diff options
Diffstat (limited to 'hosts/vidhar/dns')
| -rw-r--r-- | hosts/vidhar/dns/default.nix | 89 |
1 files changed, 26 insertions, 63 deletions
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix index 11e6f55f..14d212e7 100644 --- a/hosts/vidhar/dns/default.nix +++ b/hosts/vidhar/dns/default.nix | |||
| @@ -12,73 +12,36 @@ let | |||
| 12 | in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir)); | 12 | in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir)); |
| 13 | in { | 13 | in { |
| 14 | config = { | 14 | config = { |
| 15 | services.unbound = { | 15 | services.knot-resolver = { |
| 16 | enable = true; | 16 | enable = true; |
| 17 | resolveLocalQueries = false; | ||
| 18 | stateDir = "/var/lib/unbound"; | ||
| 19 | localControlSocketPath = "/run/unbound/unbound.ctl"; | ||
| 20 | enableRootTrustAnchor = false; | ||
| 21 | settings = { | 17 | settings = { |
| 22 | server = { | 18 | network.listen = [ |
| 23 | interface = ["lo" "lan"]; | 19 | { interface = "lo"; } |
| 24 | prefer-ip6 = true; | 20 | { interface = "lan"; freebind = true; } |
| 25 | access-control = ["0.0.0.0/0 allow" "::/0 allow"]; | 21 | ]; |
| 26 | root-hints = "${pkgs.dns-root-data}/root.hints"; | 22 | forward = [ |
| 27 | trust-anchor-file = "${pkgs.dns-root-data}/root.key"; | 23 | { |
| 28 | trust-anchor-signaling = false; | 24 | subtree = "yggdrasil."; |
| 29 | ip-dscp = 20; | 25 | servers = [ { address = "::1@5353"; } ]; |
| 30 | 26 | options.dnssec = false; | |
| 31 | num-threads = 12; | 27 | } |
| 32 | so-reuseport = true; | 28 | { |
| 33 | msg-cache-slabs = 16; | 29 | subtree = "141.10.in-addr.arpa."; |
| 34 | rrset-cache-slabs = 16; | 30 | servers = [ { address = "::1@5353"; } ]; |
| 35 | infra-cache-slabs = 16; | 31 | options.dnssec = false; |
| 36 | key-cache-slabs = 16; | 32 | } |
| 37 | 33 | { | |
| 38 | rrset-cache-size = "100m"; | 34 | subtree = "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."; |
| 39 | msg-cache-size = "50m"; | 35 | servers = [ { address = "::1@5353"; } ]; |
| 40 | outgoing-range = 8192; | 36 | options.dnssec = false; |
| 41 | num-queries-per-thread = 4096; | 37 | } |
| 42 | 38 | ]; | |
| 43 | so-rcvbuf = "4m"; | ||
| 44 | so-sndbuf = "4m"; | ||
| 45 | |||
| 46 | # serve-expired = true; | ||
| 47 | # serve-expired-ttl = 86400; | ||
| 48 | # serve-expired-reply-ttl = 0; | ||
| 49 | |||
| 50 | prefetch = true; | ||
| 51 | prefetch-key = true; | ||
| 52 | |||
| 53 | minimal-responses = false; | ||
| 54 | |||
| 55 | extended-statistics = true; | ||
| 56 | |||
| 57 | rrset-roundrobin = true; | ||
| 58 | use-caps-for-id = true; | ||
| 59 | |||
| 60 | do-not-query-localhost = false; | ||
| 61 | local-zone = [ | ||
| 62 | "141.10.in-addr.arpa. transparent" | ||
| 63 | "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. transparent" | ||
| 64 | "yggdrasil. transparent" | ||
| 65 | ]; | ||
| 66 | domain-insecure = [ | ||
| 67 | "141.10.in-addr.arpa." | ||
| 68 | "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa." | ||
| 69 | "yggdrasil." | ||
| 70 | ]; | ||
| 71 | }; | ||
| 72 | |||
| 73 | stub-zone = map (name: { | ||
| 74 | inherit name; | ||
| 75 | stub-addr = "127.0.0.1@5353"; | ||
| 76 | stub-first = true; | ||
| 77 | stub-no-cache = true; | ||
| 78 | stub-prime = false; | ||
| 79 | }) ["yggdrasil." "arpa.in-addr.10.141." "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."]; | ||
| 80 | }; | 39 | }; |
| 81 | }; | 40 | }; |
| 41 | fileSystems."/var/cache/knot-resolver" = { | ||
| 42 | fsType = "tmpfs"; | ||
| 43 | options = [ "size=200M" "nosuid" "nodev" "noexec" "mode=0700" ]; | ||
| 44 | }; | ||
| 82 | 45 | ||
| 83 | systemd.services.knot = { | 46 | systemd.services.knot = { |
| 84 | unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; | 47 | unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; |