nixos-config/configurations/okeanos/unbound.nix

{ extraInfo, ... }:
let
  localIps = extraInfo.hostsLocalIps;
in
{
  # Resolvconf
  networking.nameservers = [
    "127.0.0.1"
    "::1"
  ];

  # DNS resolver configuration
  services.adguardhome.enable = true;

  networking.firewall = {
    allowedUDPPorts = [ 53 ];
    allowedTCPPorts = [
      80
      443
    ];
  };

  services.unbound = {
    enable = true;
    settings = {
      server = {
        interface = [ "127.0.0.1" ];
        port = "5354";
        access-control = [ "127.0.0.0/8 allow" ];

        root-hints = "/var/lib/unbound/root.hints";

        do-ip4 = true;
        do-tcp = true;
        do-udp = true;

        do-ip6 = false;
        prefer-ip6 = false;

        harden-glue = true;
        harden-dnssec-stripped = true;
        use-caps-for-id = false;

        edns-buffer-size = 1232;
        prefetch = true;

        so-rcvbuf = "1m";
        private-address = [
          "192.168.0.0/16"
          "10.0.0.0/24"
        ];

        # Do not check DNSSEC for ntp.org, as RockPro64 has no BIOS battery
        domain-insecure = [ "ntp.org" ];

      };

      remote-control = {
        control-enable = true;
      };

      local-data = [
        "\"london A ${localIps.london}\""
        "\"camelot A ${localIps.camelot}\""
        "\"okeanos A ${localIps.okeanos}\""
        "\"fuyuki A ${localIps.fuyuki}\""
      ];

    };
  };
}
Switch to colmena + drop some options + introduce okeanos + reworks 2024-07-30 20:42:59 +02:00			`{ extraInfo, ... }:`
			`let`
			`localIps = extraInfo.hostsLocalIps;`
			`in`
			`{`
			`# Resolvconf`
			`networking.nameservers = [`
			`"127.0.0.1"`
			`"::1"`
			`];`

			`# DNS resolver configuration`
			`services.adguardhome.enable = true;`

			`networking.firewall = {`
			`allowedUDPPorts = [ 53 ];`
			`allowedTCPPorts = [`
			`80`
			`443`
			`];`
			`};`

			`services.unbound = {`
			`enable = true;`
			`settings = {`
			`server = {`
			`interface = [ "127.0.0.1" ];`
			`port = "5354";`
			`access-control = [ "127.0.0.0/8 allow" ];`

			`root-hints = "/var/lib/unbound/root.hints";`

			`do-ip4 = true;`
			`do-tcp = true;`
			`do-udp = true;`

			`do-ip6 = false;`
			`prefer-ip6 = false;`

			`harden-glue = true;`
			`harden-dnssec-stripped = true;`
			`use-caps-for-id = false;`

			`edns-buffer-size = 1232;`
			`prefetch = true;`

			`so-rcvbuf = "1m";`
			`private-address = [`
			`"192.168.0.0/16"`
			`"10.0.0.0/24"`
			`];`

			`# Do not check DNSSEC for ntp.org, as RockPro64 has no BIOS battery`
			`domain-insecure = [ "ntp.org" ];`

			`};`

			`remote-control = {`
			`control-enable = true;`
			`};`

			`local-data = [`
			`"\"london A ${localIps.london}\""`
			`"\"camelot A ${localIps.camelot}\""`
			`"\"okeanos A ${localIps.okeanos}\""`
			`"\"fuyuki A ${localIps.fuyuki}\""`
			`];`

			`};`
			`};`
			`}`