hswaw/customs: improve unbound config

Change-Id: Ic616033897b87f692ee92a106b417423a09d630b
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1456
Reviewed-by: informatic <informatic@hackerspace.pl>
changes/56/1456/2
vuko 2022-12-31 02:52:24 +01:00
parent ee8f1d5e2c
commit 3125aa1186
1 changed files with 24 additions and 4 deletions


@ -497,27 +497,47 @@ in {
};
};
services.unbound = {
services.unbound = let
local-zones = [ "waw.hackerspace.pl." "api.eye.fi." "api.ustream.tv." "i." ];
in {
enable = true;
#enableRootTrustAnchor = false;
settings = {
server = {
interface = [
networks.lan.ipv4
networks.lan.ipv6
"127.0.0.1"
"::1"
# networks.lan.ipv6 TODO
];
access-control = [
"::1/128 allow"
"127.0.0.1/8 allow"
"10.0.0.0/8 allow"
"${networks.lan.ipv6}/64 allow"
"${networks.lan.ipv4}/8 allow"
];
# disable DNSSEC on locally resolved domains
domain-insecure = local-zones;
# allow LAN adresses only for local domains
private-domain = local-zones;
private-address = [
"10.0.0.0/8"
"${networks.lan.ipv6}/64"
];
};
# authoritative DNS servers
stub-zone = map (name: {
name = name;
inherit name;
stub-addr = networks.uplink.ipv4;
}) [ "waw.hackerspace.pl" "api.eye.fi" "api.ustream.tv" "i" ];
}) local-zones;
# recursive DNS servers
forward-zone = {
name = ".";
forward-addr = "185.236.240.1";