fix: don't use CNAME in unbound

Unbound does not support recursive DNS resolving via it's own configuration: https://github.com/NLnetLabs/unbound/issues/747 This commit changes the CNAME records to A/AAAA records.
2023-10-22 16:20:57 +02:00 · 2023-10-22 16:20:57 +02:00 · 6d3c677f18
parent 89a1792105
commit 6d3c677f18
3 changed files with 18 additions and 7 deletions
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@ -33,6 +33,8 @@ in {
    authorizedKeys = psCfg.user.publicKeys;
    hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
  };
+  # See https://discourse.nixos.org/t/ssh-and-network-in-initrd-on-raspberry-pi-4/6289/3
+  boot.initrd.availableKernelModules = [ "genet" ];

  pub-solar.core.disk-encryption-active = false;

--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@ -34,7 +34,7 @@
  # Caddy reverse proxy for local services like cups
  services.caddy = {
    globalConfig = ''
-      default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2::
+      default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:acab:1312:acab:2::
      auto_https off
    '';
  };
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@ -14,8 +14,12 @@
          "::0"
        ];
        access-control = [
+          # Allow from local network
          "192.168.178.0/24 allow"
-          "2a02:908:5b1:e3c0::/64 allow"
+
+          # Allow from wireguard
+          "10.0.1.0/24 allow"
+          "fd00:acab:1312:acab::/48 allow"
        ];
        local-zone = [
          "\"b12f.io\" static"
@ -30,7 +34,8 @@

          "\"droppie.b12f.io. 10800 IN A 10.0.1.3\""
          "\"droppie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:3::\""
-          "\"backup.b12f.io. 10800 IN CNAME droppie.b12f.io\""
+          "\"backup.b12f.io. 10800 IN A 10.0.1.3\""
+          "\"backup.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:3::\""

          "\"pie.local. 10800 IN A 192.168.178.2\""
          "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
@ -39,10 +44,14 @@

          "\"pie.b12f.io. 10800 IN A 10.0.1.2\""
          "\"pie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
-          "\"firefly.b12f.io. 10800 IN CNAME pie.b12f.io\""
-          "\"firefly-importer.b12f.io. 10800 IN CNAME pie.b12f.io\""
-          "\"paperless.b12f.io. 10800 IN CNAME pie.b12f.io\""
-          "\"invoicing.b12f.io. 10800 IN CNAME pie.b12f.io\""
+          "\"firefly.b12f.io. 10800 IN A 10.0.1.2\""
+          "\"firefly.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
+          "\"firefly-importer.b12f.io. 10800 IN A 10.0.1.2\""
+          "\"firefly-importer.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
+          "\"paperless.b12f.io. 10800 IN A 10.0.1.2\""
+          "\"paperless.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
+          "\"invoicing.b12f.io. 10800 IN A 10.0.1.2\""
+          "\"invoicing.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""

          "\"fritz.box. 10800 IN A 192.168.178.1\""
          "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""