delta: unbound
parent
f772ee3c93
commit
ed3851dbc6
3 changed files with 63 additions and 2 deletions
|
@ -1,7 +1,11 @@
|
||||||
{...}: {
|
{...}: {
|
||||||
security.acme.certs."caspervk.net" = {
|
security.acme.certs."caspervk.net" = {
|
||||||
domain = "*.caspervk.net";
|
domain = "*.caspervk.net";
|
||||||
reloadServices = []; # unbound.service
|
reloadServices = [
|
||||||
|
"unbound.service"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
users.groups.acme.members = []; # unbound
|
users.groups.acme.members = [
|
||||||
|
"unbound"
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
./acme.nix
|
./acme.nix
|
||||||
./hardware.nix
|
./hardware.nix
|
||||||
./network.nix
|
./network.nix
|
||||||
|
./unbound.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "delta";
|
networking.hostName = "delta";
|
||||||
|
|
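--- a/hosts/delta/unbound.nix
+++ b/hosts/delta/unbound.nix
@@ -0,0 +1,56 @@
+{
+config,
+lib,
+...
+}: {
+# Unbound is a validating, recursive, caching DNS resolver. It is designed to
+# be fast and lean and incorporates modern features based on open standards.
+# https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
+# > nix shell nixpkgs#knot-dns
+# > kdig -d @dns.caspervk.net example.com
+# > kdig -d +https @dns.caspervk.net example.com
+# > kdig -d +tls @dns.caspervk.net example.com
+# TODO: adblock
+services.resolved.enable = lib.mkForce false;
+services.unbound = {
+enable = true;
+# Don't mess with resolvconf
+# resolveLocalQueries = false;
+settings = {
+server = {
+# Listen to DNS/DoH/DoT on all interfaces. Default is to listen to DNS
+# on localhost only.
+interface = [
+"0.0.0.0@53"
+"0.0.0.0@443"
+"0.0.0.0@853"
+"::0@53"
+"::0@443"
+"::0@853"
+];
+# Allow access from all netblocks. Default is to allow localhost only.
+access-control = [
+"0.0.0.0/0 allow"
+"::0/0 allow"
+];
+# Provide DNS-over-TLS or DNS-over-HTTPS service
+tls-service-key = "${config.security.acme.certs."caspervk.net".directory}/key.pem";
+tls-service-pem = "${config.security.acme.certs."caspervk.net".directory}/fullchain.pem";
+# TODO: Enable global ratelimiting of queries accepted per IP address
+# ip-ratelimit = 50;
+# Testing domain
+local-zone = [
+"\"test.dns.caspervk.net.\" redirect"
+];
+local-data = [
+"\"test.dns.caspervk.net. A 192.0.2.0\""
+];
+};
+};
+};
+
+networking.firewall = {
+allowedTCPPorts = [443 853];
+allowedUDPPorts = [53];
+};
+}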
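Review bot: The firewall block at the end of the file opens UDP 53 but not TCP 53, while `interface` binds `0.0.0.0@53` and `::0@53` for both transports; a client that gets a truncated (TC) UDP answer and retries over TCP will be dropped, which breaks large responses such as DNSSEC-signed ones. Either `allowedTCPPorts = [53 443 853];` or, if plain DNS is deliberately not a public service and only DoT/DoH are, say so in a comment next to `allowedUDPPorts` and reconsider exposing UDP 53 at all. Separately, `access-control` allows every netblock on the port-53 listener, which makes this an open recursive resolver and a known reflection/amplification risk to third parties; the `# TODO: Enable global ratelimiting` / `# ip-ratelimit = 50;` lines already name the mitigation, so I would enable it before the port is reachable rather than leave it commented, or narrow `access-control` to the netblocks that actually need unencrypted DNS. The `local-zone`/`local-data` test entries use 192.0.2.0 from the documentation range, which is fine, but a comment saying they are intentionally non-routable would save the next reader a lookup.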