Diffstat (limited to 'modules/unbound.nix')
-rw-r--r-- | modules/unbound.nix | 125 |
1 files changed, 87 insertions, 38 deletions
diff --git a/modules/unbound.nix b/modules/unbound.nix
index b8de321..c38c25b 100644
--- a/modules/unbound.nix
+++ b/modules/unbound.nix
@@ -6,22 +6,21 @@
   this,
   ...
 }:
-with lib;
 let
   cfg = config.nixfiles.modules.unbound;
 in
 {
   options.nixfiles.modules.unbound = {
-    enable = mkEnableOption "Unbound";
+    enable = lib.mkEnableOption "Unbound";
-    domain = mkOption {
+    domain = lib.mkOption {
       description = "Domain name sans protocol scheme.";
-      type = with types; str;
+      type = lib.types.str;
       default = config.networking.domain;
     };
   };
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
     ark.directories = [ config.services.unbound.stateDir ];
     nixfiles.modules.redis.enable = true;
@@ -31,6 +30,7 @@ in
       enable = true;
       package = pkgs.unbound-with-systemd.override {
+        withDNSTAP = true;
         withRedis = true;
         withTFO = true;
       };
@@ -47,17 +47,18 @@ in
           ipv6.address
         ];
-        local-zone = concatLists (
-          mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations
-        );
-        local-data = concatLists (
-          mapAttrsToList (
+        local-zone =
+          lib.my.configurations
+          |> lib.mapAttrsToList (x: _: [ ''"${x}.${cfg.domain}" redirect'' ])
+          |> lib.concatLists;
+        local-data = lib.concatLists (
+          lib.mapAttrsToList (
             hostname:
             let
               domain = "${hostname}.${cfg.domain}";
             in
             attr:
-            (optionals (hasAttr "wireguard" attr) (
+            (lib.optionals (lib.hasAttr "wireguard" attr) (
               with attr.wireguard;
               [
                 "\"${domain} 604800 IN A ${ipv4.address}\""
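Review bot: `local-zone` is rewritten in the `|>` pipeline form while `local-data` in the same hunk (and `local-data-ptr` in the next one) keep the nested `lib.concatLists (lib.mapAttrsToList (...))` form, so three sibling attributes now read in two styles; either pipe all three or none. The `|>` operator also needs the `pipe-operators` experimental feature in the evaluator, so every machine that evaluates this module must have it enabled — a short comment above `local-zone` such as `# uses |>; requires the pipe-operators experimental feature` would save the next reader a surprise. The `local-data` expression continues past the end of this hunk.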
@@ -65,36 +66,36 @@ in
                 "\"${domain}. A ${ipv4.address}\""
                 "\"${domain}. AAAA ${ipv6.address}\""
               ]
-              ++ (optionals (hasAttr "domains" attr) (
-                concatMap (domain: [
+              ++ (lib.optionals (lib.hasAttr "domains" attr) (
+                lib.concatMap (domain: [
                   "\"${domain}. A ${ipv4.address}\""
                   "\"${domain}. AAAA ${ipv6.address}\""
                 ]) attr.domains
               ))
             ))
-          ) my.configurations
+          ) lib.my.configurations
         );
-        local-data-ptr = concatLists (
-          mapAttrsToList (
+        local-data-ptr = lib.concatLists (
+          lib.mapAttrsToList (
             hostname:
             let
               domain = "${hostname}.${cfg.domain}";
             in
             attr:
-            (optionals (hasAttr "wireguard" attr) (
+            (lib.optionals (lib.hasAttr "wireguard" attr) (
               with attr.wireguard;
               [
                 "\"${ipv4.address} ${domain}\""
                 "\"${ipv6.address} ${domain}\""
               ]
-              ++ (optionals (hasAttr "domains" attr) (
-                concatMap (domain: [
+              ++ (lib.optionals (lib.hasAttr "domains" attr) (
+                lib.concatMap (domain: [
                   "\"${ipv4.address} ${domain}\""
                   "\"${ipv6.address} ${domain}\""
                 ]) attr.domains
               ))
             ))
-          ) my.configurations
+          ) lib.my.configurations
         );
         private-domain = map (domain: "${domain}.") [
@@ -116,6 +117,7 @@ in
         ];
         cache-min-ttl = 0;
+        cache-max-ttl = 60 * 60 * 24;
         serve-expired = true;
         serve-expired-reply-ttl = 0;
@@ -123,8 +125,8 @@ in
         prefetch = true;
         prefetch-key = true;
-        hide-identity = true;
-        hide-version = true;
+        hide-identity = false;
+        hide-version = false;
         extended-statistics = true;
@@ -132,14 +134,14 @@ in
         log-tag-queryreply = false;
         log-local-actions = false;
-        verbosity = 0;
+        verbosity = 1;
       };
       forward-zone = [
         {
           name = ".";
           forward-tls-upstream = true;
-          forward-addr = dns.mkDoT dns.const.quad9.ecs;
+          forward-addr = lib.dns.mkDoT lib.dns.const.quad9.ecs;
         }
       ];
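Review bot: `hide-identity = false` and `hide-version = false` undo the previous hiding, so any client that can reach the resolver can read its hostname and exact Unbound version with CHAOS-class `id.server` / `version.server` queries, which is the usual first step of fingerprinting a resolver before looking for version-specific weaknesses. If the motivation is to get identity and version into the dnstap stream, the `dnstap-send-identity` / `dnstap-send-version` settings added in the last hunk are, as far as I know, independent of these two options, so `hide-identity = true;` and `hide-version = true;` can stay as they were. If the exposure is deliberate, a one-line comment on `hide-identity` saying why would stop the next reader from flipping it back.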
@@ -149,37 +151,84 @@ in
         redis-server-port = port;
       };
-      rpz = {
-        name = "hagezi.pro";
-        zonefile = "hagezi.pro";
-        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
+      dnstap = {
+        dnstap-enable = true;
+        dnstap-socket-path = "/run/dnstap-unbound/read.sock";
+        dnstap-send-identity = true;
+        dnstap-send-version = true;
+        dnstap-log-resolver-query-messages = true;
+        dnstap-log-resolver-response-messages = true;
+        dnstap-log-client-query-messages = true;
+        dnstap-log-client-response-messages = true;
+        dnstap-log-forwarder-query-messages = true;
+        dnstap-log-forwarder-response-messages = true;
       };
+
+      rpz = [
+        {
+          name = "hagezi-ultimate";
+          zonefile = "hagezi-ultimate";
+          url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/ultimate.txt";
+        }
+        {
+          name = "big-osid";
+          zonefile = "big-osid";
+          url = "https://big.oisd.nl/rpz";
+        }
+        {
+          name = "nsfw-osid";
+          zonefile = "nsfw-osid";
+          url = "https://nsfw.oisd.nl/rpz";
+        }
+      ];
     };
     enableRootTrustAnchor = true;
-    localControlSocketPath = "/run/unbound/unbound.socket";
+    localControlSocketPath = "/run/unbound/control.sock";
   };
   prometheus.exporters.unbound = {
     enable = true;
-    listenAddress = mkDefault this.wireguard.ipv4.address;
+    listenAddress = lib.mkDefault this.wireguard.ipv4.address;
     port = 9167;
     inherit (config.services.unbound) group user;
     unbound.host = "unix://${config.services.unbound.localControlSocketPath}";
   };
 };
-boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3;
+systemd =
+  let
+  in
+  {
+    services = {
+      unbound = {
+        after = [ "dnstap-unbound.service" ];
+        requires = [ "dnstap-unbound.service" ];
+      };
-topology = with cfg; {
-  nodes.${this.hostname}.services.unbound = {
-    name = "Unbound";
-    icon = "${inputs.homelab-svg-assets}/assets/unbound.svg";
-    details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") (
-      filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface
-    );
+      dnstap-unbound = {
+        serviceConfig = {
+          ExecStart = "${lib.getExe pkgs.dnstap} -u ${config.services.unbound.settings.dnstap.dnstap-socket-path}";
+          User = config.services.unbound.user;
+          Group = config.services.unbound.group;
+          RuntimeDirectory = "dnstap-unbound";
+        };
+        wantedBy = [ "multi-user.target" ];
+      };
+    };
   };
+
+boot.kernel.sysctl."net.ipv4.tcp_fastopen" = lib.mkOverride 200 3;
+
+topology.nodes.${this.hostname}.services.unbound = {
+  name = "Unbound";
+  icon = "${inputs.homelab-svg-assets}/assets/unbound.svg";
+  details.listen.text =
+    config.services.unbound.settings.server.interface
+    |> lib.filter (x: x != "127.0.0.1" && x != "::1")
+    |> map (x: "${x}:53")
+    |> lib.concatLines;
 };
 };
 }
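Review bot: `requires = [ "dnstap-unbound.service" ];` together with `after` makes the resolver's start conditional on a logging sidecar: if `dnstap-unbound` fails to start, Unbound is not started either and DNS for the host goes with it. `wants = [ "dnstap-unbound.service" ];` keeps the ordering without the hard dependency, and since the sidecar's `serviceConfig` has no restart policy, `Restart = "on-failure";` would bring it back after a crash instead of silently losing the telemetry. With `dnstap-log-client-query-messages` and the other client/resolver/forwarder flags all `true`, every query and response of every client is now recorded, and as the sidecar is given no output file its output presumably lands in the journal, so a comment next to `dnstap-enable` stating the intended retention and who may read it would be worth adding. Smaller points: the `let in` under `systemd =` is empty and can be dropped, and the `big-osid` / `nsfw-osid` names and zonefiles look like a transposition of `oisd`, which the URLs spell as `oisd.nl`.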