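{ config, pkgs, ... }:

# Unbound recursive resolver for the cloonar.* networks.
#
# Two parts:
#   * `cfg` -- the Unbound configuration handed to services.unbound.settings:
#     static names for the home and partner networks, split-horizon
#     forwarders, and forwarding of everything else to Quad9.
#   * `unbound-sync` -- a sidecar service that polls the Kea DHCPv4 lease file
#     and publishes each lease as an A + PTR record through unbound-control.
let
  cids = import ../modules/staticids.nix;
  domain = "ns.cloonar.com";

  # Static forward records served from Unbound's local-data.
  #
  # NOTE(review): the last two entries pin public names (ddl-warez.to,
  # cdnjs.cloudflare.com) to fixed addresses. Those answers come from local
  # data, so they are neither refreshed when the operator rotates IPs nor
  # covered by DNSSEC validation of the real zone -- revisit periodically.
  staticLocalData = [
    "\"localhost A 127.0.0.1\""
    "\"localhost.cloonar.com A 127.0.0.1\""
    "\"localhost AAAA ::1\""
    "\"localhost.cloonar.com AAAA ::1\""
    "\"fw.cloonar.com A 10.42.97.1\""
    "\"fw A 10.42.97.1\""
    "\"omada.cloonar.com IN A 10.42.97.2\""
    "\"switch.cloonar.com IN A 10.42.97.10\""
    "\"mopidy.cloonar.com IN A 10.42.97.21\""
    "\"deconz.cloonar.com IN A 10.42.97.22\""
    "\"snapcast.cloonar.com IN A 10.42.97.21\""
    "\"home-assistant.cloonar.com IN A 10.42.97.20\""
    "\"git.cloonar.com IN A 10.42.97.50\""

    # Partner networks (RFC1918 addresses, reachable over the forwarders'
    # links below).
    "\"stage.wsw.at IN A 10.254.235.22\""
    "\"prod.wsw.at IN A 10.254.217.23\""
    "\"piwik.wohnservice-wien.at IN A 10.254.240.109\""
    "\"wohnservice-wien.at IN A 10.254.240.109\""
    "\"mieterhilfe.at IN A 10.254.240.109\""
    "\"wohnpartner-wien.at IN A 10.254.240.109\""
    "\"wohnberatung-wien.at IN A 10.254.240.109\""
    "\"wienbautvor.at IN A 10.254.240.109\""
    "\"wienwohntbesser.at IN A 10.254.240.109\""
    "\"b.wohnservice-wien.at IN A 10.254.240.109\""
    "\"b.mieterhilfe.at IN A 10.254.240.109\""
    "\"b.wohnpartner-wien.at IN A 10.254.240.109\""
    "\"b.wohnberatung-wien.at IN A 10.254.240.109\""
    "\"b.wienbautvor.at IN A 10.254.240.109\""
    "\"b.wienwohntbesser.at IN A 10.254.240.109\""
    "\"a.wohnservice-wien.at IN A 10.254.240.109\""
    "\"a.wohnpartner-wien.at IN A 10.254.240.109\""
    "\"a.stage.wohnservice-wien.at IN A 10.254.240.110\""
    "\"a.stage.mieterhilfe.at IN A 10.254.240.110\""
    "\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\""
    "\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\""
    "\"a.stage.wienbautvor.at IN A 10.254.240.110\""
    "\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
    "\"b.stage.wohnservice-wien.at IN A 10.254.240.110\""
    "\"b.stage.mieterhilfe.at IN A 10.254.240.110\""
    "\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\""
    "\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\""
    "\"b.stage.wienbautvor.at IN A 10.254.240.110\""
    "\"b.stage.wienwohntbesser.at IN A 10.254.240.110\""
    "\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
    "\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
    "\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
    "\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
    "\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
    "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""

    # Multimedia VLAN (10.42.99.0/24).
    "\"deconz.cloonar.multimedia IN A 10.42.97.22\""
    "\"metz.cloonar.multimedia IN A 10.42.99.10\""
    # "\"ps5.cloonar.multimedia IN A 10.42.99.12\""
    "\"xbox.cloonar.multimedia IN A 10.42.99.13\""
    # "\"switch.cloonar.multimedia IN A 10.42.99.14\""

    # Smart-home VLAN (10.42.100.0/24).
    # living room
    "\"shellycolorbulb-livingroom-1.cloonar.smart IN A 10.42.100.2\""
    "\"shellycolorbulb-livingroom-2.cloonar.smart IN A 10.42.100.3\""
    "\"shellycolorbulb-livingroom-3.cloonar.smart IN A 10.42.100.4\""
    "\"shellycolorbulb-livingroom-4.cloonar.smart IN A 10.42.100.5\""
    "\"shellycolorbulb-livingroom-5.cloonar.smart IN A 10.42.100.6\""
    "\"shellycolorbulb-livingroom-6.cloonar.smart IN A 10.42.100.7\""
    "\"shellyuni-livingroom-1.cloonar.smart IN A 10.42.100.8\""
    "\"shellyswitch25-livingroom-1.cloonar.smart IN A 10.42.100.9\""
    "\"shellyplug-s-living-1.cloonar.smart IN A 10.42.100.10\""
    "\"shellyplug-s-living-2.cloonar.smart IN A 10.42.100.11\""
    # kitchen
    "\"shellyplug-s-kitchen-1.cloonar.smart IN A 10.42.100.17\""
    "\"shellyrgbw2-kitchen-1.cloonar.smart IN A 10.42.100.18\""
    # bedroom
    "\"shelly1-bedroom-1.cloonar.smart IN A 10.42.100.33\""
    "\"shellybutton1-bedroom-1.cloonar.smart IN A 10.42.100.34\""
    "\"shellybutton1-bedroom-2.cloonar.smart IN A 10.42.100.35\"" # todo
    "\"shellyrgbw2-bedroom-1.cloonar.smart IN A 10.42.100.36\""
    "\"shellyrgbw2-bedroom-2.cloonar.smart IN A 10.42.100.37\""
    "\"shellyrgbw2-bedroom-3.cloonar.smart IN A 10.42.100.38\""
    # bath
    "\"shellyswitch25-bath-1.cloonar.smart IN A 10.42.100.49\""
    "\"shellybulbduo-bath-1.cloonar.smart IN A 10.42.100.50\""
    "\"shellybulbduo-bath-2.cloonar.smart IN A 10.42.100.51\""
    "\"shelly1pm-bath-1.cloonar.smart IN A 10.42.100.52\""
    "\"shellyht-bath-1.cloonar.smart IN A 10.42.100.53\"" # todo
    # hallway
    "\"shelly1-hallway-1.cloonar.smart IN A 10.42.100.65\""
    "\"shellycolorbulb-hallway-1.cloonar.smart IN A 10.42.100.66\""
    "\"shellycolorbulb-hallway-2.cloonar.smart IN A 10.42.100.67\""
    "\"shellycolorbulb-hallway-3.cloonar.smart IN A 10.42.100.68\""
    "\"shellycolorbulb-hallway-4.cloonar.smart IN A 10.42.100.69\""
    "\"shellyem3.cloonar.smart IN A 10.42.100.70\""
    "\"shellypro-1.cloonar.smart IN A 10.42.100.71\""
    "\"shellypro-2.cloonar.smart IN A 10.42.100.72\""
    # toilet
    "\"shelly1-toilet-1.cloonar.smart IN A 10.42.100.81\""
    "\"shellybulbduo-toilet-1.cloonar.smart IN A 10.42.100.82\""
    # storage
    "\"shelly1-storage-1.cloonar.smart IN A 10.42.100.97\""

    # Pinned public names -- see NOTE(review) above.
    "\"ddl-warez.to IN A 172.67.184.30\""
    "\"cdnjs.cloudflare.com IN A 104.17.24.14\""
  ];

  # Reverse records for a subset of the static entries above.
  staticLocalDataPtr = [
    "\"127.0.0.1 localhost\""
    "\"::1 localhost\""
    "\"10.42.97.1 fw.cloonar.com\""
    "\"10.42.97.20 home-assistant.cloonar.com\""
    "\"10.42.97.21 snapcast.cloonar.com\""
    "\"10.42.97.22 deconz.cloonar.com\""
    "\"10.42.97.50 git.cloonar.com\""
    "\"10.254.235.22 stage.wsw.at\""
    "\"10.254.217.23 prod.wsw.at\""
    "\"10.254.240.109 wohnservice-wien.at\""
    "\"10.254.240.110 a.stage.wohnservice-wien.at\""
    "\"172.67.184.30 ddl-warez.to\""
    "\"104.17.24.14 cdnjs.cloudflare.com\""
  ];

  cfg = {
    # Control channel used by the unbound-sync service below.
    remote-control.control-enable = true;

    server = {
      interface = [ "0.0.0.0" "::0" ];
      interface-automatic = "yes";

      # Clients allowed to query. This list used to end with
      # "0.0.0.0/0 allow", which made every entry above it redundant and
      # turned the daemon into an open recursive resolver -- a DNS
      # amplification source if the host is ever reachable from outside.
      # Only the local ranges are allowed now. 10.42.100.0/24 (the
      # .cloonar.smart devices in local-data) was the one range missing from
      # the explicit list, presumably the reason for the blanket entry, and
      # is added. IPv6 clients other than ::1 fall under Unbound's default
      # refuse; add an explicit IPv6 "allow" if they should be served.
      access-control = [
        "127.0.0.0/8 allow"
        "10.42.96.0/24 allow"
        "10.42.97.0/24 allow"
        "10.42.98.0/24 allow"
        "10.42.99.0/24 allow"
        "10.42.100.0/24 allow"
        "10.42.101.0/24 allow"
      ];

      # tls-cert-bundle = "/var/lib/acme/ns.cloonar.com/fullchain.pem";
      local-zone = "\"cloonar.com\" transparent";
      local-data = staticLocalData;
      local-data-ptr = staticLocalDataPtr;
      # ssl-upstream = "yes";
    };

    forward-zone = [
      # Split-horizon forwarders for partner / VPN networks.
      { name = "ghetto.at.local."; forward-addr = [ "10.43.97.1" ]; }
      { name = "epicenter.works."; forward-addr = [ "10.50.60.1" ]; }
      { name = "akvorrat.at."; forward-addr = [ "10.50.60.1" ]; }
      { name = "epicenter.intra."; forward-addr = [ "10.14.1.1" ]; }
      { name = "intra.epicenter.works."; forward-addr = [ "10.14.1.1" ]; }
      {
        name = ".";
        # Everything else goes to Quad9 over plain port-53 DNS. The DoT
        # variants (@853) are still commented out; enabling them also needs
        # tls-cert-bundle above and forward-tls-upstream = "yes" in this
        # zone, otherwise upstream answers are neither private nor
        # tamper-evident on the wire.
        # forward-addr = "104.16.248.249@853#cloudflare-dns.com";
        forward-addr = [
          # "9.9.9.9@853#dns9.quad9.net"
          # "149.112.112.11@853#dns11.quad9.net"
          # "9.9.9.9@853"
          # "149.112.112.11@853"
          "9.9.9.9"
          "149.112.112.11"
        ];
      }
    ];
  };
in
{
  users.users.unbound = {
    group = "unbound";
    isSystemUser = true;
    uid = cids.uids.unbound;
  };
  users.groups.unbound = { gid = cids.gids.unbound; };

  # Let the unbound group read the ACME certificates; only relevant once
  # tls-cert-bundle above is enabled.
  security.acme.certs."${domain}" = { group = "unbound"; };
  security.acme.certs."fw.cloonar.com" = { group = "unbound"; };

  services.unbound = {
    enable = true;
    settings = cfg;
  };

  # Publishes Kea DHCPv4 leases into Unbound's local data. No User= is set,
  # so it runs as root -- presumably to reach the control socket; confirm.
  systemd.services.unbound-sync = {
    enable = true;
    path = with pkgs; [ unbound inotify-tools ];
    script = ''
      # Kea lease files are CSV with a header row; the column lists follow
      # Kea's memfile layout for dhcp4 ("A") and dhcp6 (anything else).
      # $1 = lease file, $2 = record type. Prints "address,hostname" per row.
      readFile() {
        if [[ ! -r "$1" ]]; then
          echo "unbound-sync: cannot read $1" >&2
          return 0
        fi
        if [[ "$2" == "A" ]]; then
          tail -n +2 "$1" | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context; do
            echo "$address,$hostname"
          done
        else
          tail -n +2 "$1" | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source; do
            echo "$address,$hostname"
          done
        fi
      }

      # DHCP clients choose their own hostname, so it is untrusted input.
      # Accept only DNS-looking names: dot-separated labels of letters,
      # digits, underscore and hyphen (no leading or trailing hyphen, at most
      # 63 characters), optionally ending in a dot. Anything else -- spaces,
      # quotes, parentheses -- could otherwise be smuggled into the
      # unbound-control argument list as additional record data.
      isHostname() {
        local re='^[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?(\.[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?)*\.?$'
        [[ "$1" =~ $re ]]
      }

      # Dotted-quad shape check for the lease address.
      isIPv4() {
        local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
        [[ "$1" =~ $re ]]
      }

      # Publish one DHCPv4 lease as a forward A record plus its in-addr.arpa
      # PTR.  $1 = address, $2 = hostname (may be empty), $3 = record type.
      #
      # The zone is derived from the third octet (99 -> cloonar.multimedia,
      # 100 -> cloonar.smart, otherwise cloonar.com) and the client's name is
      # always placed beneath that zone. The previous version had a branch
      # meant to pass through names already ending in a cloonar.* suffix, but
      # it tested the lease-file path instead of the hostname and never ran;
      # it is dropped deliberately -- honouring a client-chosen fully
      # qualified name would let any DHCP client claim e.g. git.cloonar.com.
      publishLease() {
        local address="$1" hostname="$2" rrtype="$3"
        local ip0 ip1 ip2 ip3 zone fqdn

        # Only IPv4 is handled: the dhcp6 sync stays disabled below and no
        # ip6.arpa reverse names are generated here.
        if [[ "$rrtype" != "A" ]]; then
          return 0
        fi
        # Nameless leases used to still push a PTR with empty data; skip them.
        if [[ -z "$hostname" ]]; then
          return 0
        fi
        if ! isHostname "$hostname" || ! isIPv4 "$address"; then
          echo "unbound-sync: skipping lease with malformed hostname/address: $address $hostname" >&2
          return 0
        fi

        IFS=. read -r ip0 ip1 ip2 ip3 <<< "$address"
        case "$ip2" in
          99)  zone=cloonar.multimedia ;;
          100) zone=cloonar.smart ;;
          *)   zone=cloonar.com ;;
        esac

        if [[ "$hostname" == *. ]]; then
          fqdn="$hostname$zone"
        else
          fqdn="$hostname.$zone"
        fi

        echo "$fqdn $rrtype $address"
        unbound-control local_data "$fqdn" "$rrtype" "$address" \
          || echo "unbound-sync: local_data failed for $fqdn" >&2
        # Only in-addr.arpa is a real reverse tree; the ".ip4.arpa." records
        # the old script also pushed are gone. The PTR targets the qualified
        # name -- a bare label would be read as a top-level name.
        unbound-control local_data "$ip3.$ip2.$ip1.$ip0.in-addr.arpa." PTR "$fqdn" \
          || echo "unbound-sync: PTR local_data failed for $address" >&2
      }

      # Push every distinct (address,hostname) pair from one lease file.
      # $1 = lease file, $2 = record type.
      syncOnce() {
        readFile "$1" "$2" | sort -u | while IFS=, read -r address hostname; do
          publishLease "$address" "$hostname" "$2"
        done
      }

      # Poll the lease file every 10 s. Records are only ever added: nothing
      # removes an entry when a lease expires or a client moves to another
      # address, so stale records persist until unbound restarts
      # (TODO: local_data_remove for leases that disappeared).
      # inotify-tools is on PATH but not used by this loop.
      syncFile() {
        while true; do
          syncOnce "$1" "$2"
          sleep 10
        done
      }

      syncFile "/var/lib/kea/dhcp4.leases" A &
      # syncFile "/var/lib/kea/dhcp6.leases" AAAA &
      wait
    '';
    wants = [ "network-online.target" "unbound.service" ];
    after = [ "network-online.target" "unbound.service" ];
    partOf = [ "unbound.service" ];
    wantedBy = [ "multi-user.target" ];
  };

  # DNS needs TCP 53 as well as UDP 53 (truncated or large answers fall back
  # to TCP); only UDP was opened before. UDP 5353 (mDNS) is kept from the
  # original configuration although nothing in this file listens on it.
  networking.firewall.allowedUDPPorts = [ 53 5353 ];
  networking.firewall.allowedTCPPorts = [ 53 ];
}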