| -rw-r--r-- | hosts/surtr/dns/default.nix | 58 |
1 files changed, 55 insertions, 3 deletions
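--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -20,8 +20,8 @@
 remote:
 - id: inwx_notify
 address: 185.181.104.96@53
-- id: google
-address: ["8.8.8.8"]
+- id: recursive
+address: 127.0.0.1@5353
 
 acl:
 - id: inwx_acl
@@ -40,7 +40,7 @@
 
 submission:
 - id: validating-resolver
-parent: google
+parent: recursive
 
 policy:
 - id: rsa2048
@@ -106,5 +106,57 @@
 file: ${./zones/org.rheperire.soa}
 '';
 };
+
+
+fileSystems."/var/lib/unbound" =
+{ device = "surtr/safe/var-lib-unbound";
+fsType = "zfs";
+};
+
+systemd.services.unbound.unitConfig.RequiresMountFor = [ "/var/lib/unbound" ];
+
+services.unbound = {
+enable = true;
+resolveLocalQueries = false;
+stateDir = "/var/lib/unbound";
+localControlSocketPath = "/run/unbound/unbound.ctl";
+
+settings = {
+server = {
+interface = ["127.0.0.1:5353" "::0:5353"];
+access-control = ["127.0.0.0/8 allow" "::0/128 allow"];
+root-hints = "${pkgs.dns-root-data}/root.hints";
+
+num-threads = 12;
+so-reuseport = true;
+msg-cache-slabs = 16;
+rrset-cache-slabs = 16;
+infra-cache-slabs = 16;
+key-cache-slabs = 16;
+
+rrset-cache-size = "100m";
+msg-cache-size = "50m";
+outgoing-range = 8192;
+num-queries-per-thread = 4096;
+
+so-rcvbuf = "4m";
+so-sndbuf = "4m";
+
+# serve-expired = true;
+# serve-expired-ttl = 86400;
+# serve-expired-reply-ttl = 0;
+
+prefetch = true;
+prefetch-key = true;
+
+minimal-responses = false;
+
+extended-statistics = true;
+
+rrset-roundrobin = true;
+use-caps-for-id = true;
+};
+};
+};
 };
 }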
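Review bot: The listener and ACL entries in the new `services.unbound.settings.server` block (new lines 126–127) do not look like they express a loopback-only resolver. As far as I know Unbound separates address and port with `@` (the knot remote in the first hunk already uses `127.0.0.1@5353`), so `127.0.0.1:5353` may fail to parse and `::0:5353` reads as an IPv6 address rather than an address plus port. Separately, `::0` is the unspecified address, so `::0/128 allow` does not cover the IPv6 loopback, while a `::0` listener would bind every interface. If loopback-only is what is intended, I would write `interface = ["127.0.0.1@5353" "::1@5353"];` and `access-control = ["127.0.0.0/8 allow" "::1/128 allow"];`, with a one-line comment that this instance appears to exist only to back knot's `validating-resolver` submission check. Because that check now depends on this resolver, it is also worth confirming that DNSSEC validation (a trust anchor) is active for it, which the hunk does not show.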
