
dnscache.nix 3.4KB

  1. { hostName, config, lib, pkgs, ... }:
  2. lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
  3. services.unbound = {
  4. enable = true;
  5. interfaces = [ "0.0.0.0" "::0" ];
  6. # TODO: generate
  7. allowedAccess = [
  8. "fd23:42:c3d2:500::/56"
  9. "2a02:8106:208:5200::/56"
  10. "2a02:8106:211:e900::/56"
  11. "::172.20.72.0/117"
  12. "::172.22.99.0/120"
  13. "::1/128"
  14. "172.20.72.0/21"
  15. "10.0.0.0/24"
  16. "10.200.0.0/15"
  17. "172.22.99.0/24"
  18. "127.0.0.0/8"
  19. ];
  20. extraConfig = ''
  21. remote-control:
  22. control-enable: yes
  23. control-use-cert: no
  24. server:
  25. num-threads: 4
  26. verbosity: 1
  27. prefetch: yes
  28. serve-expired: yes
  29. cache-min-ttl: 60
  30. cache-max-ttl: 3600
  31. # For DNS over TLS
  32. tls-cert-bundle: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
  33. # allow reverse lookup of rfc1918 space, which includes the DN42 address space
  34. unblock-lan-zones: yes
  35. insecure-lan-zones: yes
  36. domain-insecure: "dn42"
  37. domain-insecure: "10.in-addr.arpa"
  38. ${lib.concatMapStrings (x:
  39. " domain-insecure: ${toString x}.172.in-addr.arpa\n"
  40. ) [
  41. 16 17 18 19
  42. 20 21 22 23
  43. 24 25 26 27
  44. 28 29 30 31
  45. ]}
  46. domain-insecure: "168.192.in-addr.arpa"
  47. domain-insecure: "d.f.ip6.arpa"
  48. domain-insecure: "ffdd"
  49. forward-zone:
  50. name: "."
  51. forward-tls-upstream: yes
  52. # Quad9
  53. forward-addr: 2620:fe::fe@853#dns.quad9.net
  54. forward-addr: 9.9.9.9@853#dns.quad9.net
  55. forward-addr: 2620:fe::9@853#dns.quad9.net
  56. forward-addr: 149.112.112.112@853#dns.quad9.net
  57. # Cloudflare DNS
  58. forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  59. forward-addr: 1.1.1.1@853#cloudflare-dns.com
  60. forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  61. forward-addr: 1.0.0.1@853#cloudflare-dns.com
  62. # Local networks
  63. ${lib.concatMapStrings ({ name, ... }: ''
  64. forward-zone:
  65. name: "${name}"
  66. forward-host: "${config.site.net.serv.hosts4.dns}"
  67. ${lib.concatMapStrings (hosts6:
  68. " forward-host: ${hosts6.dns}\n"
  69. ) (builtins.attrValues config.site.net.serv.hosts6)}
  70. '') config.site.dns.localZones}
  71. # C3D2 reverse
  72. forward-zone:
  73. name: "99.22.172.in-addr.arpa"
  74. forward-host: "ns.c3d2.de"
  75. # Freifunk
  76. forward-zone:
  77. name: "ffdd"
  78. forward-addr: 10.200.0.4
  79. forward-addr: 10.200.0.16
  80. forward-zone:
  81. name: "200.10.in-addr.arpa"
  82. forward-addr: 10.200.0.4
  83. forward-addr: 10.200.0.16
  84. forward-zone:
  85. name: "201.10.in-addr.arpa"
  86. forward-addr: 10.200.0.4
  87. forward-addr: 10.200.0.16
  88. # DN42
  89. stub-zone:
  90. name: "dn42"
  91. stub-prime: yes
  92. stub-addr: 172.23.0.53
  93. stub-zone:
  94. name: "20.172.in-addr.arpa"
  95. stub-prime: yes
  96. stub-addr: 172.23.0.53
  97. stub-zone:
  98. name: "21.172.in-addr.arpa"
  99. stub-prime: yes
  100. stub-addr: 172.23.0.53
  101. stub-zone:
  102. name: "22.172.in-addr.arpa"
  103. stub-prime: yes
  104. stub-addr: 172.23.0.53
  105. stub-zone:
  106. name: "23.172.in-addr.arpa"
  107. stub-prime: yes
  108. stub-addr: 172.23.0.53
  109. stub-zone:
  110. name: "d.f.ip6.arpa"
  111. stub-prime: yes
  112. stub-addr: 172.23.0.53
  113. '';
  114. };
  115. }