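{ hostName, config, lib, pkgs, ... }:

# Per-host recursive DNS cache (unbound). Only active when the site option
# `services.dnscache.enable` is set for this host.
#
# Resolution paths, from least to most specific:
#   "."                     -> public resolvers over DNS-over-TLS (Quad9,
#                              Cloudflare); certificate names pinned via
#                              the `@853#<hostname>` suffix.
#   config.site.dns.localZones -> the site's own DNS servers (plain DNS).
#   ffdd + 10.200/15 reverse -> Freifunk Dresden resolvers (plain DNS).
#   dn42 + 172.20-23 / fd00::/8 reverse -> DN42 DNS servers (plain DNS,
#                              stub zones, DNSSEC validation disabled).
lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
  services.unbound = {
    enable = true;

    settings = {
      remote-control = {
        control-enable = true;
        # No certificate auth on the control channel. No `control-interface`
        # is set here either, so unbound's default (loopback TCP, port 8953)
        # applies -- i.e. any local process can drive unbound-control.
        # NOTE(review): if untrusted local users can exist on a dnscache
        # host, switch to a unix-domain control socket or re-enable certs.
        control-use-cert = false;
      };

      server = {
        num-threads = 4;
        verbosity = 1;

        # Refresh popular RRsets (and DNSKEYs) shortly before they expire
        # so clients rarely wait on an upstream round trip.
        prefetch = true;
        prefetch-key = true;
        # Answer from stale cache when upstream is unreachable.
        # NOTE(review): no `serve-expired-ttl` is set, so unbound's default
        # (0 = unbounded) applies and stale records may be served indefinitely
        # during an outage; set a bound (e.g. 86400) if that is not wanted.
        serve-expired = true;
        # TTL clamp: never cache shorter than 60s (this overrides upstream
        # TTLs below that, so very short-lived records age slower than their
        # owners intend) nor longer than one hour.
        cache-min-ttl = 60;
        cache-max-ttl = 3600;

        # Slab counts must be a power of two; 8 suits num-threads = 4.
        infra-cache-slabs = "8";
        key-cache-slabs = "8";
        msg-cache-slabs = "8";
        rrset-cache-slabs = "8";
        # rrset cache is conventionally about twice the msg cache.
        msg-cache-size = "256m"; # half again 128m?
        rrset-cache-size = "512m"; # half again 256m?

        # Bind every v4 and v6 address; who may query is decided solely by
        # access-control below, so that list is the security boundary.
        # NOTE(review): the inner single quotes around ::0 are passed through
        # into unbound.conf verbatim. unbound's lexer accepts quoted strings,
        # so this works, but a bare "::0" should be equivalent -- confirm
        # before simplifying.
        interface = [ "0.0.0.0" "'::0'" ];

        # Client allow-list. unbound matches on the most specific prefix, so
        # the two /0 entries are the catch-all regardless of order. `deny`
        # drops silently; use `refuse` instead if clients should get a
        # REFUSED rcode back (easier to debug, slightly more chatty).
        # NOTE(review): the `::a.b.c.d` entries are the deprecated
        # IPv4-compatible form, not the IPv4-mapped `::ffff:a.b.c.d` form.
        # With separate 0.0.0.0 and ::0 sockets, v4 clients arrive as plain
        # IPv4 and are covered by the v4 rules, so those entries are most
        # likely dead -- verify before relying on them.
        # TODO: generate from the site network definitions
        access-control = [
          "fd23:42:c3d2:500::/56 allow"
          "2a00:8180:2000:37::1/128 allow"
          "2a00:8180:2c00:200::/56 allow"
          "::172.20.72.0/117 allow"
          "::172.22.99.0/120 allow"
          "::1/128 allow"
          "172.20.72.0/21 allow"
          "10.0.0.0/24 allow"
          "10.200.0.0/15 allow"
          "172.22.99.0/24 allow"
          "127.0.0.0/8 allow"
          "0.0.0.0/0 deny"
          "::/0 deny"
        ];

        # CA bundle used to verify the DNS-over-TLS upstreams in the "."
        # forward-zone against the `#hostname` pinned after each address.
        tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

        # Let reverse lookups for RFC 1918 / fd00::/8 space be forwarded
        # instead of answered locally with NXDOMAIN, and do not require
        # DNSSEC for them. This is what makes the DN42 and Freifunk reverse
        # zones below reachable at all.
        unblock-lan-zones = true;
        insecure-lan-zones = true;

        # These trees are not delegated from the public root and carry no
        # chain of trust to it, so DNSSEC validation is switched off for
        # them; answers from these zones are therefore unauthenticated.
        domain-insecure = [
          "dn42"
          "d.f.ip6.arpa"
          "ffdd"
        ];
      };

      forward-zone = let
        # Freifunk Dresden zones: plain-DNS forward to the ffdd resolvers.
        mkFfddZone = name: {
          inherit name;
          forward-addr = [ "10.200.0.4" "10.200.0.16" ];
        };

        # Site-internal zones: plain-DNS forward to the site's DNS servers,
        # the v4 address first, then every v6 address the serv net defines.
        mkLocalZone = { name, ... }: {
          inherit name;
          forward-addr = [ config.site.net.serv.hosts4.dns ]
            ++ map (hosts6: hosts6.dns) (builtins.attrValues config.site.net.serv.hosts6);
        };

        # Everything else: public resolvers over DNS-over-TLS (port 853).
        # The `#hostname` suffix is the name unbound checks the server
        # certificate against, using tls-cert-bundle above.
        publicZone = {
          name = ".";
          forward-tls-upstream = true;
          forward-addr = [
            # Quad9
            "2620:fe::fe@853#dns.quad9.net"
            "9.9.9.9@853#dns.quad9.net"
            "2620:fe::9@853#dns.quad9.net"
            "149.112.112.112@853#dns.quad9.net"
            # Cloudflare DNS
            "2606:4700:4700::1111@853#cloudflare-dns.com"
            "1.1.1.1@853#cloudflare-dns.com"
            "2606:4700:4700::1001@853#cloudflare-dns.com"
            "1.0.0.1@853#cloudflare-dns.com"
          ];
        };
      in
        [ publicZone ]
        ++ map mkLocalZone config.site.dns.localZones
        ++ map mkFfddZone [
          "ffdd"
          "200.10.in-addr.arpa"
          "201.10.in-addr.arpa"
        ];

      # DN42: served as stub zones, i.e. unbound iterates against the listed
      # servers itself (with `stub-prime` it first asks them for the zone's
      # NS set) rather than forwarding whole queries.
      # NOTE(review): `d.f.ip6.arpa` stubs the reverse tree for all of
      # fd00::/8 -- including the site's own fd23:42:c3d2:500::/56 -- to
      # DN42. Reverse zones for the site's ULA space must appear in
      # config.site.dns.localZones (more specific) or they are looked up
      # at DN42; confirm that is the case.
      stub-zone = let
        mkDn42Zone = name: {
          inherit name;
          stub-prime = true;
          stub-addr = [
            "172.20.0.53" "fd42:d42:d42:54::1"
            "172.23.0.53" "fd42:d42:d42:53::1"
          ];
        };
      in map mkDn42Zone [
        "dn42" "d.f.ip6.arpa"
        "20.172.in-addr.arpa" "21.172.in-addr.arpa"
        "22.172.in-addr.arpa" "23.172.in-addr.arpa"
      ];
    };
  };
}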