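# NixOS configuration for the "dnscache" container: a recursive resolver
# (unbound) for the local dn42/ffdd networks that forwards everything else to
# public upstreams on port 853 (DNS over TLS), plus collectd metrics export.
#
# Hostname, addresses, time zone and locale are fixed for this one host; the
# container is packed as a tarball for Proxmox (see extraSystemBuilderCmds).
{ config, pkgs, lib, ... }:

{
  imports = [ ];

  # Builds on this host run unsandboxed. Presumably the container cannot
  # create the namespaces the sandbox needs -- confirm before re-enabling.
  nix.useSandbox = false;
  nix.maxJobs = lib.mkDefault 4;

  boot.isContainer = true;
  # /sbin/init
  boot.loader.initScript.enable = true;
  boot.loader.grub.enable = false;
  #boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];

  fileSystems."/" = {
    fsType = "rootfs";
    device = "rootfs";
  };

  networking.hostName = "dnscache"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  networking.useNetworkd = true;
  networking.useDHCP = false;
  networking.interfaces.eth0.ipv4.addresses = [ {
    address = "172.20.73.8";
    prefixLength = 26;
  } ];
  networking.defaultGateway = "172.20.73.1";
  # resolved is off; the host resolves through its own unbound first
  # (172.20.73.8 is this container's address), then the listed fallbacks.
  services.resolved.enable = false;
  networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];

  # Set your time zone.
  time.timeZone = "Europe/Berlin";

  # Select internationalisation properties.
  i18n = {
    defaultLocale = "en_US.UTF-8";
    supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    wget vim traceroute tcpdump bind
  ];

  # Create a few files early before packing tarball for Proxmox
  # architecture/OS detection.
  system.extraSystemBuilderCmds = ''
    mkdir -m 0755 -p $out/bin
    ln -s ${pkgs.bash}/bin/bash $out/bin/sh
    mkdir -m 0755 -p $out/sbin
    ln -s ../init $out/sbin/init
  '';

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.09"; # Did you read the comment?

  # The firewall opens DNS and SSH towards every peer that can reach eth0.
  # Who may actually *query* is narrowed further by services.unbound.allowedAccess
  # below; sshd has no equivalent source restriction in this file.
  networking.firewall.allowedUDPPorts = [ 53 ];
  networking.firewall.allowedTCPPorts = [ 22 53 ];

  # For NixOps: root logs in over SSH with its deployment key.
  # "prohibit-password" keeps key-based root login (what NixOps uses) and
  # only rejects password authentication for root on the world-reachable
  # port 22. No root password is defined in this file, so nothing relied
  # on the previous "yes".
  services.openssh = {
    enable = true;
    permitRootLogin = "prohibit-password";
  };

  services.unbound = {
    enable = true;
    # Listen on every address; the ACL below decides who gets answers.
    interfaces = [ "0.0.0.0" "::0" ];
    # Rendered by the NixOS module as access-control ... allow entries:
    # dn42 / ffdd ranges, the local transfer nets and loopback only.
    # The "::172.20.72.0/117" style entries are IPv4 ranges written as
    # IPv4-compatible IPv6 prefixes -- kept as the author wrote them.
    allowedAccess = [
      "fd23:42:c3d2:500::/56"
      "2a02:8106:208:5200::/56"
      "2a02:8106:211:e900::/56"
      "::172.20.72.0/117"
      "::172.22.99.0/120"
      "::1/128"
      "172.20.72.0/21"
      "10.0.0.0/24"
      "10.200.0.0/15"
      "172.22.99.0/24"
      "127.0.0.0/8"
    ];
    # Upstreams for the "." forward zone. "@853" selects the DNS-over-TLS port.
    # The last entry carries an embedded newline so that the module's generated
    # forward-zone also gets "forward-ssl-upstream: yes"; the 19.09 module
    # apparently exposes no option for it, so this depends on the module
    # writing one "forward-addr:" line per entry -- re-check after upgrades.
    #
    # NOTE(review): no tls-cert-bundle and no authentication name are set, so
    # as written the TLS sessions appear to be encrypted but not authenticated
    # against the upstream's certificate. unbound can verify them with
    #   forward-addr: 9.9.9.9@853#dns.quad9.net   (name after '#')
    #   server: tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # TODO confirm the installed unbound and module support this before
    # changing the strings below.
    forwardAddresses = [
      # Quad9
      "9.9.9.9@853" #dns.quad9.net
      "2620:fe::fe@853" #dns.quad9.net
      "149.112.112.112@853" #dns.quad9.net
      "2620:fe::9@853" #dns.quad9.net
      # Cloudflare DNS
      "1.1.1.1@853" #cloudflare-dns.com
      "2606:4700:4700::1111@853" #cloudflare-dns.com
      "1.0.0.1@853" #cloudflare-dns.com
      "2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com
    ];
    extraConfig = ''
      server:
        # DNSSEC validation is switched off for the dn42/ffdd namespaces and
        # the private reverse zones below (presumably unsigned); answers from
        # those forwarders are accepted as-is.
        domain-insecure: "dn42"
        domain-insecure: "20.172.in-addr.arpa"
        domain-insecure: "21.172.in-addr.arpa"
        domain-insecure: "22.172.in-addr.arpa"
        domain-insecure: "23.172.in-addr.arpa"
        domain-insecure: "d.f.ip6.arpa"
        domain-insecure: "ffdd"
        domain-insecure: "200.10.in-addr.arpa"
        # "nodefault" drops unbound's built-in empty answers for these
        # private-range reverse zones so the forward-zones below take effect.
        local-zone: "20.172.in-addr.arpa." nodefault
        local-zone: "21.172.in-addr.arpa." nodefault
        local-zone: "22.172.in-addr.arpa." nodefault
        local-zone: "23.172.in-addr.arpa." nodefault
        local-zone: "d.f.ip6.arpa." nodefault
        local-zone: "ffdd." nodefault
        local-zone: "200.10.in-addr.arpa." nodefault

      # unbound-control, used by the collectd exec script below. No
      # control-interface is given, so unbound's default (localhost) applies.
      remote-control:
        control-enable: yes
        server-key-file: /var/lib/unbound/unbound_server.key
        server-cert-file: /var/lib/unbound/unbound_server.pem
        control-key-file: /var/lib/unbound/unbound_control.key
        control-cert-file: /var/lib/unbound/unbound_control.pem

      # Reverse zone for 172.22.99.0/24, served by c3d2.
      forward-zone:
        name: "99.22.172.in-addr.arpa"
        forward-host: "ns.c3d2.de"

      # Zentralwerk forward and reverse zones (172.20.72.0/21).
      forward-zone:
        name: "zentralwerk.dn42"
        forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
        name: "72.20.172.in-addr.arpa"
        forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
        name: "73.20.172.in-addr.arpa"
        forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
        name: "74.20.172.in-addr.arpa"
        forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
        name: "75.20.172.in-addr.arpa"
        forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
        name: "76.20.172.in-addr.arpa"
        forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
        name: "77.20.172.in-addr.arpa"
        forward-host: "dns.serv.zentralwerk.org"

      # dn42 root and its private reverse zones, via the dn42 anycast resolver.
      forward-zone:
        name: "dn42"
        forward-addr: 172.23.0.53
      forward-zone:
        name: "20.172.in-addr.arpa"
        forward-addr: 172.23.0.53
      forward-zone:
        name: "21.172.in-addr.arpa"
        forward-addr: 172.23.0.53
      forward-zone:
        name: "22.172.in-addr.arpa"
        forward-addr: 172.23.0.53
      forward-zone:
        name: "23.172.in-addr.arpa"
        forward-addr: 172.23.0.53
      forward-zone:
        name: "d.f.ip6.arpa"
        forward-addr: 172.23.0.53

      # Freifunk Dresden (ffdd) and its 10.200.0.0/15 reverse zone.
      forward-zone:
        name: "ffdd"
        forward-addr: 10.200.0.4
        forward-addr: 10.200.0.16
      forward-zone:
        name: "200.10.in-addr.arpa"
        forward-addr: 10.200.0.4
        forward-addr: 10.200.0.16
    '';
  };

  services.collectd = {
    enable = true;
    autoLoadPlugin = true;
    plugins = {
      cpu = "";
      memory = "";
      interface = "";
      load = "";
      # Exports unbound's "total.*" statistics. The Ruby script polls
      # unbound-control every 10 s (matching the collectd Interval below) and
      # prints PUTVAL lines on stdout. "stats_noreset" leaves the counters
      # untouched, so other readers see the same cumulative values.
      exec = let
        unboundScript = builtins.toFile "unbound.rb" ''
          loop do
            `/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset`
              .lines
              .filter { |l| l =~ /^total\./ }
              .each { |l|
                if l =~ /total\.(.+?)=([\d\.]+)/
                  name = $1
                  value = $2.to_f
                  # avg/median/max/min are point-in-time values -> gauge;
                  # everything else is a monotonically growing counter -> derive
                  # (truncated to an integer for collectd).
                  if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/
                    ty = "gauge"
                  else
                    ty = "derive"
                    value = value.to_i
                  end
                  puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
                end
              }
            sleep 10
          end
        '';
      in ''
        # Runs as the "collectd" user; that user therefore needs read access
        # to the control key/cert files referenced in remote-control above --
        # not granted anywhere in this file, verify on the host.
        Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
      '';
      # Pushes metrics to the Grafana host over the collectd network protocol.
      # No SecurityLevel/Username/Password is configured here, so the packets
      # go out unsigned and unencrypted; acceptable only because the path is
      # the internal dn42 network -- confirm that assumption.
      network = ''
        Server "grafana.serv.zentralwerk.dn42" "25826"
      '';
    };
    extraConfig = ''
      Interval 10
    '';
  };
}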