Cloonar/cloonar-assistant
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5de8b96816b2b8a78e7a45db0c8047239feef726
cloonar-assistant/modules/cloonar-assistant/networking/unbound.nix

143 lines
5.2 KiB
Nix
Raw Blame History

{ config, ... }: {
}
{ config, pkgs, ... }:
let
cfg = {
remote-control.control-enable = true;
server = {
interface = [ "0.0.0.0" "::0" ];
interface-automatic = "yes";
access-control = [
"127.0.0.0/8 allow"
"${config.networkPrefix}.96.0/24 allow"
"${config.networkPrefix}.97.0/24 allow"
"${config.networkPrefix}.98.0/24 allow"
"${config.networkPrefix}.99.0/24 allow"
"${config.networkPrefix}.101.0/24 allow"
"0.0.0.0/0 allow"
];
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
local-zone = "\"${config.cloonar-assistant.domain}\" transparent";
local-data = [
"\"localhost A 127.0.0.1\""
"\"localhost.${config.cloonar-assistant.domain} A 127.0.0.1\""
"\"localhost AAAA ::1\""
"\"localhost.${config.cloonar-assistant.domain} AAAA ::1\""
"\"fw.${config.cloonar-assistant.domain} A ${config.networkPrefix}.97.1\""
"\"fw A ${config.networkPrefix}.97.1\""
"\"mopidy.${config.cloonar-assistant.domain} IN A ${config.networkPrefix}.97.21\""
"\"snapcast.${config.cloonar-assistant.domain} IN A ${config.networkPrefix}.97.21\""
"\"home-assistant.${config.cloonar-assistant.domain} IN A ${config.networkPrefix}.97.20\""
];
local-data-ptr = [
"\"127.0.0.1 localhost\""
"\"::1 localhost\""
"\"${config.networkPrefix}.97.1 fw.${config.cloonar-assistant.domain}\""
"\"${config.networkPrefix}.97.20 home-assistant.${config.cloonar-assistant.domain}\""
"\"${config.networkPrefix}.97.21 snapcast.${config.cloonar-assistant.domain}\""
];
# ssl-upstream = "yes";
};
forward-zone = [
{
name = ".";
forward-tls-upstream = "yes";
forward-first = "no";
forward-addr = [
"9.9.9.9@853#dns9.quad9.net"
"149.112.112.11@853#dns11.quad9.net"
];
}
];
};
in {
users.users.unbound = {
group = "unbound";
isSystemUser = true;
extraGroups = [ "ssl-users" ];
};
users.groups.unbound = { };
services.resolved.enable = false;
services.unbound = {
enable = true;
settings = cfg;
};
systemd.services.unbound-sync = lib.mkIf config.cloonar-assistant.firewall.enable {
enable = true;
path = with pkgs; [ unbound inotify-tools ];
script = ''
function readFile() {
if [[ "''\$2" == "A" ]] ; then
cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context
do
echo "''\${address},''\${hostname}"
done
else
cat "''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source
do
echo "''\${address},''\${hostname}"
done
fi
}
function readFileUnique() {
readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname
do
if echo "''\${1}" | grep -Eq '.*\.(${config.cloonar-assistant.domain})'; then
echo ''\${hostname} ''\$2 ''\${address}
unbound-control local_data ''\${hostname} ''\$2 ''\${address} > /dev/null 2>&1
if [[ "''\$2" == "A" ]] ; then
echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
do
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} > /dev/null 2>&1
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} > /dev/null 2>&1
done
fi
else
if [[ "''\$2" == "A" ]] ; then
echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
do
if [[ "''\${hostname}" != "" ]]; then
domain=${config.cloonar-assistant.domain}
if [[ "''\${hostname}" != *. ]]; then
unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address} > /dev/null 2>&1
else
unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address} > /dev/null 2>&1
fi
fi
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} > /dev/null 2>&1
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} > /dev/null 2>&1
done
fi
fi
done
}
function syncFile() {
# readFileUnique "''\$1" "''\$2"
while true; do
readFileUnique "''\$1" "''\$2"
sleep 10
done
}
syncFile "/var/lib/kea/dhcp4.leases" A &
# syncFile "/var/lib/kea/dhcp6.leases" AAAA &
wait
'';
wants = [ "network-online.target" "unbound.service" ];
after = [ "network-online.target" "unbound.service" ];
partOf = [ "unbound.service" ];
wantedBy = [ "multi-user.target" ];
};
networking.firewall.allowedUDPPorts = [ 53 5353 ];
}
Reference in New Issue View Git Blame Copy Permalink