# Unbound recursive resolver for the cloonar.com network: blocklist zones built
# from the pinned StevenBlack hosts list, static local-data for internal hosts,
# plain-text forwarding to a few internal resolvers, and DNS-over-TLS to Quad9
# for everything else.
{ config, pkgs, ... }:
let
  cids = import ../modules/staticids.nix;
  domain = "ns.cloonar.com";

  # Converts the hosts file into one `local-zone: "<name>" static` line per
  # blocked name.  The list is pinned by rev + sha256 (supply-chain pin:
  # bumping `rev` requires a matching `sha256` update or the build fails).
  # NOTE(review): the `127.0.0.1 -> 0.0.0.0` rewrite presumably also matches the
  # hosts file's own loopback header lines (e.g. `127.0.0.1 localhost`), so those
  # names end up as static zones as well -- confirm that is intended.
  adblockLocalZones = pkgs.stdenv.mkDerivation {
    name = "unbound-zones-adblock";
    src = (pkgs.fetchFromGitHub {
      owner = "StevenBlack";
      repo = "hosts";
      rev = "3.0.0";
      sha256 = "01g6pc9s1ah2w1cbf6bvi424762hkbpbgja9585a0w99cq0n6bxv";
    } + "/hosts");
    # Nothing to unpack or build; only the install step runs.
    phases = [ "installPhase" ];
    # Strip CRs, normalise the sink address, keep two-column 0.0.0.0 entries,
    # lower-case and de-duplicate the resulting zone names.
    installPhase = ''
      ${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u > $out
    '';
  };

  cfg = {
    # NOTE(review): the control channel's interface is not set here (module
    # default); confirm it stays on the local socket/loopback and is never
    # bound to a network address without control keys.
    remote-control.control-enable = true;

    server = {
      include = [ "\"${adblockLocalZones}\"" ];

      # Listen on every address; interface-automatic makes unbound answer from
      # the address the query arrived on.
      interface = [ "0.0.0.0" "::0" ];
      interface-automatic = "yes";

      # NOTE(review): the trailing "0.0.0.0/0 allow" makes every preceding entry
      # redundant and, together with the wildcard listeners above and the
      # UDP/53 firewall rule at the bottom of this file, turns this into an
      # open recursive resolver on every interface the host has.  If any of
      # those interfaces is reachable from the Internet this is an
      # amplification/abuse risk: drop the catch-all and enumerate client
      # subnets instead (10.42.100.0/24, used by the .cloonar.smart hosts
      # below, is absent from the explicit list and would need adding).
      access-control = [
        "127.0.0.0/8 allow"
        "10.42.96.0/24 allow"
        "10.42.97.0/24 allow"
        "10.42.98.0/24 allow"
        "10.42.99.0/24 allow"
        "10.42.101.0/24 allow"
        "0.0.0.0/0 allow"
      ];

      # CA bundle used to authenticate the DNS-over-TLS upstreams in forward-zone.
      tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";

      # transparent: names under cloonar.com with no local-data below are
      # resolved upstream instead of returning NXDOMAIN.
      local-zone = "\"cloonar.com\" transparent";

      local-data = [
        "\"localhost A 127.0.0.1\""
        "\"localhost.cloonar.com A 127.0.0.1\""
        "\"localhost AAAA ::1\""
        "\"localhost.cloonar.com AAAA ::1\""
        "\"fw.cloonar.com A 10.42.97.1\""
        "\"fw A 10.42.97.1\""
        "\"pc.cloonar.com IN A 10.42.96.5\""
        "\"omada.cloonar.com IN A 10.42.97.2\""
        "\"switch.cloonar.com IN A 10.42.97.10\""
        "\"mopidy.cloonar.com IN A 10.42.97.21\""
        "\"deconz.cloonar.com IN A 10.42.97.22\""
        "\"brn30055c566237.cloonar.com IN A 10.42.96.100\""
        "\"snapcast.cloonar.com IN A 10.42.97.21\""
        "\"home-assistant.cloonar.com IN A 10.42.97.20\""
        "\"web-02.cloonar.com IN A 10.42.97.5\""
        "\"support.cloonar.com IN A 10.42.97.5\""
        "\"git.cloonar.com IN A 10.42.97.50\""
        "\"sync.cloonar.com IN A 10.42.97.51\""
        "\"feeds.cloonar.com IN A 188.34.191.144\""
        # "\"paraclub.cloonar.dev IN A 49.12.244.139\""
        # "\"api.paraclub.cloonar.dev IN A 49.12.244.139\""
        # "\"module.paraclub.cloonar.dev IN A 49.12.244.139\""
        # "\"tandem.paraclub.cloonar.dev IN A 49.12.244.139\""

