commit af5d3767d2f792d33b58699aaa724e3d468ffe25 · ptr.pet/ark

+51
hosts/wolumonde/modules/unbound.nix
···

       1
       1
       +
       {config, lib, ...}: let

     

       2
       2
       +
         cfg = config.services.unbound.settings;

     

       3
       3
       +
       in {

     

       4
       4
       +
         services.unbound = {

     

       5
       5
       +
           enable = true;

     

       6
       6
       +
           enableRootTrustAnchor = false;

     

       7
       7
       +
           resolveLocalQueries = false;

     

       8
       8
       +
           checkconf = lib.mkForce true;

     

       9
       9
       +
           settings = {

     

       10
       10
       +
             server = {

     

       11
       11
       +
               interface = [ "0.0.0.0" ];

     

       12
       12
       +
               port = 7272;

     

       13
       13
       +
       

     

       14
       14
       +
               access-control = [

     

       15
       15
       +
                 "0.0.0.0/0 refuse" # lets explicitly refuse any queries

     

       16
       16
       +
                 "100.84.0.0/16 allow" # only allow queries from netbird

     

       17
       17
       +
               ];

     

       18
       18
       +
       

     

       19
       19
       +
               hide-identity = true;

     

       20
       20
       +
               hide-version = true;

     

       21
       21
       +
               harden-glue = true;

     

       22
       22
       +
               harden-referral-path = true;

     

       23
       23
       +
               use-caps-for-id = true;

     

       24
       24
       +
       

     

       25
       25
       +
               ratelimit = 10;

     

       26
       26
       +
               ratelimit-slabs = 4;

     

       27
       27
       +
               ratelimit-size = "4m";

     

       28
       28
       +
       

     

       29
       29
       +
               unwanted-reply-threshold = 10000;

     

       30
       30
       +
               do-not-query-localhost = true;

     

       31
       31
       +
               deny-any = true;

     

       32
       32
       +
       

     

       33
       33
       +
               prefetch = true;

     

       34
       34
       +
               prefetch-key = true;

     

       35
       35
       +
             };

     

       36
       36
       +
             forward-zone = [

     

       37
       37
       +
               {

     

       38
       38
       +
                 name = ".";

     

       39
       39
       +
                 forward-addr = [

     

       40
       40
       +
                   "1.1.1.1"

     

       41
       41
       +
                   "1.0.0.1"

     

       42
       42
       +
                 ];

     

       43
       43
       +
               }

     

       44
       44
       +
             ];

     

       45
       45
       +
           };

     

       46
       46
       +
         };

     

       47
       47
       +
         networking.firewall = {

     

       48
       48
       +
           allowedTCPPorts = [cfg.server.port];

     

       49
       49
       +
           allowedUDPPorts = [cfg.server.port];

     

       50
       50
       +
         };

     

       51
       51
       +
       }