From 51df2155de65d0c9cf331c4944d03b42adf8c34d Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 26 May 2021 23:32:11 +0200
Subject: [PATCH] dnscache: update unbound settings for nixos-21.05
---
 nix/nixos-module/container/dnscache.nix | 212 ++++++++++--------
 1 file changed, 85 insertions(+), 127 deletions(-)
diff --git a/nix/nixos-module/container/dnscache.nix b/nix/nixos-module/container/dnscache.nix
index 945a0d0..d39c642 100644
--- a/nix/nixos-module/container/dnscache.nix
+++ b/nix/nixos-module/container/dnscache.nix
@@ -3,141 +3,99 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable { services.unbound = { enable = true; - interfaces = [ "0.0.0.0" "::0" ]; - # TODO: generate - allowedAccess = [ - "fd23:42:c3d2:500::/56" - "2a02:8106:208:5200::/56" - "2a02:8106:211:e900::/56" - "::172.20.72.0/117" - "::172.22.99.0/120" - "::1/128" - "172.20.72.0/21" - "10.0.0.0/24" - "10.200.0.0/15" - "172.22.99.0/24" - "127.0.0.0/8" - ]; - extraConfig = '' - remote-control: - control-enable: yes - control-use-cert: no - - server: - num-threads: 4 - verbosity: 1 - prefetch: yes - serve-expired: yes - cache-min-ttl: 60 - cache-max-ttl: 3600 + settings = { + remote-control = { + control-enable = true; + control-use-cert = false; + }; + server = { + num-threads = 4; + verbosity = 1; + prefetch = true; + serve-expired = true; + cache-min-ttl = 60; + cache-max-ttl = 3600; + interface = [ "0.0.0.0" "'::0'" ]; + # TODO: generate + access-control = [ + "fd23:42:c3d2:500::/56 allow" + "2a02:8106:208:5200::/56 allow" + "2a02:8106:211:e900::/56 allow" + "::172.20.72.0/117 allow" + "::172.22.99.0/120 allow" + "::1/128 allow" + "172.20.72.0/21 allow" + "10.0.0.0/24 allow" + "10.200.0.0/15 allow" + "172.22.99.0/24 allow" + "127.0.0.0/8 allow" + "0.0.0.0/0 deny" + "::/0 deny" + ]; # For DNS over TLS - tls-cert-bundle: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; # allow reverse lookup of rfc1918 space, which includes the DN42 address space - unblock-lan-zones: yes - insecure-lan-zones: yes + unblock-lan-zones = true; + insecure-lan-zones = true; - domain-insecure: "dn42" - domain-insecure: "d.f.ip6.arpa" - domain-insecure: "ffdd" - - forward-zone: - name: "." 
- forward-tls-upstream: yes - # Quad9 - forward-addr: 2620:fe::fe@853#dns.quad9.net - forward-addr: 9.9.9.9@853#dns.quad9.net - forward-addr: 2620:fe::9@853#dns.quad9.net - forward-addr: 149.112.112.112@853#dns.quad9.net - # Cloudflare DNS - forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com - forward-addr: 1.1.1.1@853#cloudflare-dns.com - forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com - forward-addr: 1.0.0.1@853#cloudflare-dns.com + domain-insecure = [ + "dn42" + "d.f.ip6.arpa" + "ffdd" + ]; + }; + forward-zone = let + mkFfddZone = name: { + inherit name; + forward-addr = [ "10.200.0.4" "10.200.0.16" ]; + }; + in [ { + name = "."; + forward-tls-upstream = true; + forward-addr = [ + # Quad9 + "2620:fe::fe@853#dns.quad9.net" + "9.9.9.9@853#dns.quad9.net" + "2620:fe::9@853#dns.quad9.net" + "149.112.112.112@853#dns.quad9.net" + # Cloudflare DNS + "2606:4700:4700::1111@853#cloudflare-dns.com" + "1.1.1.1@853#cloudflare-dns.com" + "2606:4700:4700::1001@853#cloudflare-dns.com" + "1.0.0.1@853#cloudflare-dns.com" + ]; + } ] ++ # Local networks - - ${lib.concatMapStrings ({ name, ... }: '' - forward-zone: - name: "${name}" - forward-addr: "${config.site.net.serv.hosts4.dns}" - ${lib.concatMapStrings (hosts6: - " forward-addr: ${hosts6.dns}\n" - ) (builtins.attrValues config.site.net.serv.hosts6)} - '') config.site.dns.localZones} - - # # C3D2 reverse - # forward-zone: - # name: "99.22.172.in-addr.arpa" - # forward-host: "ns.c3d2.de" - + map ({ name, ... 
}: { + name = "${name}"; + forward-addr = [ "${config.site.net.serv.hosts4.dns}" ] ++ + map (hosts6: hosts6.dns) + (builtins.attrValues config.site.net.serv.hosts6); + }) config.site.dns.localZones # Freifunk - - forward-zone: - name: "ffdd" - forward-addr: 10.200.0.4 - forward-addr: 10.200.0.16 - - forward-zone: - name: "200.10.in-addr.arpa" - forward-addr: 10.200.0.4 - forward-addr: 10.200.0.16 - - forward-zone: - name: "201.10.in-addr.arpa" - forward-addr: 10.200.0.4 - forward-addr: 10.200.0.16 - + ++ (map mkFfddZone [ + "ffdd" + "200.10.in-addr.arpa" + "201.10.in-addr.arpa" + ]); # DN42 - - stub-zone: - name: "dn42" - stub-prime: yes - stub-addr: 172.20.0.53 - stub-addr: fd42:d42:d42:54::1 - stub-addr: 172.23.0.53 - stub-addr: fd42:d42:d42:53::1 - - stub-zone: - name: "20.172.in-addr.arpa" - stub-prime: yes - stub-addr: 172.20.0.53 - stub-addr: fd42:d42:d42:54::1 - stub-addr: 172.23.0.53 - stub-addr: fd42:d42:d42:53::1 - - stub-zone: - name: "21.172.in-addr.arpa" - stub-prime: yes - stub-addr: 172.20.0.53 - stub-addr: fd42:d42:d42:54::1 - stub-addr: 172.23.0.53 - stub-addr: fd42:d42:d42:53::1 - - stub-zone: - name: "22.172.in-addr.arpa" - stub-prime: yes - stub-addr: 172.20.0.53 - stub-addr: fd42:d42:d42:54::1 - stub-addr: 172.23.0.53 - stub-addr: fd42:d42:d42:53::1 - - stub-zone: - name: "23.172.in-addr.arpa" - stub-prime: yes - stub-addr: 172.20.0.53 - stub-addr: fd42:d42:d42:54::1 - stub-addr: 172.23.0.53 - stub-addr: fd42:d42:d42:53::1 - - stub-zone: - name: "d.f.ip6.arpa" - stub-prime: yes - stub-addr: 172.20.0.53 - stub-addr: fd42:d42:d42:54::1 - stub-addr: 172.23.0.53 - stub-addr: fd42:d42:d42:53::1 - ''; + stub-zone = let + mkDn42Zone = name: { + inherit name; + stub-prime = true; + stub-addr = [ + "172.20.0.53" "fd42:d42:d42:54::1" + "172.23.0.53" "fd42:d42:d42:53::1" + ]; + }; + in map mkDn42Zone [ + "dn42" "d.f.ip6.arpa" + "20.172.in-addr.arpa" "21.172.in-addr.arpa" + "22.172.in-addr.arpa" "23.172.in-addr.arpa" + ]; + }; }; }
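Review bot: Because `interface = [ "0.0.0.0" "'::0'" ]` binds the resolver to every address, the hand-maintained `access-control` list in the `server` block (still tagged `# TODO: generate`) is the only thing that keeps this host from being an open resolver, and the new trailing `"0.0.0.0/0 deny"` / `"::/0 deny"` entries silently drop unlisted clients instead of Unbound's default REFUSED answer — a comment such as `# catch-all: drop (not REFUSE) anything not allowed above; keep in sync with site.net` would record that intent. `serve-expired = true` is carried over without a `serve-expired-ttl`, so records past their TTL can be served without a time bound whenever upstream is unreachable; consider adding `serve-expired-ttl = 86400;` beside it (RFC 8767 suggests a limit in the range of one to three days). The IPv6 wildcard is written as `"'::0'"` while the IPv4 one is bare, which looks deliberate (presumably to survive the settings serializer — worth confirming) and deserves a one-line comment so it is not "fixed" later. The `services.unbound` attribute set is opened on the hunk's first context line, and the `lib.mkIf` expression it sits in starts before the hunk.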