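# NixOS module for the "dnscache" host: an unbound resolver that forwards the
# root zone to Quad9 and Cloudflare over DNS-over-TLS (port 853) and forwards
# DN42 zones to DN42 resolvers, packaged as a Proxmox/LXC container image
# (boot.isContainer, no bootloader). Host metrics and unbound statistics are
# shipped to a collectd endpoint.
#
# NOTE(review): every IPv4 literal on this page reads as "" (redacted), so the
# interface address, default gateway, several access-control entries and the
# IPv4 forwarders are incomplete as written and must be restored before this
# module is deployed.
{ config, pkgs, lib, ... }:

{
  imports = [ ];

  # Nix daemon settings inside the container. The build sandbox is disabled
  # (presumably because the container runtime does not allow the namespaces
  # it needs -- confirm); the job count is only a default a later module may
  # override.
  nix.useSandbox = false;
  nix.maxJobs = lib.mkDefault 4;

  # Container boot: no kernel or bootloader is managed here. The NixOS init
  # script is exposed as /sbin/init (see system.extraSystemBuilderCmds) so the
  # container runtime can exec it directly.
  boot.isContainer = true;
  # /sbin/init
  boot.loader.initScript.enable = true;
  boot.loader.grub.enable = false;
  #boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];

  # The root filesystem is supplied by the container runtime.
  fileSystems."/" = {
    fsType = "rootfs";
    device = "rootfs";
  };

  networking.hostName = "dnscache"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # Static IPv4 via systemd-networkd; the address and gateway are redacted on
  # this page. systemd-resolved is turned off, leaving unbound as the only
  # resolver on the host.
  networking.useNetworkd = true;
  networking.useDHCP = false;
  networking.interfaces.eth0.ipv4.addresses = [ {
    address = "";
    prefixLength = 26;
  } ];
  networking.defaultGateway = "";
  services.resolved.enable = false;

  # Set your time zone.
  time.timeZone = "Europe/Berlin";

  # Select internationalisation properties.
  i18n = {
    defaultLocale = "en_US.UTF-8";
    supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    wget vim traceroute tcpdump bind
  ];

  # Create a few files early before packing tarball for Proxmox
  # architecture/OS detection.
  system.extraSystemBuilderCmds = ''
    mkdir -m 0755 -p $out/bin
    ln -s ${pkgs.bash}/bin/bash $out/bin/sh
    mkdir -m 0755 -p $out/sbin
    ln -s ../init $out/sbin/init
  '';

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.09"; # Did you read the comment?

  # DNS (53/udp+tcp) and SSH (22/tcp) are reachable from any source address;
  # who may actually recurse is decided by unbound's access-control list
  # (services.unbound.allowedAccess below), not by the firewall.
  networking.firewall.allowedUDPPorts = [ 53 ];
  networking.firewall.allowedTCPPorts = [ 22 53 ];

  # For NixOps:
  # NOTE(review): "yes" also allows root to log in with a password. If NixOps
  # only ever uses keys here, "prohibit-password" is the tighter equivalent.
  services.openssh = {
    enable = true;
    permitRootLogin = "yes";
  };

  services.unbound = {
    enable = true;

    # Listen on all IPv6 addresses and on the (redacted) IPv4 wildcard.
    interfaces = [ "" "::0" ];

    # Clients allowed to recurse. The bare "::" entries and the "" entries
    # look truncated by the same redaction as the IPv4 literals elsewhere on
    # this page -- restore them before deploying.
    allowedAccess = [
      "fd23:42:c3d2:500::/56"
      "2a02:8106:208:5200::/56"
      "2a02:8106:211:e900::/56"
      "::" "::" "::1/128"
      "" "" "" ""
    ];

    # Upstreams for the "." forward zone the unbound module generates. Syntax
    # is "address@port#authname": the "#authname" makes unbound verify the
    # upstream's TLS certificate against tls-cert-bundle (set in extraConfig);
    # without it the TLS session is encrypted but not authenticated. The
    # redacted IPv4 entries should get "@853#<authname>" when restored.
    #
    # The last entry carries "\n forward-ssl-upstream: yes" inside the address
    # string so that directive lands inside the module-generated forward zone;
    # extraConfig cannot reach that zone because the module appends the forward
    # zone after extraConfig (presumably -- confirm against the module version
    # in use). Fragile, but the only hook the 19.09 module offers.
    forwardAddresses = [
      # Quad9
      "" #dns.quad9.net
      "2620:fe::fe@853#dns.quad9.net"
      "" #dns.quad9.net
      "2620:fe::9@853#dns.quad9.net"
      # Cloudflare DNS
      "" #cloudflare-dns.com
      "2606:4700:4700::1111@853#cloudflare-dns.com"
      "" #cloudflare-dns.com
      "2606:4700:4700::1001@853#cloudflare-dns.com\n forward-ssl-upstream: yes"
    ];

    # Raw unbound.conf fragments appended to the module's own server: section.
    #  - tls-cert-bundle: CA store used to authenticate the DoT upstreams
    #    above (the system CA bundle NixOS writes to /etc/ssl/certs; unbound
    #    reads it before dropping privileges and chrooting).
    #  - domain-insecure: skip DNSSEC validation for the DN42 zones, which are
    #    not signed under the public root.
    #  - local-zone ... nodefault: lift unbound's built-in blocking of the
    #    RFC 1918 / ULA reverse zones so they can be forwarded.
    #  - remote-control: control-interface is left at its default, so the
    #    control channel is localhost-only (127.0.0.1 / ::1). Nothing in this
    #    module generates the key/cert files -- presumably created once with
    #    unbound-control-setup; confirm they exist and are readable.
    #  - forward-zone (DN42): plain, unencrypted forwarding; the forwarder
    #    addresses are redacted on this page.
    extraConfig = ''
      server:
        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
        domain-insecure: "dn42"
        domain-insecure: "20.172.in-addr.arpa"
        domain-insecure: "21.172.in-addr.arpa"
        domain-insecure: "22.172.in-addr.arpa"
        domain-insecure: "23.172.in-addr.arpa"
        domain-insecure: "d.f.ip6.arpa"
        domain-insecure: "ffdd"
        domain-insecure: "200.10.in-addr.arpa"
        local-zone: "20.172.in-addr.arpa." nodefault
        local-zone: "21.172.in-addr.arpa." nodefault
        local-zone: "22.172.in-addr.arpa." nodefault
        local-zone: "23.172.in-addr.arpa." nodefault
        local-zone: "d.f.ip6.arpa." nodefault
        local-zone: "ffdd." nodefault
        local-zone: "200.10.in-addr.arpa." nodefault

      remote-control:
        control-enable: yes
        server-key-file: /var/lib/unbound/unbound_server.key
        server-cert-file: /var/lib/unbound/unbound_server.pem
        control-key-file: /var/lib/unbound/unbound_control.key
        control-cert-file: /var/lib/unbound/unbound_control.pem

      forward-zone:
        name: "dn42"
        forward-addr:
      forward-zone:
        name: "20.172.in-addr.arpa"
        forward-addr:
      forward-zone:
        name: "21.172.in-addr.arpa"
        forward-addr:
      forward-zone:
        name: "22.172.in-addr.arpa"
        forward-addr:
      forward-zone:
        name: "23.172.in-addr.arpa"
        forward-addr:
      forward-zone:
        name: "d.f.ip6.arpa"
        forward-addr:
      forward-zone:
        name: "ffdd"
        forward-addr:
        forward-addr:
      forward-zone:
        name: "200.10.in-addr.arpa"
        forward-addr:
        forward-addr:
    '';
  };

  services.collectd = {
    enable = true;
    autoLoadPlugin = true;
    plugins = {
      cpu = "";
      memory = "";
      interface = "";
      load = "";

      # unbound statistics via the exec plugin. The Ruby script runs as user
      # "collectd" (first argument of Exec) and every 10 s pulls
      # `unbound-control stats_noreset`, keeping only the "total.*" counters.
      # Counters whose name ends in .avg/.median/.max/.min are emitted as
      # gauges, everything else as integer derive values, in collectd PUTVAL
      # format under "dnscache/unbound/<type>-<name>".
      #
      # $stdout.sync is enabled because the script's stdout is a pipe to
      # collectd; without it Ruby buffers the PUTVAL lines and they only reach
      # collectd on the next flush rather than as they are produced.
      #
      # NOTE(review): the script resolves unbound-control through the system
      # profile (/run/current-system/sw/bin); that works only if the unbound
      # module (or systemPackages) installs it there. builtins.toFile cannot
      # reference ${pkgs.unbound}, so switching to pkgs.writeText would be
      # needed to pin the store path instead. The collectd user also needs
      # read access to the control key/cert files in /var/lib/unbound --
      # confirm.
      exec = let
        unboundScript = builtins.toFile "unbound.rb" ''
          $stdout.sync = true
          loop do
            `/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset`
              .lines
              .filter { |l| l =~ /^total\./ }
              .each { |l|
                if l =~ /total\.(.+?)=([\d\.]+)/
                  name = $1
                  value = $2.to_f
                  if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/
                    ty = "gauge"
                  else
                    ty = "derive"
                    value = value.to_i
                  end
                  puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
                end
              }
            sleep 10
          end
        '';
      in ''
        Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
      '';

      # Ship metrics to the central collectd receiver. No SecurityLevel is
      # configured, so collectd's network plugin sends them as unsigned,
      # unencrypted UDP.
      network = ''
        Server "grafana.hq.c3d2.de" "25826"
      '';
    };

    # Matches the 10 s poll interval of the exec script above.
    extraConfig = ''
      Interval 10
    '';
  };
}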