network/nix/nixos-module/container/dnscache.nix


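{ hostName, config, lib, pkgs, ... }:

let
  # Reverse zones of the DN42 address space; resolved via the DN42 root
  # server (stub-zone) rather than from the public root.
  dn42ReverseZones = [
    "20.172.in-addr.arpa"
    "21.172.in-addr.arpa"
    "22.172.in-addr.arpa"
    "23.172.in-addr.arpa"
    "d.f.ip6.arpa"
  ];
  dn42Zones = [ "dn42" ] ++ dn42ReverseZones;

  # C3D2's own reverse zone. It is more specific than 22.172.in-addr.arpa
  # above, so unbound picks this forward-zone over the DN42 stub-zone.
  c3d2ReverseZone = "99.22.172.in-addr.arpa";

  # Freifunk zones, forwarded over plain DNS to the Freifunk resolvers.
  freifunkReverseZones = [ "200.10.in-addr.arpa" "201.10.in-addr.arpa" ];
  freifunkZones = [ "ffdd" ] ++ freifunkReverseZones;
  freifunkResolvers = [ "10.200.0.4" "10.200.0.16" ];

  # Forward and reverse zones served by the Zentralwerk name server.
  zentralwerkZones = [
    "zentralwerk.dn42"
    "72.20.172.in-addr.arpa"
    "73.20.172.in-addr.arpa"
    "74.20.172.in-addr.arpa"
    "75.20.172.in-addr.arpa"
    "76.20.172.in-addr.arpa"
    "77.20.172.in-addr.arpa"
    "0.0.5.0.2.d.3.c.4.2.0.0.3.2.d.f.ip6.arpa"
  ];

  # None of these private zones is DNSSEC-signed: validation is switched off
  # for them (domain-insecure). For the reverse zones unbound's built-in
  # empty local-zone is dropped as well (kept explicit next to
  # unblock-lan-zones so the intent survives if that option is removed).
  insecureZones = dn42Zones ++ [ c3d2ReverseZone ] ++ freifunkZones;
  nodefaultZones = dn42ReverseZones ++ [ c3d2ReverseZone ] ++ freifunkReverseZones;

  # Render one config line per list element, newline-terminated.
  lines = f: xs: lib.concatMapStrings (x: f x + "\n") xs;

  # One forward-zone block sending `name` to a single named forwarder.
  forwardZoneToHost = host: name: ''
    forward-zone:
      name: "${name}"
      forward-host: "${host}"
  '';

  # One forward-zone block sending `name` to a list of plain-DNS addresses.
  forwardZoneToAddrs = addrs: name: ''
    forward-zone:
      name: "${name}"
  '' + lines (a: "  forward-addr: ${a}") addrs;

  # One stub-zone block that primes `name` from the given authoritative server.
  stubZone = addr: name: ''
    stub-zone:
      name: "${name}"
      stub-prime: yes
      stub-addr: ${addr}
  '';
in
lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
  services.unbound = {
    enable = true;
    # Listens on every address; the only thing gating queries is the
    # allowedAccess list below, so keep it tight.
    interfaces = [ "0.0.0.0" "::0" ];
    # TODO: generate from the site description instead of hard-coding.
    allowedAccess = [
      "fd23:42:c3d2:500::/56"
      "2a02:8106:208:5200::/56"
      "2a02:8106:211:e900::/56"
      "::172.20.72.0/117"
      "::172.22.99.0/120"
      "::1/128"
      "172.20.72.0/21"
      "10.0.0.0/24"
      "10.200.0.0/15"
      "172.22.99.0/24"
      "127.0.0.0/8"
    ];
    extraConfig = ''
      remote-control:
        control-enable: yes
        # NOTE(review): no control-interface is set, so unbound uses its
        # loopback TCP default; with certificates disabled any local process
        # can issue unbound-control commands (flush, reload, ...). A unix
        # socket or the generated certificates would close that.
        control-use-cert: no
      server:
        num-threads: 4
        verbosity: 1
        prefetch: yes
        serve-expired: yes
        # Cap how long expired records keep being served while upstreams are
        # unreachable; unbound's default of 0 serves them indefinitely.
        serve-expired-ttl: 86400
        cache-min-ttl: 60
        cache-max-ttl: 3600
        # CA bundle used to verify the DNS-over-TLS upstreams below.
        tls-cert-bundle: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
        # Allow reverse lookup of RFC 1918 space, which includes the DN42
        # address space.
        unblock-lan-zones: yes
        insecure-lan-zones: yes
      ${lines (z: "  domain-insecure: \"${z}\"") insecureZones}
      ${lines (z: "  local-zone: \"${z}.\" nodefault") nodefaultZones}
      # Everything else goes to public resolvers over TLS; the #name after
      # each address is the certificate name unbound authenticates.
      forward-zone:
        name: "."
        forward-tls-upstream: yes
        # Quad9
        forward-addr: 2620:fe::fe@853#dns.quad9.net
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 2620:fe::9@853#dns.quad9.net
        forward-addr: 149.112.112.112@853#dns.quad9.net
        # Cloudflare DNS
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
      # Local networks (Zentralwerk)
      ${lib.concatMapStrings (forwardZoneToHost "dns.serv.zentralwerk.org") zentralwerkZones}
      # C3D2 reverse
      ${forwardZoneToHost "ns.c3d2.de" c3d2ReverseZone}
      # Freifunk
      ${lib.concatMapStrings (forwardZoneToAddrs freifunkResolvers) freifunkZones}
      # DN42
      ${lib.concatMapStrings (stubZone "172.23.0.53") dn42Zones}
    '';
  };
}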