Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

change unbound

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2023-12-04 15:22:32 +01:00
parent 1dbba8eac6
commit cb01ec7e4c
2 changed files with 173 additions and 217 deletions
Download Patch File Download Diff File Expand all files Collapse all files

295
hosts/fw.cloonar.com/modules/unbound.nix
View File

@@ -1,138 +1,177 @@
{ config, ... }: {
{ config, ... }:
let
domain = "ns.cloonar.com";
cfg = {
server = {
interface = [ "0.0.0.0" "::0" ];
interface-automatic = "yes";
access-control = [
"127.0.0.0/8 allow"
"10.42.96.0/24 allow"
"10.42.97.0/24 allow"
"10.42.98.0/24 allow"
"10.42.99.0/24 allow"
"10.42.101.0/24 allow"
"0.0.0.0/0 allow"
];
tls-cert-bundle = "/var/lib/acme/unbound/fullchain.pem";
local-zone = "\"cloonar.com\" transparent";
local-data = [
"\"localhost A 127.0.0.1\""
"\"localhost.cloonar.com A 127.0.0.1\""
"\"localhost AAAA ::1\""
"\"localhost.cloonar.com AAAA ::1\""
"\"fw.cloonar.com A 10.42.97.1\""
"\"fw A 10.42.97.1\""
"\"switch.cloonar.com IN A 10.42.97.10\""
"\"drone.cloonar.com IN A 10.42.97.118\""
"\"hv-02.cloonar.com IN A 10.42.97.3\""
"\"home-assistant.cloonar.com IN A 10.42.97.20\""
"\"home-assistant.cloonar.old IN A 10.44.97.20\""
"\"deconz.cloonar.com IN A 10.42.97.20\""
"\"mopidy.cloonar.com IN A 10.42.97.20\""
"\"snapcast.cloonar.com IN A 10.42.97.20\""
"\"cl-storage-01.cloonar.com IN A 10.42.97.9\""
"\"git.cloonar.com IN A 10.44.97.118\""
"\"stage.wsw.at IN A 10.254.235.22\""
"\"prod.wsw.at IN A 10.254.217.23\""
"\"piwik.wohnservice-wien.at IN A 10.254.240.109\""
"\"wohnservice-wien.at IN A 10.254.240.109\""
"\"mieterhilfe.at IN A 10.254.240.109\""
"\"wohnpartner-wien.at IN A 10.254.240.109\""
"\"wohnberatung-wien.at IN A 10.254.240.109\""
"\"wienbautvor.at IN A 10.254.240.109\""
"\"a.wohnservice-wien.at IN A 10.254.240.109\""
"\"a.wohnpartner-wien.at IN A 10.254.240.109\""
"\"a.stage.wohnservice-wien.at IN A 10.254.240.110\""
"\"a.stage.mieterhilfe.at IN A 10.254.240.110\""
"\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\""
"\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\""
"\"a.stage.wienbautvor.at IN A 10.254.240.110\""
"\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
"\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
"\"testing.ebs.amz.at IN A 80.120.142.235\""
"\"api.testing-ebs.amz.at IN A 80.120.142.235\""
"\"metz.cloonar.com IN A 10.42.96.167\""
"\"firetv-living.cloonar.com IN A 10.42.96.175\""
"\"ps5-living.cloonar.com IN A 10.42.96.176\""
"\"ddl-warez.to IN A 172.67.184.30\""
];
local-data-ptr = [
"\"127.0.0.1 localhost\""
"\"::1 localhost\""
"\"10.42.97.10 switch.cloonar.com\""
"\"10.42.97.1 fw.cloonar.com\""
"\"10.42.97.118 drone.cloonar.com\""
"\"10.42.97.3 hv-02.cloonar.com\""
"\"10.42.97.20 home-assistant.cloonar.com\""
"\"10.42.97.9 cl-storage-01.cloonar.com\""
"\"10.42.97.118 git.cloonar.com\""
"\"10.254.235.22 stage.wsw.at\""
"\"10.254.217.23 prod.wsw.at\""
"\"10.254.240.109 wohnservice-wien.at\""
"\"10.254.240.110 a.stage.wohnservice-wien.at\""
"\"80.120.142.235 testing.ebs.amz.at\""
"\"172.67.184.30 ddl-warez.to\""
];
};
forward-zone = [
{
name = ".";
forward-addr = [
"10.44.96.1"
# "9.9.9.9#dns11.quad9.net"
# "149.112.112.112#dns11.quad9.net"
];
}
{
name = "ghetto.at.local.";
forward-addr = [
"10.43.97.1"
];
}
{
name = "epicenter.works.";
forward-addr = [
"10.50.60.1"
];
}
{
name = "akvorrat.at.";
forward-addr = [
"10.50.60.1"
];
}
{
name = "epicenter.intra.";
forward-addr = [
"10.14.1.1"
];
}
{
name = "intra.epicenter.works.";
forward-addr = [
"10.14.1.1"
];
}
];
};
in {
services.unbound = {
enable = true;
settings = {
settings = cfg // {
server = {
interface = [ "0.0.0.0" "::0" ];
interface-automatic = "yes";
access-control = [
"127.0.0.0/8 allow"
"10.42.96.0/24 allow"
