diff options
| author | Azat Bahawi <azat@bahawi.net> | 2024-03-31 21:29:27 +0300 |
|---|---|---|
| committer | Azat Bahawi <azat@bahawi.net> | 2024-03-31 21:29:27 +0300 |
| commit | 9a5427e3a0c0ccf2a82dc503149a26b23fbd6004 (patch) | |
| tree | f28beec29deeea36038615a8fb98a810891940b5 /modules/nixos/unbound.nix | |
| parent | 2024-03-19 (diff) | |
2024-03-31
Diffstat (limited to '')
| -rw-r--r-- | modules/nixos/unbound.nix | 151 |
1 files changed, 90 insertions, 61 deletions
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix index 5aaf104..e71d48c 100644 --- a/modules/nixos/unbound.nix +++ b/modules/nixos/unbound.nix @@ -5,9 +5,11 @@ this, ... }: -with lib; let +with lib; +let cfg = config.nixfiles.modules.unbound; -in { +in +{ options.nixfiles.modules.unbound = { enable = mkEnableOption "Unbound"; @@ -18,11 +20,12 @@ in { }; }; - config = let - adblock-conf = "${config.services.unbound.stateDir}/adblock.conf"; - in + config = + let + adblock-conf = "${config.services.unbound.stateDir}/adblock.conf"; + in mkIf cfg.enable { - ark.directories = [config.services.unbound.stateDir]; + ark.directories = [ config.services.unbound.stateDir ]; nixfiles.modules.redis.enable = true; @@ -45,40 +48,51 @@ in { ipv6.address ]; - local-zone = - concatLists - (mapAttrsToList (h: _: ["\"${h}.${cfg.domain}\" redirect"]) - my.configurations); - local-data = concatLists (mapAttrsToList (hostname: let - domain = "${hostname}.${cfg.domain}"; - in - attr: (optionals (hasAttr "wireguard" attr) (with attr.wireguard; - [ - "\"${domain} 604800 IN A ${ipv4.address}\"" - "\"${domain} 604800 IN AAAA ${ipv6.address}\"" - "\"${domain}. A ${ipv4.address}\"" - "\"${domain}. AAAA ${ipv6.address}\"" - ] - ++ concatMap (domain: [ - "\"${domain}. A ${ipv4.address}\"" - "\"${domain}. AAAA ${ipv6.address}\"" - ]) - attr.domains))) - my.configurations); - local-data-ptr = concatLists (mapAttrsToList (hostname: let - domain = "${hostname}.${cfg.domain}"; - in - attr: (optionals (hasAttr "wireguard" attr) (with attr.wireguard; - [ - "\"${ipv4.address} ${domain}\"" - "\"${ipv6.address} ${domain}\"" - ] - ++ concatMap (domain: [ - "\"${ipv4.address} ${domain}\"" - "\"${ipv6.address} ${domain}\"" - ]) - attr.domains))) - my.configurations); + local-zone = concatLists ( + mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations + ); + local-data = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard" attr) ( + with attr.wireguard; + [ + "\"${domain} 604800 IN A ${ipv4.address}\"" + "\"${domain} 604800 IN AAAA ${ipv6.address}\"" + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. AAAA ${ipv6.address}\"" + ] + ++ concatMap (domain: [ + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. AAAA ${ipv6.address}\"" + ]) attr.domains + )) + ) my.configurations + ); + local-data-ptr = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard" attr) ( + with attr.wireguard; + [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ] + ++ concatMap (domain: [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ]) attr.domains + )) + ) my.configurations + ); private-domain = map (domain: "${domain}.") [ cfg.domain @@ -124,9 +138,19 @@ in { { name = "."; forward-tls-upstream = true; - forward-addr = let - mkDnsOverTls = ips: auth: map (ip: concatStrings [ip "@" auth]) ips; - in + forward-addr = + let + mkDnsOverTls = + ips: auth: + map ( + ip: + concatStrings [ + ip + "@" + auth + ] + ) ips; + in mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net"; } ]; @@ -154,40 +178,45 @@ in { systemd = { services = { - unbound.after = ["unbound-adblock-update.service"]; + unbound.after = [ "unbound-adblock-update.service" ]; unbound-adblock-update = { serviceConfig = with config.services.unbound; { Type = "oneshot"; User = user; Group = group; - ExecStart = getExe (pkgs.writeShellApplication { - name = "unbound-adblock-update"; - runtimeInputs = [pkgs.curl package]; - text = '' - curl \ - -s \ - -o ${adblock-conf} \ - "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf" - - if [[ -f "${localControlSocketPath}" ]]; then - unbound-control reload - fi - ''; - }); + ExecStart = getExe ( + pkgs.writeShellApplication { + name = "unbound-adblock-update"; + runtimeInputs = [ + pkgs.curl + package + ]; + text = '' + curl \ + -s \ + -o ${adblock-conf} \ + "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf" + + if [[ -f "${localControlSocketPath}" ]]; then + unbound-control reload + fi + ''; + } + ); }; }; }; timers.unbound-adblock-update = { - requires = ["network-online.target"]; - after = ["network-online.target"]; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; timerConfig = { OnCalendar = "daily"; Persistent = true; Unit = "unbound-adblock-update.service"; }; - wantedBy = ["timers.target"]; + wantedBy = [ "timers.target" ]; }; }; |