
feat(wolumonde): setup unbound for internal use [skip ci]

dusk af5d3767 6e801036

+51
+51
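--- a/hosts/wolumonde/modules/unbound.nix
+++ b/hosts/wolumonde/modules/unbound.nix
@@ -0,0 +1,51 @@
+{config, lib, ...}: let
+cfg = config.services.unbound.settings;
+in {
+services.unbound = {
+enable = true;
+enableRootTrustAnchor = false;
+resolveLocalQueries = false;
+checkconf = lib.mkForce true;
+settings = {
+server = {
+interface = [ "0.0.0.0" ];
+port = 7272;
+
+access-control = [
+"0.0.0.0/0 refuse" # lets explicitly refuse any queries
+"100.84.0.0/16 allow" # only allow queries from netbird
+];
+
+hide-identity = true;
+hide-version = true;
+harden-glue = true;
+harden-referral-path = true;
+use-caps-for-id = true;
+
+ratelimit = 10;
+ratelimit-slabs = 4;
+ratelimit-size = "4m";
+
+unwanted-reply-threshold = 10000;
+do-not-query-localhost = true;
+deny-any = true;
+
+prefetch = true;
+prefetch-key = true;
+};
+forward-zone = [
+{
+name = ".";
+forward-addr = [
+"1.1.1.1"
+"1.0.0.1"
+];
+}
+];
+};
+};
+networking.firewall = {
+allowedTCPPorts = [cfg.server.port];
+allowedUDPPorts = [cfg.server.port];
+};
+}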
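Review bot: The `networking.firewall` block at the end opens port 7272 for TCP and UDP on every interface, while the listener binds `0.0.0.0` and only `access-control` limits clients to 100.84.0.0/16. Off-net sources therefore still reach unbound and get a REFUSED answer, including UDP packets with a forged source address. Scoping the rule to the overlay interface, e.g. `networking.firewall.interfaces."<netbird-iface>".allowedUDPPorts = [cfg.server.port];` (plus the TCP equivalent; the interface name is a placeholder), and using `"0.0.0.0/0 deny"` so nothing is answered, would match the stated "internal use" intent. Separately, `enableRootTrustAnchor = false` combined with plain forwarding to 1.1.1.1/1.0.0.1 presumably means answers are neither DNSSEC-validated nor protected in transit; a short comment saying whether that is deliberate would help.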