| -rw-r--r-- | modules/nixos/services/unbound/default.nix | 55 | ||||
| -rw-r--r-- | systems/x86_64-linux/copenhagen/default.nix | 2 |
2 files changed, 57 insertions, 0 deletions
diff --git a/modules/nixos/services/unbound/default.nix b/modules/nixos/services/unbound/default.nix
new file mode 100644
index 0000000..a926b55
--- /dev/null
+++ b/modules/nixos/services/unbound/default.nix
@@ -0,0 +1,55 @@
+{ options, config, lib, namespace, pkgs, ... }:
+
+with lib; with lib.${namespace}; let
+ cfg = config.${namespace}.services.unbound;
+ impermanence = config.${namespace}.system.impermanence;
+in {
+ options.${namespace}.services.unbound = with types; {
+ enable = mkEnableOption "unbound dns server";
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
+
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ logfile = "unbound.log";
+ verbosity = 3;
+
+ interface = [
+ "0.0.0.0"
+ "::0"
+ ];
+ access-control = [
+ "10.0.0.0/8 allow"
+ "192.168.0.0/16 allow"
+ "2001:DB8::/64 allow"
+ ];
+
+ do-not-query-localhost = false;
+
+ local-zone = ''"cxl.sh." redirect'';
+ local-data = [
+ ''"cxl.sh. 30 IN A 192.168.254.11"''
+ ];
+ };
+
+ forward-zone = [{
+ name = ".";
+ # sobbing
+ # forward-addr = [
+ # "1.1.1.1@853#cloudflare-dns.com"
+ # "1.0.0.1@853#cloudflare-dns.com"
+ # ];
+ forward-addr = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ }];
+ };
+ };
+ };
+}
diff --git a/systems/x86_64-linux/copenhagen/default.nix b/systems/x86_64-linux/copenhagen/default.nix
index 3fc6f53..d0659c6 100644
--- a/systems/x86_64-linux/copenhagen/default.nix
+++ b/systems/x86_64-linux/copenhagen/default.nix
@@ -63,6 +63,8 @@ with lib; with lib.${namespace}; {
 adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDO8JxqS7B2n3YlNtlVMZGARi+GG/z7wLiiyl52qSZc caroline@larimo.re";
 host = "git.cxl.sh";
 };
+
+ unbound.enable = true;
 };
 }; |
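Review bot: The forward-zone sends every upstream query to 1.1.1.1/1.0.0.1 in cleartext, and the commented-out `@853#cloudflare-dns.com` lines with the `# sobbing` note suggest DNS-over-TLS was tried and abandoned; the `@853#name` form only works when TLS is actually enabled on the zone, which needs `forward-tls-upstream = true;` next to `name = ".";` (plus `tls-cert-bundle` pointing at the system CA bundle under `server`, if the NixOS module does not already set it), after which the two `@853#cloudflare-dns.com` addresses can be restored in place of the plaintext ones. Separately, `"2001:DB8::/64 allow"` is the RFC 3849 documentation prefix, so no real IPv6 client will ever match it and v6 queries fall through to unbound's default refuse — presumably the LAN's actual prefix was intended, and the 172.16.0.0/12 private range is also absent if that is in use. Binding `interface` to `0.0.0.0`/`::0` while `networking.firewall` opens 53/tcp and 53/udp on every interface means any host on a non-LAN interface reaches the resolver (getting REFUSED rather than being dropped); if this machine has a public interface, prefer `networking.firewall.interfaces.<lan>.allowedUDPPorts`/`allowedTCPPorts` or list the LAN address in `interface`. `verbosity = 3` writes per-query detail to `unbound.log` in steady state, which is both a privacy and disk-growth concern — 1 is the usual operational level. The `impermanence` binding in the `let` is unused in this file.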