dotfiles/nixos/systems/hela/dns.nix
magic_rb f550fab8ab
hela: implement captive DNS
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-11-14 16:23:28 +01:00


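# Captive DNS for hela.
#
# Resolution chain as wired below:
#   LAN clients -> BIND (cache + DNSSEC validation, forward-only)
#               -> dnscrypt-proxy2 on 127.0.0.1:5300
#               -> one static Mullvad DoH resolver.
# BIND never resolves iteratively on its own; dnscrypt-proxy2 is the only
# upstream path. `config` is part of the module signature but unused here.
{
  lib,
  config,
  ...
}: {
  services.bind = {
    enable = true;
    # "only": do not fall back to iterative resolution if the forwarder is
    # unavailable — every upstream query has to go through dnscrypt-proxy2.
    forward = "only";
    forwarders = [
      "127.0.0.1 port 5300"
    ];
    directory = "/var/lib/bind";
    # Networks allowed to use the cache/recursion. The NixOS bind module
    # exposes this list as the `cachenetworks` ACL referenced in extraOptions.
    cacheNetworks = [
      "127.0.0.0/8"
      "10.1.0.0/19"
      # needed due to SNAT when redirecting DNS in border. Consequence: all
      # redirected clients arrive with this single source address, so BIND
      # cannot tell them apart for ACL or query-log purposes.
      "10.0.0.1/32"
      "192.168.1.0/24"
    ];
    # Every BIND log category goes to stderr, which systemd routes to the
    # journal (systemd.services.bind below). `queries` is included, so each
    # client query is logged — expect volume, and treat the journal as
    # holding per-client resolution history. `severity dynamic` follows the
    # server's current debug level.
    extraConfig = ''
      logging {
        channel stderr_chan {
          print-category yes;
          print-severity yes;
          severity dynamic;
          stderr;
        };
        ${lib.concatMapStringsSep "\n" (category: "category ${category} { stderr_chan; };")
        [
          "client"
          "cname"
          "config"
          "database"
          "default"
          "dispatch"
          "dnssec"
          "dnstap"
          "edns-disabled"
          "general"
          "lame-servers"
          "network"
          "notify"
          "nsid"
          "queries"
          "query-errors"
          "rate-limit"
          "resolver"
          "rpz"
          "rpz-passthru"
          "security"
          "serve-stale"
          "spill"
          "sslkeylog"
          "trust-anchor-telemetry"
          "unmatched"
          "update"
          "update-security"
          "xfer-in"
          "xfer-out"
          "zoneload"
        ]}
      };
    '';
    # dnssec-validation auto: BIND validates answers itself with the built-in
    # root trust anchor, so a forged answer for a signed zone coming back via
    # the DoH upstream is rejected here rather than trusted.
    # allow-query-cache limits cache access to cachenetworks, which keeps this
    # host from behaving as an open resolver towards anything else.
    # NOTE(review): `512M` on max-cache-size is a size (megabytes), while `1M`
    # on max-ncache-ttl is a BIND duration suffix (one minute) — confirm the
    # one-minute negative-cache TTL is intended.
    extraOptions = ''
      dnssec-validation auto;
      max-cache-size 512M;
      max-ncache-ttl 1M;
      allow-query-cache { cachenetworks; };
    '';
  };
  # Route BIND's stderr channel (configured above) into the journal.
  systemd.services.bind.serviceConfig = {
    StandardError = "journal";
  };
  # Upstream leg: loopback-only DoH client that BIND uses as its sole forwarder.
  services.dnscrypt-proxy2 = {
    enable = true;
    # Start from the upstream example config; the keys below override it.
    # NOTE(review): `sources = {}` is meant to drop the upstream public-resolver
    # list so that only the static entry is used — confirm the NixOS module
    # merges top-level keys shallowly; if it merged recursively the public
    # list would still be downloaded and used.
    upstreamDefaults = true;
    settings = {
      # Loopback only: not reachable from the LAN; clients must go through BIND.
      listen_addresses = lib.singleton "127.0.0.1:5300";
      # Protocol filter: accept DoH resolvers only.
      dnscrypt_servers = false;
      doh_servers = true;
      odoh_servers = false;
      # IPv6-related queries get an immediate empty response.
      block_ipv6 = true;
      # Single static resolver (Mullvad DoH) given as a DNS stamp. With
      # `sources` empty there is no other resolver and no fallback.
      static."mullvad".stamp = "sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kbnMubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ";
      sources = {};
      max_clients = 256;
      cache_size = 128;
    };
  };
}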