author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-15 16:32:23 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-15 16:32:23 +0100 |
commit | 3d4845954b273f08cd120a1d11b032d635c19ef0 (patch) | |
tree | e0922de1bcafd1132324b6418a21ed0c87b2fe99 | |
parent | 1a7e085b40623312537f9ccc42a05ccaab74863e (diff) | |
surtr: unbound
-rw-r--r-- | hosts/surtr/dns/default.nix | 58 |
1 files changed, 55 insertions, 3 deletions
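--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -20,8 +20,8 @@
 remote:
 - id: inwx_notify
 address: 185.181.104.96@53
-- id: google
-address: ["8.8.8.8"]
+- id: recursive
+address: 127.0.0.1@5353
 
 acl:
 - id: inwx_acl
@@ -40,7 +40,7 @@
 
 submission:
 - id: validating-resolver
-parent: google
+parent: recursive
 
 policy:
 - id: rsa2048
@@ -106,5 +106,57 @@
 file: ${./zones/org.rheperire.soa}
 '';
 };
+
+
+fileSystems."/var/lib/unbound" =
+{ device = "surtr/safe/var-lib-unbound";
+fsType = "zfs";
+};
+
+systemd.services.unbound.unitConfig.RequiresMountFor = [ "/var/lib/unbound" ];
+
+services.unbound = {
+enable = true;
+resolveLocalQueries = false;
+stateDir = "/var/lib/unbound";
+localControlSocketPath = "/run/unbound/unbound.ctl";
+
+settings = {
+server = {
+interface = ["127.0.0.1:5353" "::0:5353"];
+access-control = ["127.0.0.0/8 allow" "::0/128 allow"];
+root-hints = "${pkgs.dns-root-data}/root.hints";
+
+num-threads = 12;
+so-reuseport = true;
+msg-cache-slabs = 16;
+rrset-cache-slabs = 16;
+infra-cache-slabs = 16;
+key-cache-slabs = 16;
+
+rrset-cache-size = "100m";
+msg-cache-size = "50m";
+outgoing-range = 8192;
+num-queries-per-thread = 4096;
+
+so-rcvbuf = "4m";
+so-sndbuf = "4m";
+
+# serve-expired = true;
+# serve-expired-ttl = 86400;
+# serve-expired-reply-ttl = 0;
+
+prefetch = true;
+prefetch-key = true;
+
+minimal-responses = false;
+
+extended-statistics = true;
+
+rrset-roundrobin = true;
+use-caps-for-id = true;
+};
+};
+};
 };
 }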
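Review bot: The unbound listener in the third hunk is bound to the IPv6 unspecified address, `interface = ["127.0.0.1:5353" "::0:5353"]`, which is the wildcard rather than loopback, and the matching ACL entry `"::0/128 allow"` admits only the unspecified address, so it looks like `::1` was intended on both lines. unbound documents `@` as the port separator for `interface:`, and `::0:5353` is itself a valid IPv6 literal, so it may be read as the address `::5353` on the default port instead of port 5353; the knot `remote` in the first hunk uses the `@` form (`127.0.0.1@5353`) for the same endpoint. I would change the two lines to `interface = ["127.0.0.1@5353" "::1@5353"];` and `access-control = ["127.0.0.0/8 allow" "::1/128 allow"];`, and confirm after rebuild that only loopback sockets are open on 5353, since `resolveLocalQueries = false` makes this resolver reachable only through knot's forwarding. The enclosing module attribute set opens before the hunk.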