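{ hostName, config, lib, pkgs, ... }:

let
  # Resolvers that prime every dn42 stub zone (IPv4 and IPv6 address of two servers).
  dn42StubAddrs = [
    "172.20.0.53"
    "fd42:d42:d42:54::1"
    "172.23.0.53"
    "fd42:d42:d42:53::1"
  ];

  # Forward and reverse zones that are resolved via dn42StubAddrs.
  dn42StubZones = [
    "dn42"
    "20.172.in-addr.arpa"
    "21.172.in-addr.arpa"
    "22.172.in-addr.arpa"
    "23.172.in-addr.arpa"
    "d.f.ip6.arpa"
  ];

  # Freifunk resolvers and the zones forwarded to them.
  ffddForwardAddrs = [ "10.200.0.4" "10.200.0.16" ];
  ffddForwardZones = [ "ffdd" "200.10.in-addr.arpa" "201.10.in-addr.arpa" ];

  # Render one unbound `forward-zone:` clause for `name`,
  # with one forward-addr line per entry of `addrs`.
  mkForwardZone = addrs: name: ''
    forward-zone:
      name: "${name}"
    ${lib.concatMapStrings (addr: "  forward-addr: ${addr}\n") addrs}
  '';

  # Render one primed unbound `stub-zone:` clause for `name`,
  # with one stub-addr line per entry of `addrs`.
  mkStubZone = addrs: name: ''
    stub-zone:
      name: "${name}"
      stub-prime: yes
    ${lib.concatMapStrings (addr: "  stub-addr: ${addr}\n") addrs}
  '';

  # Render the forward-zone for one entry of config.site.dns.localZones: the
  # site's IPv4 DNS host plus the `dns` address of every IPv6 host set.
  mkLocalZone = { name, ... }: ''
    forward-zone:
      name: "${name}"
      forward-addr: "${config.site.net.serv.hosts4.dns}"
    ${lib.concatMapStrings (net6: "  forward-addr: ${net6.dns}\n")
      (builtins.attrValues config.site.net.serv.hosts6)}
  '';
in

lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
  services.unbound = {
    enable = true;

    # Listen on all addresses; clients are restricted by allowedAccess below.
    interfaces = [ "0.0.0.0" "::0" ];

    # TODO: generate from the site network definitions instead of maintaining by hand
    allowedAccess = [
      "fd23:42:c3d2:500::/56"
      "2a02:8106:208:5200::/56"
      "2a02:8106:211:e900::/56"
      "::172.20.72.0/117"
      "::172.22.99.0/120"
      "::1/128"
      "172.20.72.0/21"
      "10.0.0.0/24"
      "10.200.0.0/15"
      "172.22.99.0/24"
      "127.0.0.0/8"
    ];

    extraConfig = ''
      remote-control:
        control-enable: yes
        # No certificate on the control channel: this is only acceptable while
        # control-interface keeps its loopback default (it is not set here), so
        # do not add a non-local control-interface without re-enabling certs.
        control-use-cert: no

      server:
        num-threads: 4
        verbosity: 1
        prefetch: yes
        # Stale answers may be served while upstream is unreachable. serve-expired-ttl
        # is not set, so nothing here bounds how old such an answer can be — review
        # whether a limit is wanted.
        serve-expired: yes
        cache-min-ttl: 60
        cache-max-ttl: 3600

        # For DNS over TLS: CA bundle used to verify the upstream names given
        # after '#' in the forward-addr lines below.
        tls-cert-bundle: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt

        # allow reverse lookup of rfc1918 space, which includes the DN42 address space
        unblock-lan-zones: yes
        insecure-lan-zones: yes

        # DNSSEC validation is skipped for these zones (presumably unsigned).
        domain-insecure: "dn42"
        domain-insecure: "d.f.ip6.arpa"
        domain-insecure: "ffdd"

      forward-zone:
        name: "."
        forward-tls-upstream: yes
        # Quad9
        forward-addr: 2620:fe::fe@853#dns.quad9.net
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 2620:fe::9@853#dns.quad9.net
        forward-addr: 149.112.112.112@853#dns.quad9.net
        # Cloudflare DNS
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com

      # Local networks
      ${lib.concatMapStrings mkLocalZone config.site.dns.localZones}

      # # C3D2 reverse
      # forward-zone:
      #   name: "99.22.172.in-addr.arpa"
      #   forward-host: "ns.c3d2.de"

      # Freifunk
      ${lib.concatMapStrings (mkForwardZone ffddForwardAddrs) ffddForwardZones}

      # DN42
      ${lib.concatMapStrings (mkStubZone dn42StubAddrs) dn42StubZones}
    '';
  };
}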