| author | Caroline Larimore <caroline@larimo.re> | 2026-03-03 20:51:31 -0800 |
|---|---|---|
| committer | Caroline Larimore <caroline@larimo.re> | 2026-03-03 20:51:31 -0800 |
| commit | 109565579735b6f066b3b1a1252fd7857df526ec (patch) | |
| tree | cd0802d5b08f3e1d1b1429c87fae7373ef4ec524 /modules | |
| parent | d3ab30e2219f8ee17631827e28992ce98cec6db4 (diff) | |
unbound: initial setup
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/nixos/services/unbound/default.nix | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/modules/nixos/services/unbound/default.nix b/modules/nixos/services/unbound/default.nix
new file mode 100644
index 0000000..a926b55
--- /dev/null
+++ b/modules/nixos/services/unbound/default.nix
@@ -0,0 +1,55 @@
+{ options, config, lib, namespace, pkgs, ... }:
+
+with lib; with lib.${namespace}; let
+ cfg = config.${namespace}.services.unbound;
+ impermanence = config.${namespace}.system.impermanence;
+in {
+ options.${namespace}.services.unbound = with types; {
+ enable = mkEnableOption "unbound dns server";
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
+
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ logfile = "unbound.log";
+ verbosity = 3;
+
+ interface = [
+ "0.0.0.0"
+ "::0"
+ ];
+ access-control = [
+ "10.0.0.0/8 allow"
+ "192.168.0.0/16 allow"
+ "2001:DB8::/64 allow"
+ ];
+
+ do-not-query-localhost = false;
+
+ local-zone = ''"cxl.sh." redirect'';
+ local-data = [
+ ''"cxl.sh. 30 IN A 192.168.254.11"''
+ ];
+ };
+
+ forward-zone = [{
+ name = ".";
+ # sobbing
+ # forward-addr = [
+ # "1.1.1.1@853#cloudflare-dns.com"
+ # "1.0.0.1@853#cloudflare-dns.com"
+ # ];
+ forward-addr = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ }];
+ };
+ };
+ };
+} |
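Review bot: The resolver binds every address (`interface = [ "0.0.0.0" "::0" ]`) and the firewall opens 53/tcp and 53/udp on all interfaces, so only unbound's access-control stands between the service and non-LAN clients, and the IPv6 entry `"2001:DB8::/64 allow"` is the RFC 3849 documentation prefix, which looks like a placeholder rather than a real client range. Unless this host has no public interface, scope the firewall rule to the LAN side, e.g. `networking.firewall.interfaces.<lan>.allowedTCPPorts = [ 53 ];` plus the UDP counterpart, and replace the ACL entry with the actual site prefix or drop it. The DNS-over-TLS forwarders are commented out ("sobbing") in favour of plaintext to 1.1.1.1; a common reason `@853#cloudflare-dns.com` fails is that certificate verification needs `forward-tls-upstream = true;` in the forward-zone and `tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";` under server, so that is worth a retry before settling on an unencrypted upstream. `verbosity = 3` also logs per-query detail for every LAN client into unbound.log, which is a privacy and disk concern for a long-running service; 1 is the usual steady-state value. `impermanence` is bound in the let but never used.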