blob: 5f42af783eb61ccb514e29443121de5e15d2097e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
{ config, lib, pkgs, ... }:
with lib;
let
knotKeys = let
dir = ./keys;
toKeyInfo = name: v:
if v == "regular" || v == "symlink"
then { path = dir + "/${name}"; inherit name; }
else null;
in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
in {
config = {
services.unbound = {
enable = true;
resolveLocalQueries = false;
stateDir = "/var/lib/unbound";
localControlSocketPath = "/run/unbound/unbound.ctl";
enableRootTrustAnchor = false;
settings = {
server = {
interface = ["lo" "lan"];
prefer-ip6 = true;
access-control = ["0.0.0.0/0 allow" "::/0 allow"];
root-hints = "${pkgs.dns-root-data}/root.hints";
trust-anchor-file = "${pkgs.dns-root-data}/root.key";
num-threads = 12;
so-reuseport = true;
msg-cache-slabs = 16;
rrset-cache-slabs = 16;
infra-cache-slabs = 16;
key-cache-slabs = 16;
rrset-cache-size = "100m";
msg-cache-size = "50m";
outgoing-range = 8192;
num-queries-per-thread = 4096;
so-rcvbuf = "4m";
so-sndbuf = "4m";
# serve-expired = true;
# serve-expired-ttl = 86400;
# serve-expired-reply-ttl = 0;
prefetch = true;
prefetch-key = true;
minimal-responses = false;
extended-statistics = true;
rrset-roundrobin = true;
use-caps-for-id = true;
do-not-query-localhost = false;
local-zone = [
"141.10.in-addr.arpa. transparent"
"1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. transparent"
"yggdrasil. transparent"
];
domain-insecure = [
"141.10.in-addr.arpa."
"1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."
"yggdrasil."
];
};
stub-zone = map (name: {
inherit name;
stub-addr = "127.0.0.1@5353";
stub-first = true;
stub-no-cache = true;
stub-prime = false;
}) ["yggdrasil." "arpa.in-addr.10.141." "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."];
};
};
services.knot = {
enable = true;
keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
extraConfig = ''
server:
listen: 127.0.0.1@5353
listen: ::1@5353
listen: 10.141.1.1@53
listen: 10.141.2.1@53
listen: 2a03:4000:52:ada:1:1::@53
acl:
- id: local_acl
key: local_key
action: update
template:
- id: local_zone
storage: /var/lib/knot
zonefile-sync: -1
zonefile-load: difference-no-serial
serial-policy: dateserial
journal-content: all
semantic-checks: on
acl: [local_acl]
zone:
- domain: yggdrasil
template: local_zone
file: ${./zones/yggdrasil.soa}
- domain: 141.10.in-addr.arpa
template: local_zone
file: ${./zones/arpa.in-addr.10.141.soa}
- domain: 1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa
template: local_zone
file: ${./zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa}
'';
};
sops.secrets = listToAttrs (map ({name, path}: nameValuePair name {
format = "binary";
owner = "knot";
sopsFile = path;
}) knotKeys);
};
}
|