diff --git a/devices/oksys/default.nix b/devices/oksys/default.nix index 558d184..db9064d 100644 --- a/devices/oksys/default.nix +++ b/devices/oksys/default.nix @@ -18,6 +18,7 @@ "adm" "mlocate" "headscale" + "unbound" ]; }; home-manager.users = { diff --git a/devices/oksys/modules/unbound.nix b/devices/oksys/modules/unbound.nix new file mode 100644 index 0000000..64a4309 --- /dev/null +++ b/devices/oksys/modules/unbound.nix @@ -0,0 +1,75 @@ +{...}: { + # https://github.com/MatthewVance/unbound-docker-rpi/issues/4#issuecomment-1001879602 + boot.kernel.sysctl."net.core.rmem_max" = 1048576; + + services.unbound = { + enable = true; + enableRootTrustAnchor = true; + resolveLocalQueries = true; + + settings = { + server = { + interface = ["127.0.0.1"]; + port = 5335; + + # Custom DNS + local-zone = [ + "pve.lan redirect" + "headscale.nelim.org redirect" + "git.nelim.org redirect" + "mc.nelim.org transparent" + "cv.nelim.org transparent" + "mc2.nelim.org transparent" + "ota.nelim.org redirect" + "nelim.org redirect" + ]; + local-data = [ + "\"pve.lan IN A 100.64.0.2\"" + + "\"headscale.nelim.org. IN A 24.200.126.219\"" + + "\"git.nelim.org. IN A 24.200.126.219\"" + + "\"mc.nelim.org IN A 100.64.0.4\"" + "\"_minecraft._tcp.mc.nelim.org. 180 IN SRV 0 0 25569 mc.nelim.org.\"" + + "\"cv.nelim.org IN A 100.64.0.4\"" + "\"_minecraft._tcp.cv.nelim.org. 180 IN SRV 0 0 25566 cv.nelim.org.\"" + + "\"mc2.nelim.org IN A 100.64.0.4\"" + "\"_minecraft._tcp.mc2.nelim.org. 180 IN SRV 0 0 25560 mc2.nelim.org.\"" + + "\"ota.nelim.org. IN A 100.64.0.5\"" + + "\"nelim.org IN A 100.64.0.1\"" + ]; + # + + do-ip4 = true; + do-ip6 = false; + prefer-ip6 = false; + do-udp = true; + do-tcp = true; + + # Performance + prefetch = true; + num-threads = 1; + + private-address = [ + "172.16.0.0/12" + "10.0.0.0/8" + "100.64.0.0/8" + "fd00::/8" + "fe80::/10" + ]; + + # Default stuff + harden-glue = true; + harden-dnssec-stripped = true; + use-caps-for-id = false; + edns-buffer-size = 1232; + so-rcvbuf = "1m"; + }; + }; + }; +}