOverTLS=yes
- '';
- };
-
 imports = [
+ ../../snippets/systemd-resolved.nix
 # ../../modules/ddclient-ovh.nix
 # ../../modules/ddclient-hetzner.nix
 ];
diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix
new file mode 100644
index 0000000..57dfb86
--- /dev/null
+++ b/nix/os/snippets/systemd-resolved.nix
@@ -0,0 +1,21 @@
+{
+ networking.nameservers = [
+ # https://dnsforge.de/
+ "176.9.93.198"
+ "176.9.1.117"
+
+ # TODO: enable IPv6
+ # "2a01:4f8:151:34aa::198"
+ # "2a01:4f8:141:316d::117"
+ ];
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = ["~."];
+ extraConfig = ''
+ # TODO: figure out why "true" doesn't work
+ DNSOverTLS=opportunistic
+ '';
+ };
+}
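Review bot: `DNSOverTLS=opportunistic` in the new snippet's `extraConfig` gives no downgrade protection — resolved falls back to plaintext port 53 whenever the TLS attempt fails, and as far as I recall the server certificate is only validated in strict mode — so the host and every container importing this file now get weaker DNS transport than the two removed `DNSOverTLS=yes` blocks provided. The likely cause of the TODO above it is visible in the same hunk: the new `networking.nameservers` entries are bare IPs, whereas the removed entries used the `address#server_name` form that resolved uses for SNI and for certificate validation; without a name the certificate is matched against the IP, which typically fails. Restoring that form, e.g. `"176.9.93.198#<DoT-hostname-from-dnsforge-page>"` (placeholder: the provider's published DoT name), should let `DNSOverTLS=yes` work again. If opportunistic mode is kept on purpose, the comment should state the accepted downgrade risk rather than read as a temporary workaround, e.g. `# opportunistic: falls back to plaintext DNS if TLS fails; no active-attacker protection`.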