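{
  flake,
  config,
  pkgs,
  lib,
  ...
}: {
  # Unbound resolver for the wireguard network: split-horizon records for
  # b12f.io, an ad-block include, and DNS-over-TLS forwarding upstream.
  #
  # Secrets are agenix-managed: the encrypted files live under the flake's
  # secrets/ directory and are decrypted at activation with mode 400 and
  # owner "unbound", so only the unbound user can read the private keys.
  age.secrets."unbound_control.key" = {
    file = "${flake.self}/secrets/unbound_control.key.age";
    mode = "400";
    owner = "unbound";
  };

  age.secrets."unbound_control.pem" = {
    file = "${flake.self}/secrets/unbound_control.pem.age";
    mode = "400";
    owner = "unbound";
  };

  age.secrets."unbound_server.key" = {
    file = "${flake.self}/secrets/unbound_server.key.age";
    mode = "400";
    owner = "unbound";
  };

  age.secrets."unbound_server.pem" = {
    file = "${flake.self}/secrets/unbound_server.pem.age";
    mode = "400";
    owner = "unbound";
  };

  # DNS is opened only on the wireguard interface; these rules expose
  # nothing on other interfaces.
  networking.firewall.interfaces.wg-private.allowedUDPPorts = [ 53 ];
  networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 53 ];

  # systemd-resolved is turned off so it does not compete with unbound for
  # the local resolver role (presumably port 53 / resolv.conf — confirm).
  services.resolved.enable = false;

  services.unbound = {
    enable = true;
    settings = {
      server = {
        # Ad-block list from the flake's package set (pkgs.adlist is not in
        # stock nixpkgs; assumed to come from an overlay). unbound's include
        # takes a quoted filename, hence the escaped quotes.
        include = [
          "\"${pkgs.adlist.unbound-adblockStevenBlack}\""
        ];
        # Listen only on loopback and this host's wireguard addresses.
        interface = [
          "127.0.0.1"
          "::1"

          "10.13.12.7"
          "fd00:b12f:acab:1312:acab:7::"
        ];
        # Only loopback and the wireguard subnets may query; unbound refuses
        # sources that are not listed here by default.
        access-control = [
          "127.0.0.1/32 allow"

          # Allow from wireguard
          "10.13.12.0/24 allow"
          "fd00:b12f:acab:1312::/64 allow"
        ];
        # transparent: names that have local-data below are answered from
        # it; other names under b12f.io are resolved upstream as usual.
        local-zone = [
          "\"b12f.io\" transparent"
        ];
        # Internal records for hosts on the wireguard network. Each name has
        # one A and one AAAA record; keep the pairs together and list each
        # name exactly once (the droppie pair was previously duplicated).
        local-data = [
          "\"stroopwafel.b12f.io. 10800 IN A 10.13.12.5\""
          "\"stroopwafel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:5::\""

          "\"chocolatebar.b12f.io. 10800 IN A 10.13.12.8\""
          "\"chocolatebar.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:8::\""

          "\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
          "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
          "\"backup.b12f.io. 10800 IN A 10.13.12.3\""
          "\"backup.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
          "\"media.b12f.io. 10800 IN A 10.13.12.3\""
          "\"media.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""

          "\"pie.b12f.io. 10800 IN A 10.13.12.2\""
          "\"pie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
          "\"firefly.b12f.io. 10800 IN A 10.13.12.2\""
          "\"firefly.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
          "\"firefly-importer.b12f.io. 10800 IN A 10.13.12.2\""
          "\"firefly-importer.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
          "\"paperless.b12f.io. 10800 IN A 10.13.12.2\""
          "\"paperless.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
          "\"invoicing.b12f.io. 10800 IN A 10.13.12.2\""
          "\"invoicing.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
          "\"auth.b12f.io. 10800 IN A 10.13.12.2\""
          "\"auth.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""

          # The only name here that points at public addresses.
          "\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
          "\"vpn.b12f.io. 10800 IN AAAA 2a01:4f8:c2c:b60::\""

          # This host (matches the wireguard addresses in `interface`).
          "\"frikandel.b12f.io. 10800 IN A 10.13.12.7\""
          "\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
          "\"b12f.io. 10800 IN A 10.13.12.7\""
          "\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
          "\"mail.b12f.io. 10800 IN A 10.13.12.7\""
          "\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""

          "\"mezza.biz. 10800 IN A 10.13.12.7\""
          "\"mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
          "\"mail.mezza.biz. 10800 IN A 10.13.12.7\""
          "\"mail.mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""

          # Name assembled from string fragments at evaluation time; kept
          # as written.
          "\"h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
          "\"h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
          "\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
          "\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
        ];

        # CA bundle used to verify the certificates of the DoT upstreams in
        # forward-zone below.
        tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
      };

      # Every query not answered locally goes to dns0.eu over TLS. The
      # "#dns0.eu" suffix is the server name unbound checks against the
      # upstream's certificate, so a wrong or intercepting endpoint fails
      # authentication instead of being used.
      forward-zone = [
        {
          name = ".";
          forward-addr = [
            "193.110.81.0#dns0.eu"
            "2a0f:fc80::#dns0.eu"
            "185.253.5.0#dns0.eu"
            "2a0f:fc81::#dns0.eu"
          ];
          forward-tls-upstream = "yes";
        }
      ];

      # unbound-control with mutual TLS; the key material comes from the
      # agenix secrets declared above. control-interface is not set, so
      # unbound's default (loopback) applies.
      remote-control = {
        control-enable = true;
        control-key-file = config.age.secrets."unbound_control.key".path;
        server-cert-file = config.age.secrets."unbound_server.pem".path;
        server-key-file = config.age.secrets."unbound_server.key".path;
        control-cert-file = config.age.secrets."unbound_control.pem".path;
      };
    };
  };
}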