"10.42.97.0/24 allow"
"10.42.98.0/24 allow"
"10.42.99.0/24 allow"
"10.42.101.0/24 allow"
"0.0.0.0/0 allow"
];
tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem";
local-zone = "\"cloonar.com\" transparent";
local-data = [
"\"localhost A 127.0.0.1\""
"\"localhost.cloonar.com A 127.0.0.1\""
"\"localhost AAAA ::1\""
"\"localhost.cloonar.com AAAA ::1\""
"\"fw.cloonar.com A 10.42.97.1\""
"\"fw A 10.42.97.1\""
tls-cert-bundle = "/var/lib/acme/fw.cloonnar.com/fullchain.pem";
}
};
};
security.acme.certs."fw.cloonar.com" = {
domain = "fw.cloonar.com";
};
"\"switch.cloonar.com IN A 10.42.97.10\""
"\"drone.cloonar.com IN A 10.42.97.118\""
"\"hv-02.cloonar.com IN A 10.42.97.3\""
"\"home-assistant.cloonar.com IN A 10.42.97.20\""
"\"home-assistant.cloonar.old IN A 10.44.97.20\""
"\"deconz.cloonar.com IN A 10.42.97.20\""
"\"mopidy.cloonar.com IN A 10.42.97.20\""
"\"snapcast.cloonar.com IN A 10.42.97.20\""
"\"cl-storage-01.cloonar.com IN A 10.42.97.9\""
"\"git.cloonar.com IN A 10.44.97.118\""
"\"stage.wsw.at IN A 10.254.235.22\""
"\"prod.wsw.at IN A 10.254.217.23\""
"\"piwik.wohnservice-wien.at IN A 10.254.240.109\""
"\"wohnservice-wien.at IN A 10.254.240.109\""
"\"mieterhilfe.at IN A 10.254.240.109\""
"\"wohnpartner-wien.at IN A 10.254.240.109\""
"\"wohnberatung-wien.at IN A 10.254.240.109\""
"\"wienbautvor.at IN A 10.254.240.109\""
"\"a.wohnservice-wien.at IN A 10.254.240.109\""
"\"a.wohnpartner-wien.at IN A 10.254.240.109\""
"\"a.stage.wohnservice-wien.at IN A 10.254.240.110\""
"\"a.stage.mieterhilfe.at IN A 10.254.240.110\""
"\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\""
"\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\""
"\"a.stage.wienbautvor.at IN A 10.254.240.110\""
"\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
"\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
"\"testing.ebs.amz.at IN A 80.120.142.235\""
"\"api.testing-ebs.amz.at IN A 80.120.142.235\""
"\"metz.cloonar.com IN A 10.42.96.167\""
"\"firetv-living.cloonar.com IN A 10.42.96.175\""
"\"ps5-living.cloonar.com IN A 10.42.96.176\""
"\"ddl-warez.to IN A 172.67.184.30\""
];
local-data-ptr = [
"\"127.0.0.1 localhost\""
"\"::1 localhost\""
"\"10.42.97.10 switch.cloonar.com\""
"\"10.42.97.1 fw.cloonar.com\""
"\"10.42.97.118 drone.cloonar.com\""
"\"10.42.97.3 hv-02.cloonar.com\""
"\"10.42.97.20 home-assistant.cloonar.com\""
"\"10.42.97.9 cl-storage-01.cloonar.com\""
"\"10.42.97.118 git.cloonar.com\""
"\"10.254.235.22 stage.wsw.at\""
"\"10.254.217.23 prod.wsw.at\""
"\"10.254.240.109 wohnservice-wien.at\""
"\"10.254.240.110 a.stage.wohnservice-wien.at\""
"\"80.120.142.235 testing.ebs.amz.at\""
"\"172.67.184.30 ddl-warez.to\""
];
containers.unbound = {
autoStart = true;
ephemeral = true;
macvlans = [ "vserver" ];
bindMounts = {
"/var/lib/acme/unbound/" = {
hostPath = "${config.security.acme.certs.${domain}.directory}";
isReadOnly = true;
};
};
config = { lib, config, pkgs, ... }: {
networking = {
hostName = "ns";
interfaces.mv-vserver = {
useDHCP = true;
};
firewall = {
enable = true;
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 853 ];
};
services.unbound = {
enable = true;
settings = cfg;
};
};
forward-zone = [
{
name = ".";
forward-addr = [
"10.44.96.1"
# "9.9.9.9#dns11.quad9.net"
# "149.112.112.112#dns11.quad9.net"
];
}
{
name = "ghetto.at.local.";
forward-addr = [
"10.43.97.1"
];
}
{
name = "epicenter.works.";
forward-addr = [
"10.50.60.1"
];
}
{
name = "akvorrat.at.";
forward-addr = [
"10.50.60.1"
];
}
{
name = "epicenter.intra.";
forward-addr = [
"10.14.1.1"
];
}
{
name = "intra.epicenter.works.";
forward-addr = [
"10.14.1.1"
];
}
];
};
};
security.acme.certs."fw.cloonar.com" = {
domain = "fw.cloonar.com";
group = config.services.unbound.group;
security.acme.certs."${domain}" = {
domain = "${domain}";
};
}