hswaw/customs: improve unbound config
Change-Id: Ic616033897b87f692ee92a106b417423a09d630b
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1456
Reviewed-by: informatic <informatic@hackerspace.pl>
diff --git a/hswaw/machines/customs.hackerspace.pl/configuration.nix b/hswaw/machines/customs.hackerspace.pl/configuration.nix
index 6f880d2..45cd64f 100644
--- a/hswaw/machines/customs.hackerspace.pl/configuration.nix
+++ b/hswaw/machines/customs.hackerspace.pl/configuration.nix
@@ -497,27 +497,47 @@
};
};
- services.unbound = {
+ services.unbound = let
+ local-zones = [ "waw.hackerspace.pl." "api.eye.fi." "api.ustream.tv." "i." ];
+ in {
enable = true;
+ #enableRootTrustAnchor = false;
+
settings = {
server = {
interface = [
networks.lan.ipv4
+ networks.lan.ipv6
"127.0.0.1"
"::1"
- # networks.lan.ipv6 TODO
];
access-control = [
+ "::1/128 allow"
"127.0.0.1/8 allow"
"10.0.0.0/8 allow"
+ "${networks.lan.ipv6}/64 allow"
+ "${networks.lan.ipv4}/8 allow"
+ ];
+
+ # disable DNSSEC on locally resolved domains
+ domain-insecure = local-zones;
+
+ # allow LAN adresses only for local domains
+ private-domain = local-zones;
+ private-address = [
+ "10.0.0.0/8"
+ "${networks.lan.ipv6}/64"
];
};
+ # authoritative DNS servers
stub-zone = map (name: {
- name = name;
+ inherit name;
stub-addr = networks.uplink.ipv4;
- }) [ "waw.hackerspace.pl" "api.eye.fi" "api.ustream.tv" "i" ];
+ }) local-zones;
+
+ # recursive DNS servers
forward-zone = {
name = ".";
forward-addr = "185.236.240.1";