dnscache: update unbound settings for nixos-21.05

Astro 2021-05-26 23:32:11 +02:00
parent e1c4c864d9
commit 51df2155de
1 changed files with 85 additions and 127 deletions


@ -3,141 +3,99 @@
lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable { lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
services.unbound = { services.unbound = {
enable = true; enable = true;
interfaces = [ "0.0.0.0" "::0" ]; settings = {
# TODO: generate remote-control = {
allowedAccess = [ control-enable = true;
"fd23:42:c3d2:500::/56" control-use-cert = false;
"2a02:8106:208:5200::/56" };
"2a02:8106:211:e900::/56" server = {
"::172.20.72.0/117" num-threads = 4;
"::172.22.99.0/120" verbosity = 1;
"::1/128" prefetch = true;
"172.20.72.0/21" serve-expired = true;
"10.0.0.0/24" cache-min-ttl = 60;
"10.200.0.0/15" cache-max-ttl = 3600;
"172.22.99.0/24"
"127.0.0.0/8"
];
extraConfig = ''
remote-control:
control-enable: yes
control-use-cert: no
server:
num-threads: 4
verbosity: 1
prefetch: yes
serve-expired: yes
cache-min-ttl: 60
cache-max-ttl: 3600
interface = [ "0.0.0.0" "'::0'" ];
# TODO: generate
access-control = [
"fd23:42:c3d2:500::/56 allow"
"2a02:8106:208:5200::/56 allow"
"2a02:8106:211:e900::/56 allow"
"::172.20.72.0/117 allow"
"::172.22.99.0/120 allow"
"::1/128 allow"
"172.20.72.0/21 allow"
"10.0.0.0/24 allow"
"10.200.0.0/15 allow"
"172.22.99.0/24 allow"
"127.0.0.0/8 allow"
"0.0.0.0/0 deny"
"::/0 deny"
];
# For DNS over TLS # For DNS over TLS
tls-cert-bundle: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
# allow reverse lookup of rfc1918 space, which includes the DN42 address space # allow reverse lookup of rfc1918 space, which includes the DN42 address space
unblock-lan-zones: yes unblock-lan-zones = true;
insecure-lan-zones: yes insecure-lan-zones = true;
domain-insecure: "dn42" domain-insecure = [
domain-insecure: "d.f.ip6.arpa" "dn42"
domain-insecure: "ffdd" "d.f.ip6.arpa"
"ffdd"
forward-zone: ];
name: "." };
forward-tls-upstream: yes
# Quad9
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
# Cloudflare DNS
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-zone = let
mkFfddZone = name: {
inherit name;
forward-addr = [ "10.200.0.4" "10.200.0.16" ];
};
in [ {
name = ".";
forward-tls-upstream = true;
forward-addr = [
# Quad9
"2620:fe::fe@853#dns.quad9.net"
"9.9.9.9@853#dns.quad9.net"
"2620:fe::9@853#dns.quad9.net"
"149.112.112.112@853#dns.quad9.net"
# Cloudflare DNS
"2606:4700:4700::1111@853#cloudflare-dns.com"
"1.1.1.1@853#cloudflare-dns.com"
"2606:4700:4700::1001@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
} ] ++
# Local networks # Local networks
map ({ name, ... }: {
${lib.concatMapStrings ({ name, ... }: '' name = "${name}";
forward-zone: forward-addr = [ "${config.site.net.serv.hosts4.dns}" ] ++
name: "${name}" map (hosts6: hosts6.dns)
forward-addr: "${config.site.net.serv.hosts4.dns}" (builtins.attrValues config.site.net.serv.hosts6);
${lib.concatMapStrings (hosts6: }) config.site.dns.localZones
" forward-addr: ${hosts6.dns}\n"
) (builtins.attrValues config.site.net.serv.hosts6)}
'') config.site.dns.localZones}
# # C3D2 reverse
# forward-zone:
# name: "99.22.172.in-addr.arpa"
# forward-host: "ns.c3d2.de"
# Freifunk # Freifunk
++ (map mkFfddZone [
forward-zone: "ffdd"
name: "ffdd" "200.10.in-addr.arpa"
forward-addr: 10.200.0.4 "201.10.in-addr.arpa"
forward-addr: 10.200.0.16 ]);
forward-zone:
name: "200.10.in-addr.arpa"
forward-addr: 10.200.0.4
forward-addr: 10.200.0.16
forward-zone:
name: "201.10.in-addr.arpa"
forward-addr: 10.200.0.4
forward-addr: 10.200.0.16
# DN42 # DN42
stub-zone = let
stub-zone: mkDn42Zone = name: {
name: "dn42" inherit name;
stub-prime: yes stub-prime = true;
stub-addr: 172.20.0.53 stub-addr = [
stub-addr: fd42:d42:d42:54::1 "172.20.0.53" "fd42:d42:d42:54::1"
stub-addr: 172.23.0.53 "172.23.0.53" "fd42:d42:d42:53::1"
stub-addr: fd42:d42:d42:53::1 ];
};
stub-zone: in map mkDn42Zone [
name: "20.172.in-addr.arpa" "dn42" "d.f.ip6.arpa"
stub-prime: yes "20.172.in-addr.arpa" "21.172.in-addr.arpa"
stub-addr: 172.20.0.53 "22.172.in-addr.arpa" "23.172.in-addr.arpa"
stub-addr: fd42:d42:d42:54::1 ];
stub-addr: 172.23.0.53 };
stub-addr: fd42:d42:d42:53::1
stub-zone:
name: "21.172.in-addr.arpa"
stub-prime: yes
stub-addr: 172.20.0.53
stub-addr: fd42:d42:d42:54::1
stub-addr: 172.23.0.53
stub-addr: fd42:d42:d42:53::1
stub-zone:
name: "22.172.in-addr.arpa"
stub-prime: yes
stub-addr: 172.20.0.53
stub-addr: fd42:d42:d42:54::1
stub-addr: 172.23.0.53
stub-addr: fd42:d42:d42:53::1
stub-zone:
name: "23.172.in-addr.arpa"
stub-prime: yes
stub-addr: 172.20.0.53
stub-addr: fd42:d42:d42:54::1
stub-addr: 172.23.0.53
stub-addr: fd42:d42:d42:53::1
stub-zone:
name: "d.f.ip6.arpa"
stub-prime: yes
stub-addr: 172.20.0.53
stub-addr: fd42:d42:d42:54::1
stub-addr: 172.23.0.53
stub-addr: fd42:d42:d42:53::1
'';
}; };
} }
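Review bot: The new `remote-control` block enables `control-enable` with `control-use-cert = false` but sets no `control-interface`, so the unauthenticated control channel stays safe only while unbound's default of binding it to localhost remains in effect; a comment such as `# control-use-cert = false relies on control-interface keeping its localhost default; never add non-local interfaces here` would pin that assumption, or `control-interface = [ "127.0.0.1" "::1" ];` could be set explicitly (unless the NixOS 21.05 module already does so). Likewise `serve-expired = true` in the `server` block has no `serve-expired-ttl` next to it, which as far as I recall means stale records are served without a time cap once upstreams are unreachable; either an explicit `serve-expired-ttl` or a one-line comment stating that unbounded staleness is intended would document the choice. The inner single quotes in `"'::0'"` on the `interface` line look deliberate but deserve a short comment explaining why plain `"::0"` is not used, since a reader will otherwise take it for a typo. The `lib.mkIf` expression and the module's argument header begin before this hunk.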