router.home: enable unbound dns server

2024-04-26 19:29:13 +01:00 · 2024-04-26 19:29:13 +01:00 · 8fdd915e76
commit 8fdd915e76
parent 62d62500ae
5 changed files with 39 additions and 3 deletions
--- a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
+++ b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
@ -90,5 +90,8 @@
        prismlauncher
      ];
    };
+
+    ## Networking
+    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
  };
 }
--- a/hosts/microserver.home.ts.hillion.co.uk/default.nix
+++ b/hosts/microserver.home.ts.hillion.co.uk/default.nix
@ -47,6 +47,7 @@
    services.iperf3.enable = true;
    services.iperf3.openFirewall = true;

+    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
    networking.firewall.interfaces = {
      "eth0" = {
        allowedUDPPorts = [
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@ -161,7 +161,7 @@
                  }
                  {
                    name = "domain-name-servers";
-                    data = "1.1.1.1, 8.8.8.8";
+                    data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
                  }
                ];
                reservations = [
@ -202,7 +202,7 @@
                  }
                  {
                    name = "domain-name-servers";
-                    data = "1.1.1.1, 8.8.8.8";
+                    data = "10.239.19.1, 1.1.1.1, 8.8.8.8";
                  }
                ];
                reservations = [
@ -224,6 +224,36 @@
          };
        };
      };
+
+      unbound = {
+        enable = true;
+        settings = {
+          server = {
+            interface = [
+              "127.0.0.1"
+              "10.64.50.1"
+              "10.239.19.1"
+            ];
+            access-control = [
+              "10.64.50.0/24 allow"
+              "10.239.19.0/24 allow"
+            ];
+          };
+
+          forward-zone = [
+            {
+              name = ".";
+              forward-tls-upstream = "yes";
+              forward-addr = [
+                "1.1.1.1#cloudflare-dns.com"
+                "1.0.0.1#cloudflare-dns.com"
+                "8.8.8.8#dns.google"
+                "8.8.4.4#dns.google"
+              ];
+            }
+          ];
+        };
+      };
    };

    ## Tailscale
--- a/hosts/theon.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/theon.storage.ts.hillion.co.uk/default.nix
@ -23,6 +23,7 @@
    ## Networking
    systemd.network.enable = true;

+    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
    networking.firewall = {
      trustedInterfaces = [ "tailscale0" ];
      allowedTCPPorts = lib.mkForce [
--- a/hosts/tywin.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
@ -211,7 +211,8 @@
      openFirewall = true;
    };

-    ## Firewall
+    ## Networking
+    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
    networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
      80 # Caddy (restic.tywin.storage.ts.)
      14002 # Storj Dashboard (d0.)