Diffstat (limited to 'nix')
-rw-r--r--nix/deuxfleurs.nix42
1 files changed, 38 insertions, 4 deletions
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 20f0ebe..26c11b0 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -165,9 +165,46 @@ in
interface = cfg.network_interface;
};
+ # Configure Unbound DNS to redirect to Consul queries under .consul
+ # and to pass directly to public DNS resolver all others
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [ "127.0.0.1" "${cfg.lan_ip}" ];
+ domain-insecure = [ "consul." ];
+ local-zone = [ "consul. nodefault" ];
+ log-servfail = true;
+ access-control = [
+ "127.0.0.0/8 allow"
+ "${cfg.lan_ip}/${toString cfg.lan_ip_prefix_length} allow"
+ "172.17.0.0/16 allow"
+ ];
+ };
+ forward-zone = [
+ # Forward .consul queries to Consul daemon
+ {
+ name = "consul.";
+ forward-addr = "${cfg.lan_ip}@8600";
+ forward-no-cache = true;
+ forward-tcp-upstream = false;
+ forward-tls-upstream = false;
+ }
+ # Forward all queries to our ISP's nameserver
+ {
+ name = ".";
+ forward-addr = cfg.nameservers;
+ forward-first = true;
+ }
+ ];
+ };
+ resolveLocalQueries = false; # don't overwrite our resolv.conf
+ };
+ # Reach Unbound through the IP of our LAN interface,
+ # instead of 127.0.0.1 (this will also work in Docker containers)
networking.nameservers = [
cfg.lan_ip
- ] ++ cfg.nameservers;
+ ];
# Configure Wireguard VPN between all nodes
networking.wireguard.interfaces.wg0 = {
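Review bot: The `access-control` list in the new `services.unbound` block admits only loopback, the LAN prefix and `172.17.0.0/16`, while the comment above `networking.nameservers` says the resolver is reachable from Docker containers; containers on user-defined Docker networks are typically allocated from other subnets and would be refused by Unbound's default policy, so either widen the list deliberately or document the limit, e.g. `# only the default docker0 bridge (172.17.0.0/16) is allowed; containers on user-defined networks need their subnet added here`. The same list makes the listener on `cfg.lan_ip` a recursive resolver for every host in that prefix, which is fine only if the segment is trusted; a one-line note stating that assumption next to the `interface` line would make the exposure explicit. Because `cfg.nameservers` is dropped from `networking.nameservers`, the host has no resolver at all when Unbound is down, and `forward-first` on the `.` zone does not cover that case, so the trade-off deserves a comment on the `networking.nameservers` line. The enclosing module body starts and ends outside this hunk.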
@@ -212,14 +249,11 @@ in
ports = {
http = -1;
https = 8501;
- dns = 53;
};
performance = {
rpc_hold_timeout = "70s";
};
- recursors = [ cfg.nameservers ];
-
ca_file = "/var/lib/consul/pki/consul-ca.crt";
cert_file = "/var/lib/consul/pki/consul2022.crt";
key_file = "/var/lib/consul/pki/consul2022.key";