From ec76c147b6ee18cc89a73cd857197d15ca96fd1e Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Sun, 29 Sep 2024 17:02:00 +0200
Subject: [PATCH] knot-resolver: treesitter highlighting
---
 hosts/delta/knot-resolver.nix | 62 ++++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 30 deletions(-)
diff --git a/hosts/delta/knot-resolver.nix b/hosts/delta/knot-resolver.nix
index 680302f..844a0ad 100644
--- a/hosts/delta/knot-resolver.nix
+++ b/hosts/delta/knot-resolver.nix
@@ -39,38 +39,40 @@
 "159.69.4.2:443"
 "[2a01:4f8:1c0c:70d1::1]:443"
 ];
- extraConfig = ''
- -- TLS certificate for DoT and DoH
- -- https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_tlssrv.html
- net.tls(
- "${config.security.acme.certs."caspervk.net".directory}/fullchain.pem",
- "${config.security.acme.certs."caspervk.net".directory}/key.pem"
- )
- -- Cache is stored in /var/cache/knot-resolver, which is mounted as
- -- tmpfs. Allow using 75% of the partition for caching.
- -- https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html
- cache.size = math.floor(cache.fssize() * 0.75)
- -- The predict module helps to keep the cache hot by prefetching
- -- records. Any time the resolver answers with records that are about to
- -- expire, they get refreshed.
- -- https://knot-resolver.readthedocs.io/en/stable/modules-predict.html
- modules.load("predict")
- -- Block spam and advertising domains
- -- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#response-policy-zones
- policy.add(
- policy.rpz(
- policy.ANSWER({ [kres.type.A] = {rdata=kres.str2ip("0.0.0.0"), ttl = 600} }),
- "${pkgs.runCommand "stevenblack-blocklist-rpz" {} ''grep '^0\.0\.0\.0' ${pkgs.stevenblack-blocklist}/hosts | awk '{print $2 " 600 IN CNAME .\n*." $2 " 600 IN CNAME ."}' > $out''}"
+ extraConfig =
+ # lua
+ ''
+ -- TLS certificate for DoT and DoH
+ -- https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_tlssrv.html
+ net.tls(
+ "${config.security.acme.certs."caspervk.net".directory}/fullchain.pem",
+ "${config.security.acme.certs."caspervk.net".directory}/key.pem"
 )
- )
- -- Test domain to verify DNS server is being used
- policy.add(
- policy.domains(
- policy.ANSWER({ [kres.type.A] = {rdata = kres.str2ip("192.0.2.0"), ttl = 5} }),
- policy.todnames({"test.dns.caspervk.net"})
+ -- Cache is stored in /var/cache/knot-resolver, which is mounted as
+ -- tmpfs. Allow using 75% of the partition for caching.
+ -- https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html
+ cache.size = math.floor(cache.fssize() * 0.75)
+ -- The predict module helps to keep the cache hot by prefetching
+ -- records. Any time the resolver answers with records that are about to
+ -- expire, they get refreshed.
+ -- https://knot-resolver.readthedocs.io/en/stable/modules-predict.html
+ modules.load("predict")
+ -- Block spam and advertising domains
+ -- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#response-policy-zones
+ policy.add(
+ policy.rpz(
+ policy.ANSWER({ [kres.type.A] = {rdata=kres.str2ip("0.0.0.0"), ttl = 600} }),
+ "${pkgs.runCommand "stevenblack-blocklist-rpz" {} ''grep '^0\.0\.0\.0' ${pkgs.stevenblack-blocklist}/hosts | awk '{print $2 " 600 IN CNAME .\n*." $2 " 600 IN CNAME ."}' > $out''}"
+ )
 )
- )
- )
- '';
+ -- Test domain to verify DNS server is being used
+ policy.add(
+ policy.domains(
+ policy.ANSWER({ [kres.type.A] = {rdata = kres.str2ip("192.0.2.0"), ttl = 5} }),
+ policy.todnames({"test.dns.caspervk.net"})
+ )
+ )
+ '';
 };
 networking.firewall = {
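Review bot: The blocklist action on the new side, `policy.ANSWER({ [kres.type.A] = {rdata=kres.str2ip("0.0.0.0"), ttl = 600} })` passed to `policy.rpz(...)`, supplies only an A record, and as far as I recall `policy.ANSWER` without its second (`nodata`) argument lets queries for other types — AAAA in particular — fall through to normal resolution, so an IPv6-capable client on the `[2a01:...]:443` listener would still resolve a blocklisted name; please confirm against the kresd version in use. If that reading is right, `policy.ANSWER({ [kres.type.A] = {rdata=kres.str2ip("0.0.0.0"), ttl = 600} }, true)` returns NODATA for the remaining types, or `policy.DENY` gives NXDOMAIN for every type. This is pre-existing behaviour that the hunk only re-indents, not something the commit changes. The enclosing attribute set that holds `extraConfig` starts before the hunk.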