vidhar: knot-resolverflakes

author: Gregor Kleen <gkleen@yggdrasil.li> 2026-03-21 23:10:47 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2026-03-21 23:10:47 +0100
commit: f4291b152510eb13b31b59c97c3a49ec83adf528 (patch)
tree: ee2d370623163a3306f0c36c44d30b0d89d065d2 /hosts/vidhar/dns/default.nix
parent: d1cf2303f41e69fb32b043597ff10603befe1eb3 (diff)
download: nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar
nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.gz
nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.bz2
nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.xz
nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.zip
1 files changed, 26 insertions, 63 deletions
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
index 11e6f55f..14d212e7 100644
--- a/hosts/vidhar/dns/default.nix
+++ b/hosts/vidhar/dns/default.nix
@@ -12,73 +12,36 @@ let
  in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
 in {
  config = {
-    services.unbound = {
+    services.knot-resolver = {
      enable = true;
-      resolveLocalQueries = false;
-      stateDir = "/var/lib/unbound";
-      localControlSocketPath = "/run/unbound/unbound.ctl";
-      enableRootTrustAnchor = false;
      settings = {
-        server = {
+        network.listen = [
-          interface = ["lo" "lan"];
+          { interface = "lo"; }
-          prefer-ip6 = true;
+          { interface = "lan"; freebind = true; }
-          access-control = ["0.0.0.0/0 allow" "::/0 allow"];
+        ];
-          root-hints = "${pkgs.dns-root-data}/root.hints";
+        forward = [
-          trust-anchor-file = "${pkgs.dns-root-data}/root.key";
+          {
-          trust-anchor-signaling = false;
+            subtree = "yggdrasil.";
-          ip-dscp = 20;
+            servers = [ { address = "::1@5353"; } ];
+            options.dnssec = false;
-          num-threads = 12;
+          }
-          so-reuseport = true;
+          {
-          msg-cache-slabs = 16;
+            subtree = "141.10.in-addr.arpa.";
-          rrset-cache-slabs = 16;
+            servers = [ { address = "::1@5353"; } ];
-          infra-cache-slabs = 16;
+            options.dnssec = false;
-          key-cache-slabs = 16;
+          }
+          {
-          rrset-cache-size = "100m";
+            subtree = "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa.";
-          msg-cache-size = "50m";
+            servers = [ { address = "::1@5353"; } ];
-          outgoing-range = 8192;
+            options.dnssec = false;
-          num-queries-per-thread = 4096;
+          }
+        ];
-          so-rcvbuf = "4m";
-          so-sndbuf = "4m";
-          # serve-expired = true;
-          # serve-expired-ttl = 86400;
-          # serve-expired-reply-ttl = 0;
-          prefetch = true;
-          prefetch-key = true;
-          minimal-responses = false;
-          extended-statistics = true;
-          rrset-roundrobin = true;
-          use-caps-for-id = true;
-          do-not-query-localhost = false;
-          local-zone = [
-            "141.10.in-addr.arpa. transparent"
-            "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. transparent"
-            "yggdrasil. transparent"
-          ];
-          domain-insecure = [
-            "141.10.in-addr.arpa."
-            "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."
-            "yggdrasil."
-          ];
-        };
-        stub-zone = map (name: {
-          inherit name;
-          stub-addr = "127.0.0.1@5353";
-          stub-first = true;
-          stub-no-cache = true;
-          stub-prime = false;
-        }) ["yggdrasil." "arpa.in-addr.10.141." "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."];
      };
    };
+    fileSystems."/var/cache/knot-resolver" = {
+      fsType = "tmpfs";
+      options = [ "size=200M" "nosuid" "nodev" "noexec" "mode=0700" ];
+    };
    systemd.services.knot = {
      unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
author	Gregor Kleen <gkleen@yggdrasil.li>	2026-03-21 23:10:47 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2026-03-21 23:10:47 +0100
commit	f4291b152510eb13b31b59c97c3a49ec83adf528 (patch)
tree	ee2d370623163a3306f0c36c44d30b0d89d065d2 /hosts/vidhar/dns/default.nix
parent	d1cf2303f41e69fb32b043597ff10603befe1eb3 (diff)
download	nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.gz nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.bz2 nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.tar.xz nixos-f4291b152510eb13b31b59c97c3a49ec83adf528.zip

diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix index 11e6f55f..14d212e7 100644 --- a/hosts/vidhar/dns/default.nix +++ b/hosts/vidhar/dns/default.nix
@@ -12,73 +12,36 @@ let
12	in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));	12	in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
13	in {	13	in {
14	config = {	14	config = {
15	services.unbound = {	15	services.knot-resolver = {
16	enable = true;	16	enable = true;
17	resolveLocalQueries = false;
18	stateDir = "/var/lib/unbound";
19	localControlSocketPath = "/run/unbound/unbound.ctl";
20	enableRootTrustAnchor = false;
21	settings = {	17	settings = {
22	server = {	18	network.listen = [
23	interface = ["lo" "lan"];	19	{ interface = "lo"; }
24	prefer-ip6 = true;	20	{ interface = "lan"; freebind = true; }
25	access-control = ["0.0.0.0/0 allow" "::/0 allow"];	21	];
26	root-hints = "${pkgs.dns-root-data}/root.hints";	22	forward = [
27	trust-anchor-file = "${pkgs.dns-root-data}/root.key";	23	{
28	trust-anchor-signaling = false;	24	subtree = "yggdrasil.";
29	ip-dscp = 20;	25	servers = [ { address = "::1@5353"; } ];
30		26	options.dnssec = false;
31	num-threads = 12;	27	}
32	so-reuseport = true;	28	{
33	msg-cache-slabs = 16;	29	subtree = "141.10.in-addr.arpa.";
34	rrset-cache-slabs = 16;	30	servers = [ { address = "::1@5353"; } ];
35	infra-cache-slabs = 16;	31	options.dnssec = false;
36	key-cache-slabs = 16;	32	}
37		33	{
38	rrset-cache-size = "100m";	34	subtree = "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa.";
39	msg-cache-size = "50m";	35	servers = [ { address = "::1@5353"; } ];
40	outgoing-range = 8192;	36	options.dnssec = false;
41	num-queries-per-thread = 4096;	37	}
42		38	];
43	so-rcvbuf = "4m";
44	so-sndbuf = "4m";
45
46	# serve-expired = true;
47	# serve-expired-ttl = 86400;
48	# serve-expired-reply-ttl = 0;
49
50	prefetch = true;
51	prefetch-key = true;
52
53	minimal-responses = false;
54
55	extended-statistics = true;
56
57	rrset-roundrobin = true;
58	use-caps-for-id = true;
59
60	do-not-query-localhost = false;
61	local-zone = [
62	"141.10.in-addr.arpa. transparent"
63	"1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. transparent"
64	"yggdrasil. transparent"
65	];
66	domain-insecure = [
67	"141.10.in-addr.arpa."
68	"1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."
69	"yggdrasil."
70	];
71	};
72
73	stub-zone = map (name: {
74	inherit name;
75	stub-addr = "127.0.0.1@5353";
76	stub-first = true;
77	stub-no-cache = true;
78	stub-prime = false;
79	}) ["yggdrasil." "arpa.in-addr.10.141." "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."];
80	};	39	};
81	};	40	};
		41	fileSystems."/var/cache/knot-resolver" = {
		42	fsType = "tmpfs";
		43	options = [ "size=200M" "nosuid" "nodev" "noexec" "mode=0700" ];
		44	};
82		45
83	systemd.services.knot = {	46	systemd.services.knot = {
84	unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];	47	unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];