67 lines
1.5 KiB
Nix
67 lines
1.5 KiB
Nix
{ config, inputs, lib, ... }:
|
|
|
|
let
|
|
utils = import ../../utils.nix { inherit inputs lib; };
|
|
inherit (utils) mkSplitDNS;
|
|
in
|
|
|
|
{
|
|
imports = [ ../modules/split-dns.nix ];
|
|
|
|
services.unbound = {
|
|
enable = true;
|
|
enableRootTrustAnchor = true;
|
|
settings = {
|
|
server = {
|
|
interface = [
|
|
"0.0.0.0"
|
|
"::"
|
|
];
|
|
access-control = [
|
|
"127.0.0.0/8 allow"
|
|
"192.168.0.0/16 allow"
|
|
"100.64.0.0/10 allow" # Tailscale CGNAT range
|
|
"::1/128 allow"
|
|
"fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
|
|
];
|
|
|
|
# Enable views for split DNS
|
|
access-control-view = [
|
|
"100.64.0.0/10 tailscale"
|
|
"fd7a:115c:a1e0::/48 tailscale"
|
|
"192.168.0.0/16 lan"
|
|
];
|
|
|
|
num-threads = 2;
|
|
msg-cache-size = "50m";
|
|
rrset-cache-size = "100m";
|
|
cache-min-ttl = 300;
|
|
cache-max-ttl = 86400;
|
|
prefetch = true;
|
|
prefetch-key = true;
|
|
hide-identity = true;
|
|
hide-version = true;
|
|
so-rcvbuf = "1m";
|
|
so-sndbuf = "1m";
|
|
};
|
|
# Split DNS views - automatically collected from all service files
|
|
view = mkSplitDNS config.services.splitDNS.entries;
|
|
|
|
forward-zone = [
|
|
{
|
|
name = ".";
|
|
forward-addr = [
|
|
"1.1.1.1@853#cloudflare-dns.com"
|
|
"1.0.0.1@853#cloudflare-dns.com"
|
|
];
|
|
forward-tls-upstream = true;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
networking.firewall = {
|
|
allowedTCPPorts = [ 53 ];
|
|
allowedUDPPorts = [ 53 ];
|
|
};
|
|
}
|