os/hosts/frikandel/unbound.nix

138 lines
4.7 KiB
Nix

{
flake,
config,
pkgs,
lib,
...
}: {
age.secrets."unbound_control.key" = {
file = "${flake.self}/secrets/unbound_control.key.age";
mode = "400";
owner = "unbound";
};
age.secrets."unbound_control.pem" = {
file = "${flake.self}/secrets/unbound_control.pem.age";
mode = "400";
owner = "unbound";
};
age.secrets."unbound_server.key" = {
file = "${flake.self}/secrets/unbound_server.key.age";
mode = "400";
owner = "unbound";
};
age.secrets."unbound_server.pem" = {
file = "${flake.self}/secrets/unbound_server.pem.age";
mode = "400";
owner = "unbound";
};
networking.firewall.interfaces.wg-private.allowedUDPPorts = [ 53 ];
networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 53 ];
services.resolved.enable = false;
services.unbound = {
enable = true;
settings = {
server = {
include = [
"\"${pkgs.adlist.unbound-adblockStevenBlack}\""
];
interface = [
"127.0.0.1"
"::1"
"10.13.12.7"
"fd00:b12f:acab:1312:acab:7::"
];
access-control = [
"127.0.0.1/32 allow"
# Allow from wireguard
"10.13.12.0/24 allow"
"fd00:b12f:acab:1312::/64 allow"
];
local-zone = [
"\"b12f.io\" transparent"
];
local-data = [
"\"stroopwafel.b12f.io. 10800 IN A 10.13.12.5\""
"\"stroopwafel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:5::\""
"\"chocolatebar.b12f.io. 10800 IN A 10.13.12.8\""
"\"chocolatebar.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:8::\""
"\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
"\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
"\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"backup.b12f.io. 10800 IN A 10.13.12.3\""
"\"backup.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"media.b12f.io. 10800 IN A 10.13.12.3\""
"\"media.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"pie.b12f.io. 10800 IN A 10.13.12.2\""
"\"pie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"firefly.b12f.io. 10800 IN A 10.13.12.2\""
"\"firefly.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"firefly-importer.b12f.io. 10800 IN A 10.13.12.2\""
"\"firefly-importer.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"paperless.b12f.io. 10800 IN A 10.13.12.2\""
"\"paperless.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"invoicing.b12f.io. 10800 IN A 10.13.12.2\""
"\"invoicing.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"auth.b12f.io. 10800 IN A 10.13.12.2\""
"\"auth.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
"\"vpn.b12f.io. 10800 IN AAAA 2a01:4f8:c2c:b60::\""
"\"frikandel.b12f.io. 10800 IN A 10.13.12.7\""
"\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"b12f.io. 10800 IN A 10.13.12.7\""
"\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.b12f.io. 10800 IN A 10.13.12.7\""
"\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mezza.biz. 10800 IN A 10.13.12.7\""
"\"mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.mezza.biz. 10800 IN A 10.13.12.7\""
"\"mail.mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
"\"h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
"\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
];
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
};
forward-zone = [
{
name = ".";
forward-addr = [
"193.110.81.0#dns0.eu"
"2a0f:fc80::#dns0.eu"
"185.253.5.0#dns0.eu"
"2a0f:fc81::#dns0.eu"
];
forward-tls-upstream = "yes";
}
];
remote-control = {
control-enable = true;
control-key-file = config.age.secrets."unbound_control.key".path;
server-cert-file = config.age.secrets."unbound_server.pem".path;
server-key-file = config.age.secrets."unbound_server.key".path;
control-cert-file = config.age.secrets."unbound_control.pem".path;
};
};
};
}