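{ config, pkgs, lib, hosts, flat_hosts, ... }:

# DNS module: runs Unbound as a validating recursive resolver that also answers
# A/AAAA/PTR queries for every host in the flake's `hosts`/`flat_hosts` data.
#
# Modes (see `services.v.dns.mode`):
#   server — listens on all interfaces; only the networks listed in
#            `access-control` below may query, everything else falls under
#            unbound's default refuse policy.
#   laptop — listens on loopback only.

with lib;

let
  inherit (builtins) filter hasAttr attrNames;

  # One `local-zone` per top-level realm in `hosts`.
  domains = attrNames hosts;

  # Hosts carrying an IPv4 / IPv6 address respectively (a host may be in both).
  ipv4Hosts = filter (hasAttr "ip") flat_hosts;
  ipv6Hosts = filter (hasAttr "ip6") flat_hosts;

  # Render one unbound `local-data` / `local-data-ptr` entry; unbound wants
  # each RR as a single quoted string, hence the embedded double quotes.
  localData = { hostname, realm, ip, ... }: ''"${hostname}.${realm}. A ${ip}"'';
  local6Data = { hostname, realm, ip6, ... }:
    ''"${hostname}.${realm}. AAAA ${ip6}"'';
  ptrData = { hostname, realm, ip, ... }: ''"${ip} ${hostname}.${realm}"'';
  ptr6Data = { hostname, realm, ip6, ... }: ''"${ip6} ${hostname}.${realm}"'';

  cfg = config.services.v.dns;
in {
  options.services.v.dns = {
    enable = mkEnableOption "v.dns";

    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to open port 53 (TCP and UDP) in the firewall for unbound DNS,
        and `services.prometheus.exporters.unbound.port` for metrics (if enabled).
        Note that the firewall rule is interface-wide: the metrics port is then
        reachable from anywhere, not only from the networks allowed to query DNS.
      '';
    };

    enableMetrics = mkOption {
      type = types.bool;
      # Metrics only make sense where the resolver serves other machines.
      default = cfg.mode == "server";
      description = ''
        Enable the prometheus unbound exporter (talks to unbound over its local
        control socket).
      '';
    };

    mode = mkOption {
      type = types.enum [ "server" "laptop" ];
      default = "laptop";
      description = ''
        Whether to configure the DNS in server mode (listen on all interfaces,
        restricted by access-control) or laptop mode (just on localhost).
      '';
    };
  };

  config = mkIf cfg.enable {
    networking.firewall = mkIf cfg.openFirewall {
      # TCP is required for truncated/large answers, not only UDP.
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 ];
    };

    services.prometheus.exporters.unbound = mkIf cfg.enableMetrics {
      enable = true;
      inherit (cfg) openFirewall;
      # The exporter must share unbound's group to read the control socket.
      inherit (config.services.unbound) group;
      controlInterface = config.services.unbound.localControlSocketPath;
    };

    services.unbound = {
      enable = true;
      package = pkgs.v.unbound;
      # Only create the control socket when something (the exporter) uses it.
      localControlSocketPath =
        mkIf cfg.enableMetrics "/run/unbound/unbound.socket";

      settings = {
        server = mkMerge [
          {
            use-syslog = "yes";
            # DNSSEC validation plus the iterator; the trust anchor comes from
            # the NixOS unbound module's defaults (not configured here).
            module-config = ''"validator iterator"'';

            # Don't leak the software identity/version to remote queriers
            # (CH TXT id.server / version.server).
            hide-identity = "yes";
            hide-version = "yes";

            # `transparent`: names present in local-data are answered locally,
            # everything else under the realm is resolved upstream as normal.
            # (Previously rendered as `"<realm>}."` because of a stray `}`.)
            local-zone =
              map (localdomain: ''"${localdomain}." transparent'') domains;
            local-data = (map localData ipv4Hosts) ++ (map local6Data ipv6Hosts);
            local-data-ptr = (map ptrData ipv4Hosts) ++ (map ptr6Data ipv6Hosts);

            # DNS-rebinding protection: upstream answers that point into these
            # ranges are stripped. Local-data above is not affected. If any realm
            # is also served upstream with private addresses, it additionally
            # needs a `private-domain` entry, otherwise those answers vanish.
            private-address = [
              "127.0.0.0/8"
              "10.0.0.0/8"
              "::ffff:a00:0/104"
              "172.16.0.0/12"
              "::ffff:ac10:0/108"
              "169.254.0.0/16"
              "::ffff:a9fe:0/112"
              "192.168.0.0/16"
              "::ffff:c0a8:0/112"
              "fd00::/8"
              "fe80::/10"
            ];
          }

          (mkIf (cfg.mode == "server") {
            # Bind wildcard; interface-automatic makes replies leave from the
            # address the query arrived on.
            interface-automatic = "yes";
            interface = [ "0.0.0.0" "::0" ];
            # Anything not matched here is refused by unbound's default policy.
            # allow_snoop (non-recursive/cache lookups) is limited to loopback.
            access-control = [
              "127.0.0.1/32 allow_snoop"
              "::1 allow_snoop"
              "10.42.0.0/16 allow"
              "127.0.0.0/8 allow"
              "192.168.0.0/23 allow"
              "192.168.2.0/24 allow"
              "::1/128 allow"
            ];
          })

          (mkIf (cfg.mode == "laptop") {
            # Loopback only; nothing else on the host's networks can reach it.
            interface = [ "127.0.0.1" "::1" ];
            access-control = [ "127.0.0.1/32 allow_snoop" "::1 allow_snoop" ];
          })
        ];
      };
    };
  };
}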