From bacaf6d5b63596d1bdaf2a2bd1fccbfa6a077554 Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Sat, 19 Jul 2025 17:45:17 +0200
Subject: [PATCH] setup unbound dns

---
 machines/crocus/configuration.nix | 2 +
 machines/genepi/configuration.nix | 6 +-
 machines/genepi/network.nix | 2 +-
 modules/unbound-auth.nix | 30 +++++++++
 modules/unbound.nix | 100 ++++++++++++++++++++++++++++++
 5 files changed, 135 insertions(+), 5 deletions(-)
 create mode 100644 modules/unbound-auth.nix
 create mode 100644 modules/unbound.nix

diff --git a/machines/crocus/configuration.nix b/machines/crocus/configuration.nix
index eee7dda..c5ac230 100644
--- a/machines/crocus/configuration.nix
+++ b/machines/crocus/configuration.nix
@@ -13,6 +13,8 @@
 ../../modules/remote-builder.nix
 ../../modules/borgbackup.nix
 ./topology.nix
+ ../../modules/unbound.nix
+ ../../modules/unbound-auth.nix
 self.nixosModules.gitea
 ];
diff --git a/machines/genepi/configuration.nix b/machines/genepi/configuration.nix
index 34c5a05..813397a 100644
--- a/machines/genepi/configuration.nix
+++ b/machines/genepi/configuration.nix
@@ -20,10 +20,8 @@
 ./topology.nix
 ../../system
- ../../modules/borgbackup.nix
-
- self.inputs.clan-core.clanModules.state-version
- self.inputs.clan-core.clanModules.trusted-nix-caches
+ ../../modules/unbound.nix
+ ../../modules/unbound-auth.nix
 self.inputs.home-manager.nixosModules.home-manager
 {
diff --git a/machines/genepi/network.nix b/machines/genepi/network.nix
index 49b5992..e6225ef 100644
--- a/machines/genepi/network.nix
+++ b/machines/genepi/network.nix
@@ -1,6 +1,6 @@
 {
 # Tailscale seems to break when not using resolved
- services.resolved.enable = true;
+ # services.resolved.enable = true;
 networking.useDHCP = true;
 networking.interfaces.tailscale0.useDHCP = false;
 }
diff --git a/modules/unbound-auth.nix b/modules/unbound-auth.nix
new file mode 100644
index 0000000..2c5eab9
--- /dev/null
+++ b/modules/unbound-auth.nix
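Review bot: The genepi hunk drops `../../modules/borgbackup.nix`, `self.inputs.clan-core.clanModules.state-version` and `self.inputs.clan-core.clanModules.trusted-nix-caches` alongside adding the two unbound modules, and nothing in the subject "setup unbound dns" accounts for that. If the removal is intended it deserves its own commit or at least a line in the message; if not, this hunk silently disables backups for genepi, and dropping the state-version module may change `system.stateVersion` unless it is set elsewhere, which is worth confirming before merge. The imports list this hunk edits starts and ends outside the hunk.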
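Review bot: In machines/genepi/network.nix the comment `# Tailscale seems to break when not using resolved` now sits directly above a commented-out `services.resolved.enable = true;`, so it documents the opposite of what the file does, and modules/unbound.nix already sets `services.resolved.enable = false;` explicitly. Delete the dead line rather than commenting it out, and replace the comment with the current reasoning, e.g. `# resolved is disabled in modules/unbound.nix; unbound answers local queries`. If Tailscale's DNS on this host did depend on resolved, that interaction should be re-tested after the switch rather than left to a stale comment.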
@@ -0,0 +1,30 @@
+{
+ services.unbound = {
+ settings = {
+ auth-zone = [
+ {
+ name = "home.rpqt.fr.";
+ zonefile = builtins.toFile "home.rpqt.fr.zone" ''
+ $TTL 3600 ; 1 Hour
+ $ORIGIN home.rpqt.fr.
+ home.rpqt.fr. IN SOA ns1 admin.rpqt.fr. (
+ 2025063000 ; serial
+ 10800 ; refresh
+ 3600 ; retry
+ 604800 ; expire
+ 300 ; minimum
+ )
+
+ @ 1D IN NS ns1.home.rpqt.fr.
+
+ ns1 10800 IN CNAME crocus.home.rpqt.fr.
+ ns2 10800 IN CNAME genepi.home.rpqt.fr.
+
+ crocus 10800 IN AAAA fd80:150d:17cc:2ae:6999:9380:150d:17cc
+ genepi 10800 IN AAAA fd80:150d:17cc:2ae:6999:9358:3e0e:d738
+ '';
+ }
+ ];
+ };
+ };
+}
diff --git a/modules/unbound.nix b/modules/unbound.nix
new file mode 100644
index 0000000..8c4e5df
--- /dev/null
+++ b/modules/unbound.nix
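Review bot: The zone's only NS record, `@ 1D IN NS ns1.home.rpqt.fr.`, points at `ns1`, which the same zone defines as a CNAME to `crocus.home.rpqt.fr.`; RFC 2181 §10.3 requires NS targets to be canonical hostnames, so either give `ns1` an AAAA record or write `@ 1D IN NS crocus.home.rpqt.fr.`. `ns2` is declared but never listed as an NS, so genepi is not a nameserver for the zone even though both crocus and genepi import this module. The `crocus`/`genepi` AAAA addresses are hardcoded ULA literals while modules/unbound.nix derives the same hosts' addresses from `self.nixosConfigurations.${host}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value`; the two sources will drift, so generating this zone body from the same variable would be safer. This `auth-zone` for `home.rpqt.fr.` also overlaps the `local-zone` redirect for `*.home.rpqt.fr.` plus `local-data` in modules/unbound.nix — I believe local-data answers take precedence over auth-zone data for downstream clients, which would leave this zone largely unused, so confirm which one is meant to answer and drop or comment the other. The SOA serial `2025063000` also needs bumping whenever the zone body changes.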
@@ -0,0 +1,100 @@
+{
+ self,
+ config,
+ lib,
+ ...
+}:
+let
+ domain = "home.rpqt.fr";
+ machines = {
+ genepi = {
+ subdomains = [
+ "glance"
+ "grafana"
+ "images"
+ "rss"
+ "tw"
+ ];
+ };
+ };
+ zerotierInterface = "zts7mq7onf";
+ machinesZerotierIpRecords =
+ lib.map
+ (
+ host:
+ ''"${host}.infra.rpqt.fr. 10800 IN AAAA ${
+ self.nixosConfigurations.${host}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
+ }"''
+ )
+ [
+ "crocus"
+ "genepi"
+ ];
+in
+{
+ services.resolved.enable = false;
+
+ networking.firewall.interfaces.${zerotierInterface} = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+
+ services.unbound = {
+ enable = true;
+ resolveLocalQueries = true;
+ checkconf = true;
+
+ settings = {
+ server = {
+ interface = [
+ "127.0.0.1"
+ "::1"
+ "::0"
+ ];
+ access-control = [
+ "127.0.0.1 allow"
+ "${config.clan.core.networking.zerotier.subnet} allow"
+ ];
+ local-zone = [
+ ''"*.home.rpqt.fr." redirect''
+ ];
+ local-data =
+ # machinesZerotierIpRecords ++
+ lib.concatMap (
+ host:
+ lib.map (
+ subdomain:
+ ''"${subdomain}.${domain}. 10800 IN AAAA ${
+ self.nixosConfigurations.${host}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
+ }"''
+ ) machines.${host}.subdomains
+ ) (lib.attrNames machines);
+ private-address = [
+ "127.0.0.1/8"
+ "${config.clan.core.networking.zerotier.subnet}"
+ ];
+ private-domain = [
+ "home.rpqt.fr"
+ ];
+ };
+ forward-zone = [
+ {
+ name = ".";
+ forward-tls-upstream = true;
+ forward-addr = [
+ "9.9.9.9#dns.quad9.net"
+ "149.112.112.112#dns.quad9.net"
+ "1.1.1.1@853#cloudflare-dns.com"
+ "1.0.0.1@853#cloudflare-dns.com"
+ "2606:4700:4700::1111@853#cloudflare-dns.com"
+ "2606:4700:4700::1001@853#cloudflare-dns.com"
+ "8.8.8.8#dns.google"
+ "8.8.4.4#dns.google"
+ "2001:4860:4860::8888#dns.google"
+ "2001:4860:4860::8844#dns.google"
+ ];
+ }
+ ];
+ };
+ };
+}
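Review bot: With `forward-tls-upstream = true;` the eight Quad9 and Google `forward-addr` entries carry a `#authname` but no `@853`, and as far as I know Unbound keeps the default port 53 for entries without an explicit port, so TLS handshakes to those upstreams will fail and only the two Cloudflare pairs (which do specify `@853`) will actually carry traffic; append `@853` to each of them, as in `"9.9.9.9@853#dns.quad9.net"`. `interface` includes `"::0"`, which listens on every IPv6 address of the host (tailscale0 and any non-zerotier interface included) and leaves `access-control` plus the zerotier-only firewall rule as the only things refusing other sources; binding the host's own zerotier address, `config.clan.core.vars.generators.zerotier.files.zerotier-ip.value`, in place of `::0` would keep the resolver off interfaces it is not meant to serve. `access-control` allows `127.0.0.1` and the zerotier subnet but not `::1`, and since setting the option here replaces the NixOS module's default list (which I believe includes `::1/128 allow`), queries over the IPv6 loopback that `resolveLocalQueries` configures would be refused — add `"::1 allow"`. The commented-out `# machinesZerotierIpRecords ++` leaves `machinesZerotierIpRecords` as an unused `let` binding; either wire it in or remove both so the module reflects what it actually serves.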