        # Split-horizon overrides of third-party public domains onto 10.254.x
        # addresses; presumably reached through a VPN or one of the internal
        # forwarders -- confirm these are still current, they shadow the
        # owners' public records for every client of this resolver.
        "\"stage.wsw.at IN A 10.254.235.22\""
        "\"prod.wsw.at IN A 10.254.217.23\""
        "\"piwik.wohnservice-wien.at IN A 10.254.240.109\""
        "\"wohnservice-wien.at IN A 10.254.240.109\""
        "\"mieterhilfe.at IN A 10.254.240.109\""
        "\"wohnpartner-wien.at IN A 10.254.240.109\""
        "\"new.wohnberatung-wien.at IN A 10.254.240.109\""
        "\"wohnberatung-wien.at IN A 10.254.240.109\""
        "\"wienbautvor.at IN A 10.254.240.109\""
        "\"wienwohntbesser.at IN A 10.254.240.109\""
        "\"b.wohnservice-wien.at IN A 10.254.240.109\""
        "\"b.mieterhilfe.at IN A 10.254.240.109\""
        "\"b.wohnpartner-wien.at IN A 10.254.240.109\""
        "\"b.wohnberatung-wien.at IN A 10.254.240.109\""
        "\"b.wienbautvor.at IN A 10.254.240.109\""
        "\"b.wienwohntbesser.at IN A 10.254.240.109\""
        "\"a.wohnservice-wien.at IN A 10.254.240.109\""
        "\"a.wohnpartner-wien.at IN A 10.254.240.109\""
        "\"a.stage.wohnservice-wien.at IN A 10.254.240.110\""
        "\"a.stage.mieterhilfe.at IN A 10.254.240.110\""
        "\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\""
        "\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\""
        "\"a.stage.wienbautvor.at IN A 10.254.240.110\""
        "\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
        "\"b.stage.wohnservice-wien.at IN A 10.254.240.110\""
        "\"b.stage.mieterhilfe.at IN A 10.254.240.110\""
        "\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\""
        "\"b.stage.new.wohnberatung-wien.at IN A 10.254.240.110\""
        "\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\""
        "\"b.stage.wienbautvor.at IN A 10.254.240.110\""
        "\"b.stage.wienwohntbesser.at IN A 10.254.240.110\""
        "\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
        "\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
        "\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
        "\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
        "\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
        "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
        "\"conf.wrwks.at IN A 10.254.240.105\""
        "\"web.hilgenberg-gmbh.de IN A 91.107.197.169\""

        # Multimedia VLAN (10.42.99.0/24).
        "\"deconz.cloonar.multimedia IN A 10.42.97.22\""
        "\"metz.cloonar.multimedia IN A 10.42.99.10\""
        # "\"ps5.cloonar.multimedia IN A 10.42.99.12\""
        "\"xbox.cloonar.multimedia IN A 10.42.99.13\""
        # "\"switch.cloonar.multimedia IN A 10.42.99.14\""

