dotfiles/modules/nixos/services/bind.nix

88 lines
2.4 KiB
Nix
Raw Permalink Normal View History

2024-01-10 04:11:11 +00:00
# Bind is a DNS service. This allows me to resolve public domains locally so
# when I'm at home, I don't have to travel over the Internet to reach my
# server.
# To set this on all home machines, I point my router's DNS resolver to the
# local IP address of the machine running this service (swan).
{
config,
pkgs,
lib,
...
}:
2023-07-18 02:37:26 +00:00
2023-07-18 03:52:37 +00:00
let
2023-07-18 02:37:26 +00:00
2023-07-18 03:52:37 +00:00
localIp = "192.168.1.218";
localServices = [
config.hostnames.stream
config.hostnames.content
config.hostnames.books
config.hostnames.download
];
mkRecord = service: "${service} A ${localIp}";
localRecords = lib.concatLines (map mkRecord localServices);
in
{
2023-07-18 03:52:37 +00:00
config = lib.mkIf config.services.bind.enable {
2023-07-18 02:37:26 +00:00
2024-01-10 04:11:11 +00:00
# Normally I block all requests not coming from Cloudflare, so I have to also
# allow my local network.
2023-07-18 03:52:37 +00:00
caddy.cidrAllowlist = [ "192.168.0.0/16" ];
2023-07-18 02:37:26 +00:00
2023-07-18 03:52:37 +00:00
services.bind = {
2024-01-10 04:11:11 +00:00
# Allow requests coming from these IPs. This way I don't somehow get
# spammed with DNS requests coming from the Internet.
cacheNetworks = [
"127.0.0.0/24"
"192.168.0.0/16"
"::1/128" # Required because IPv6 loopback now added to resolv.conf
# (see: https://github.com/NixOS/nixpkgs/pull/302228)
];
2024-01-10 04:11:11 +00:00
# When making normal DNS requests, forward them to Cloudflare to resolve.
forwarders = [
"1.1.1.1"
"1.0.0.1"
];
2024-01-10 04:11:11 +00:00
ipv4Only = false;
2023-07-18 02:37:26 +00:00
# Use rpz zone as an override
extraOptions = ''response-policy { zone "rpz"; };'';
zones = {
rpz = {
master = true;
file = pkgs.writeText "db.rpz" ''
$TTL 60 ; 1 minute
@ IN SOA localhost. root.localhost. (
2023071800 ; serial
1h ; refresh
30m ; retry
1w ; expire
30m ; minimum ttl
)
IN NS localhost.
localhost A 127.0.0.1
2023-07-18 03:52:37 +00:00
${localRecords}
2023-07-18 02:37:26 +00:00
'';
};
};
};
2024-01-10 04:11:11 +00:00
# We must allow DNS traffic to hit our machine as well
2023-07-18 03:52:37 +00:00
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
# Set our own nameservers to ourselves
networking.nameservers = [
"127.0.0.1"
"::1"
];
2023-07-18 02:37:26 +00:00
};
}