remove unbound dns auth-zone

This was moved to coredns to avoid confusion between the authoritative server and the local resolver.
2025-11-24 17:11:04 +01:00
parent 09f57a1e6f
commit b84078220c
2 changed files with 0 additions and 143 deletions
--- a/modules/unbound-auth.nix
+++ b/modules/unbound-auth.nix
@@ -1,35 +0,0 @@
 {
  services.unbound = {
    settings = {
      auth-zone = [
        {
          name = "home.rpqt.fr.";
          zonefile = builtins.toFile "home.rpqt.fr.zone" ''
            $TTL 3600 ; 1 Hour
            $ORIGIN home.rpqt.fr.
            home.rpqt.fr. IN SOA ns1 admin.rpqt.fr. (
            	2025063000 ; serial
            	10800 ; refresh
            	3600 ; retry
            	604800 ; expire
            	300 ; minimum
            )
            @ 1D IN NS ns1.home.rpqt.fr.
            @ 1D IN NS ns2.home.rpqt.fr.
            @ 1D IN NS ns3.home.rpqt.fr.
            ns1 10800 IN CNAME crocus.home.rpqt.fr.
            ns2 10800 IN CNAME genepi.home.rpqt.fr.
            ns3 10800 IN CNAME verbena.home.rpqt.fr.
            crocus 10800 IN AAAA fd80:150d:17cc:2ae:6999:9380:150d:17cc
            genepi 10800 IN AAAA fd80:150d:17cc:2ae:6999:9358:3e0e:d738
            verbena 10800 IN AAAA fd80:150d:17cc:2ae:6999:9306:9a0e:c197
            haze 10800 IN AAAA fd80:150d:17cc:2ae:6999:935a:e8:b04d
          '';
        }
      ];
    };
  };
 }
--- a/modules/unbound.nix
+++ b/modules/unbound.nix
@@ -1,108 +0,0 @@
 {
  self,
  config,
  lib,
  ...
 }:
 let
  domain = "home.rpqt.fr";
  machines = {
    genepi = {
      subdomains = [
        "actual"
        "assistant"
        "glance"
        "grafana"
        "images"
        "lounge"
        "pinchflat"
        "rss"
      ];
    };
    crocus = {
      subdomains = [
        "cloud"
      ];
    };
  };
  zerotierInterface = "zts7mq7onf";
  machinesZerotierIpRecords =
    lib.map
      (
        host:
        ''"${host}.infra.rpqt.fr. 10800 IN AAAA ${
          self.nixosConfigurations.${host}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
        }"''
      )
      [
        "crocus"
        "genepi"
      ];
 in
 {
  services.resolved.enable = false;
  networking.firewall.interfaces.${zerotierInterface} = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };
  services.unbound = {
    enable = true;
    resolveLocalQueries = true;
    checkconf = true;
    settings = {
      server = {
        interface = [
          "127.0.0.1"
          "::1"
          "::0"
        ];
        access-control = [
          "127.0.0.1 allow"
          "${config.clan.core.networking.zerotier.subnet} allow"
        ];
        local-zone = [
          ''"*.home.rpqt.fr." redirect''
        ];
        local-data =
          # machinesZerotierIpRecords ++
          lib.concatMap (
            host:
            lib.map (
              subdomain:
              ''"${subdomain}.${domain}. 10800 IN AAAA ${
                self.nixosConfigurations.${host}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
              }"''
            ) machines.${host}.subdomains
          ) (lib.attrNames machines);
        private-address = [
          "127.0.0.1/8"
          "${config.clan.core.networking.zerotier.subnet}"
        ];
        private-domain = [
          "home.rpqt.fr"
        ];
      };
      forward-zone = [
        {
          name = ".";
          forward-tls-upstream = true;
          forward-addr = [
            "9.9.9.9#dns.quad9.net"
            "149.112.112.112#dns.quad9.net"
            "1.1.1.1@853#cloudflare-dns.com"
            "1.0.0.1@853#cloudflare-dns.com"
            "2606:4700:4700::1111@853#cloudflare-dns.com"
            "2606:4700:4700::1001@853#cloudflare-dns.com"
            "8.8.8.8#dns.google"
            "8.8.4.4#dns.google"
            "2001:4860:4860::8888#dns.google"
            "2001:4860:4860::8844#dns.google"
          ];
        }
      ];
    };
  };
 }