nixos-configs/configurations/cluster/modules/unbound.nix

98 lines
2.5 KiB
Nix
Raw Normal View History

{
config,
lib,
mainUser,
...
}: let
inherit (lib) foldl isList mapAttrsToList mergeAttrsWithFunc remove unique;
mergeAttrsList = list:
foldl (mergeAttrsWithFunc (a: b:
if isList a && isList b
then unique (a ++ b)
else b)) {}
list;
inherit (config.networking) hostName;
serviviIP = "100.64.0.7";
caddyIp =
if hostName == "thingone"
then "100.64.0.8"
else "100.64.0.9";
in {
2023-11-29 10:29:06 -05:00
# https://github.com/MatthewVance/unbound-docker-rpi/issues/4#issuecomment-1001879602
boot.kernel.sysctl."net.core.rmem_max" = 1048576;
users.users.${mainUser}.extraGroups = ["unbound"];
2023-11-29 10:29:06 -05:00
services.unbound = {
enable = true;
enableRootTrustAnchor = true;
2023-12-20 03:52:42 -05:00
resolveLocalQueries = false;
2023-11-29 10:29:06 -05:00
settings = {
server = let
mkLocalEntry = domain: ip: {
local-zone = ["${domain} redirect"];
local-data = ["\"${domain} IN A ${ip}\""];
};
2023-11-29 10:29:06 -05:00
mkMinecraftEntry = domain: port: {
local-zone = ["${domain} transparent"];
local-data = [
"\"${domain} IN A ${serviviIP}\""
"\"_minecraft._tcp.${domain}. 180 IN SRV 0 0 ${toString port} ${domain}.\""
];
};
2023-11-29 10:29:06 -05:00
forceResolveEntry = domain: {
local-zone = ["${domain} always_transparent"];
};
publicApps = remove "nelim.org" (mapAttrsToList (n: v: v.hostName) config.services.caddy.virtualHosts);
in
mergeAttrsList (
2024-12-21 19:07:46 -05:00
[(mkLocalEntry "cache-apt.nelim.org" "100.64.0.10")]
++ (map forceResolveEntry publicApps)
++ [
(mkMinecraftEntry "mc.nelim.org" 25569)
(mkMinecraftEntry "mc2.nelim.org" 25560)
(mkMinecraftEntry "cv.nelim.org" 25566)
2023-11-29 10:29:06 -05:00
(mkLocalEntry "nelim.org" caddyIp)
2023-11-29 10:29:06 -05:00
{
interface = ["127.0.0.1"];
port = 5335;
2023-11-29 10:29:06 -05:00
do-ip4 = true;
do-ip6 = false;
prefer-ip6 = false;
do-udp = true;
do-tcp = true;
2023-11-29 10:29:06 -05:00
# Performance
prefetch = true;
num-threads = 1;
2023-11-29 10:29:06 -05:00
private-address = [
"172.16.0.0/12"
"10.0.0.0/8"
"100.64.0.0/8"
"fd00::/8"
"fe80::/10"
];
2023-11-29 10:29:06 -05:00
# Default stuff
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
edns-buffer-size = 1232;
so-rcvbuf = "1m";
}
]
);
2023-11-29 10:29:06 -05:00
};
};
}