mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-12-11 17:31:58 +01:00
f550fab8ab
Signed-off-by: magic_rb <magic_rb@redalder.org>
102 lines
2 KiB
Nix
102 lines
2 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
...
|
|
}: let
|
|
in {
|
|
services.bind = {
|
|
enable = true;
|
|
forward = "only";
|
|
forwarders = [
|
|
"127.0.0.1 port 5300"
|
|
];
|
|
|
|
directory = "/var/lib/bind";
|
|
|
|
cacheNetworks = [
|
|
"127.0.0.0/8"
|
|
"10.1.0.0/19"
|
|
"10.0.0.1/32" # needed due to SNAT when redirecting DNS in border
|
|
"192.168.1.0/24"
|
|
];
|
|
|
|
extraConfig = ''
|
|
logging {
|
|
channel stderr_chan {
|
|
print-category yes;
|
|
print-severity yes;
|
|
|
|
severity dynamic;
|
|
|
|
stderr;
|
|
};
|
|
${lib.concatMapStringsSep "\n" (category: "category ${category} { stderr_chan; };")
|
|
[
|
|
"client"
|
|
"cname"
|
|
"config"
|
|
"database"
|
|
"default"
|
|
"dispatch"
|
|
"dnssec"
|
|
"dnstap"
|
|
"edns-disabled"
|
|
"general"
|
|
"lame-servers"
|
|
"network"
|
|
"notify"
|
|
"nsid"
|
|
"queries"
|
|
"query-errors"
|
|
"rate-limit"
|
|
"resolver"
|
|
"rpz"
|
|
"rpz-passthru"
|
|
"security"
|
|
"serve-stale"
|
|
"spill"
|
|
"sslkeylog"
|
|
"trust-anchor-telemetry"
|
|
"unmatched"
|
|
"update"
|
|
"update-security"
|
|
"xfer-in"
|
|
"xfer-out"
|
|
"zoneload"
|
|
]}
|
|
};
|
|
'';
|
|
extraOptions = ''
|
|
dnssec-validation auto;
|
|
max-cache-size 512M;
|
|
max-ncache-ttl 1M;
|
|
allow-query-cache { cachenetworks; };
|
|
|
|
'';
|
|
};
|
|
|
|
systemd.services.bind.serviceConfig = {
|
|
StandardError = "journal";
|
|
};
|
|
|
|
services.dnscrypt-proxy2 = {
|
|
enable = true;
|
|
upstreamDefaults = true;
|
|
settings = {
|
|
listen_addresses = lib.singleton "127.0.0.1:5300";
|
|
|
|
dnscrypt_servers = false;
|
|
doh_servers = true;
|
|
odoh_servers = false;
|
|
|
|
block_ipv6 = true;
|
|
|
|
static."mullvad".stamp = "sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kbnMubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ";
|
|
sources = {};
|
|
|
|
max_clients = 256;
|
|
|
|
cache_size = 128;
|
|
};
|
|
};
|
|
}
|