author | Alex Auvolat <alex@adnab.me> | 2022-08-30 15:52:42 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-08-30 15:52:42 +0200 |
commit | 6ec9aad801e1d87d0be9d795da1b3ba7883c32cd (patch) | |
tree | 2ba9b0d47a62b2c5bc850a558be0140df31cbee0 /nix/deuxfleurs.nix | |
parent | e81716e41eac813e12824e028ec72c3daeb57588 (diff) | |
Improve DNS configuration
Add Unbound server that separates queries between those going to Consul
and those going elsewhere. This allows us to have DNS working even if
Consul fails for some reason. This way we can also remove the secondary
`nameserver` entry in /etc/resolv.conf, thus fixing a bug where certain
containers (Alpine-based images?) were using the secondary resolver some
of the time, making them unable to access .consul hosts.
Diffstat (limited to 'nix/deuxfleurs.nix')
-rw-r--r-- | nix/deuxfleurs.nix | 42 |
1 files changed, 38 insertions, 4 deletions
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 20f0ebe..26c11b0 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -165,9 +165,46 @@ in
 interface = cfg.network_interface;
 };
+ # Configure Unbound DNS to redirect to Consul queries under .consul
+ # and to pass directly to public DNS resolver all others
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [ "127.0.0.1" "${cfg.lan_ip}" ];
+ domain-insecure = [ "consul." ];
+ local-zone = [ "consul. nodefault" ];
+ log-servfail = true;
+ access-control = [
+ "127.0.0.0/8 allow"
+ "${cfg.lan_ip}/${toString cfg.lan_ip_prefix_length} allow"
+ "172.17.0.0/16 allow"
+ ];
+ };
+ forward-zone = [
+ # Forward .consul queries to Consul daemon
+ {
+ name = "consul.";
+ forward-addr = "${cfg.lan_ip}@8600";
+ forward-no-cache = true;
+ forward-tcp-upstream = false;
+ forward-tls-upstream = false;
+ }
+ # Forward all queries to our ISP's nameserver
+ {
+ name = ".";
+ forward-addr = cfg.nameservers;
+ forward-first = true;
+ }
+ ];
+ };
+ resolveLocalQueries = false; # don't overwrite our resolv.conf
+ };
+ # Reach Unbound through the IP of our LAN interface,
+ # instead of 127.0.0.1 (this will also work in Docker containers)
 networking.nameservers = [
 cfg.lan_ip
- ] ++ cfg.nameservers;
+ ];
 # Configure Wireguard VPN between all nodes
 networking.wireguard.interfaces.wg0 = {
@@ -212,14 +249,11 @@ in
 ports = {
 http = -1;
 https = 8501;
- dns = 53;
 };
 performance = {
 rpc_hold_timeout = "70s";
 };
- recursors = [ cfg.nameservers ];
-
 ca_file = "/var/lib/consul/pki/consul-ca.crt";
 cert_file = "/var/lib/consul/pki/consul2022.crt";
 key_file = "/var/lib/consul/pki/consul2022.key"; |
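Review bot: The `access-control` list in the new `services.unbound.settings.server` block only allows `172.17.0.0/16`, Docker's default bridge; containers on user-defined Docker networks are assigned from other `/16`s inside `172.16.0.0/12` (and `192.168.0.0/16` once those are exhausted) and would get REFUSED from Unbound, reproducing the ".consul unreachable" symptom this commit sets out to fix, so if such networks exist on these hosts widen the entry to `"172.16.0.0/12 allow"` or derive it from the Docker daemon's `default-address-pools`. Also note that `forward-first = true` on the `"."` zone makes Unbound fall back to full iterative recursion whenever `cfg.nameservers` fails, which is a behaviour change worth a comment such as `# forward-first: if the ISP resolver fails, Unbound recurses from the root itself` and requires outbound UDP/TCP 53 to the Internet for that fallback to work. `local-zone = [ "consul. nodefault" ]` looks like a no-op, since `nodefault` only suppresses Unbound's built-in default zones and `consul.` is not one of them; `domain-insecure` is what actually exempts `.consul` from DNSSEC validation here (assuming the NixOS module's root trust anchor is left at its default). On the positive side, dropping Consul's `recursors` and its port-53 DNS listener removes the path where Consul itself acted as a recursive resolver on the LAN IP, and Unbound's default `refuse` for sources outside the three allow entries keeps the new `cfg.lan_ip` listener from becoming an open resolver.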