setup unbound dns

2025-07-19 17:45:17 +02:00
parent c4cefeea54
commit bacaf6d5b6
5 changed files with 135 additions and 5 deletions
--- a/modules/unbound-auth.nix
+++ b/modules/unbound-auth.nix
@@ -0,0 +1,30 @@
+{
+  services.unbound = {
+    settings = {
+      auth-zone = [
+        {
+          name = "home.rpqt.fr.";
+          zonefile = builtins.toFile "home.rpqt.fr.zone" ''
+            $TTL 3600 ; 1 Hour
+            $ORIGIN home.rpqt.fr.
+            home.rpqt.fr. IN SOA ns1 admin.rpqt.fr. (
+            	2025063000 ; serial
+            	10800 ; refresh
+            	3600 ; retry
+            	604800 ; expire
+            	300 ; minimum
+            )
+
+            @ 1D IN NS ns1.home.rpqt.fr.
+
+            ns1 10800 IN CNAME crocus.home.rpqt.fr.
+            ns2 10800 IN CNAME genepi.home.rpqt.fr.
+
+            crocus 10800 IN AAAA fd80:150d:17cc:2ae:6999:9380:150d:17cc
+            genepi 10800 IN AAAA fd80:150d:17cc:2ae:6999:9358:3e0e:d738
+          '';
+        }
+      ];
+    };
+  };
+}
--- a/modules/unbound.nix
+++ b/modules/unbound.nix
@@ -0,0 +1,100 @@
+{
+  self,
+  config,
+  lib,
+  ...
+}:
+let
+  domain = "home.rpqt.fr";
+  machines = {
+    genepi = {
+      subdomains = [
+        "glance"
+        "grafana"
+        "images"
+        "rss"
+        "tw"
+      ];
+    };
+  };
+  zerotierInterface = "zts7mq7onf";
+  machinesZerotierIpRecords =
+    lib.map
+      (
+        host:
+        ''"${host}.infra.rpqt.fr. 10800 IN AAAA ${
+          self.nixosConfigurations.${host}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
+        }"''
+      )
+      [
+        "crocus"
+        "genepi"
+      ];
+in
+{
+  services.resolved.enable = false;
+
+  networking.firewall.interfaces.${zerotierInterface} = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+
+  services.unbound = {
+    enable = true;
+    resolveLocalQueries = true;
+    checkconf = true;
+
+    settings = {
+      server = {
+        interface = [
+          "127.0.0.1"
+          "::1"
+          "::0"
+        ];
+        access-control = [
+          "127.0.0.1 allow"
+          "${config.clan.core.networking.zerotier.subnet} allow"
+        ];
+        local-zone = [
+          ''"*.home.rpqt.fr." redirect''
+        ];
+        local-data =
+          # machinesZerotierIpRecords ++
+          lib.concatMap (
+            host:
+            lib.map (
+              subdomain:
+              ''"${subdomain}.${domain}. 10800 IN AAAA ${
+                self.nixosConfigurations.${host}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value
+              }"''
+            ) machines.${host}.subdomains
+          ) (lib.attrNames machines);
+        private-address = [
+          "127.0.0.1/8"
+          "${config.clan.core.networking.zerotier.subnet}"
+        ];
+        private-domain = [
+          "home.rpqt.fr"
+        ];
+      };
+      forward-zone = [
+        {
+          name = ".";
+          forward-tls-upstream = true;
+          forward-addr = [
+            "9.9.9.9#dns.quad9.net"
+            "149.112.112.112#dns.quad9.net"
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+            "2606:4700:4700::1111@853#cloudflare-dns.com"
+            "2606:4700:4700::1001@853#cloudflare-dns.com"
+            "8.8.8.8#dns.google"
+            "8.8.4.4#dns.google"
+            "2001:4860:4860::8888#dns.google"
+            "2001:4860:4860::8844#dns.google"
+          ];
+        }
+      ];
+    };
+  };
+}