        # Smart-home VLAN (10.42.100.0/24).
        #living room
        "\"shellyuni-livingroom-1.cloonar.smart IN A 10.42.100.8\""
        "\"shellyswitch25-livingroom-1.cloonar.smart IN A 10.42.100.9\""
        "\"shellyplug-s-living-1.cloonar.smart IN A 10.42.100.10\""
        "\"shellyplug-s-living-2.cloonar.smart IN A 10.42.100.11\""
        # kitchen
        "\"shellyplug-s-kitchen-1.cloonar.smart IN A 10.42.100.17\""
        "\"shellyrgbw2-kitchen-1.cloonar.smart IN A 10.42.100.18\""
        #bedroom
        "\"shelly1-bedroom-1.cloonar.smart IN A 10.42.100.33\""
        "\"shellybutton1-bedroom-1.cloonar.smart IN A 10.42.100.34\""
        "\"shellybutton1-bedroom-2.cloonar.smart IN A 10.42.100.35\"" # todo
        "\"shellyrgbw2-bedroom-1.cloonar.smart IN A 10.42.100.36\""
        "\"shellyrgbw2-bedroom-2.cloonar.smart IN A 10.42.100.37\""
        "\"shellyrgbw2-bedroom-3.cloonar.smart IN A 10.42.100.38\""
        # bath
        "\"shellyswitch25-bath-1.cloonar.smart IN A 10.42.100.49\""
        "\"shellybulbduo-bath-1.cloonar.smart IN A 10.42.100.50\""
        "\"shellybulbduo-bath-2.cloonar.smart IN A 10.42.100.51\""
        "\"shelly1pm-bath-1.cloonar.smart IN A 10.42.100.52\""
        "\"shellyht-bath-1.cloonar.smart IN A 10.42.100.53\"" # todo
        # hallway
        "\"shelly1-hallway-1.cloonar.smart IN A 10.42.100.65\""
        "\"shellycolorbulb-hallway-1.cloonar.smart IN A 10.42.100.66\""
        "\"shellycolorbulb-hallway-2.cloonar.smart IN A 10.42.100.67\""
        "\"shellycolorbulb-hallway-3.cloonar.smart IN A 10.42.100.68\""
        "\"shellycolorbulb-hallway-4.cloonar.smart IN A 10.42.100.69\""
        "\"shellyem3.cloonar.smart IN A 10.42.100.70\""
        "\"shellypro-1.cloonar.smart IN A 10.42.100.71\""
        "\"shellypro-2.cloonar.smart IN A 10.42.100.72\""
        # toilet
        "\"shelly1-toilet-1.cloonar.smart IN A 10.42.100.81\""
        "\"shellybulbduo-toilet-1.cloonar.smart IN A 10.42.100.82\""
        # storage
        "\"shelly1-storage-1.cloonar.smart IN A 10.42.100.97\""
        "\"shellyplug-storage-1.cloonar.smart IN A 10.42.100.98\""
        "\"brn30055c566237.cloonar.multimedia IN A 10.42.99.100\""

        # NOTE(review): static pins of public names to fixed CDN addresses
        # bypass the owners' DNS entirely and will silently go stale when the
        # provider rotates addresses; confirm they are still needed.
        "\"ddl-warez.to IN A 172.67.184.30\""
        "\"cdnjs.cloudflare.com IN A 104.17.24.14\""
      ];

      # Reverse records; only a subset of the forward entries above has one.
      local-data-ptr = [
        "\"127.0.0.1 localhost\""
        "\"::1 localhost\""
        "\"10.42.97.1 fw.cloonar.com\""
        "\"10.42.97.20 home-assistant.cloonar.com\""
        "\"10.42.97.21 snapcast.cloonar.com\""
        "\"10.42.97.22 deconz.cloonar.com\""
        "\"10.42.97.50 git.cloonar.com\""
        "\"10.254.235.22 stage.wsw.at\""
        "\"10.254.217.23 prod.wsw.at\""
        "\"10.254.240.109 wohnservice-wien.at\""
        "\"10.254.240.110 a.stage.wohnservice-wien.at\""
        "\"172.67.184.30 ddl-warez.to\""
        "\"104.17.24.14 cdnjs.cloudflare.com\""
      ];
      # ssl-upstream = "yes";
    };

    forward-zone = [
      # Internal zones: plain (non-TLS) forwarding to private resolvers.
      {
        name = "local.ghetto.at.";
        forward-tls-upstream = "no";
        forward-addr = [ "10.43.97.1" ];
      }
      {
        name = "ghetto.at.local.";
        forward-tls-upstream = "no";
        forward-addr = [ "10.43.97.1" ];
      }
      {
        name = "epicenter.works.";
        forward-tls-upstream = "no";
        forward-addr = [ "10.50.60.1" ];
      }
      {
        name = "akvorrat.at.";
        forward-tls-upstream = "no";
        forward-addr = [ "10.50.60.1" ];
      }
      {
        name = "epicenter.intra.";
        forward-tls-upstream = "no";
        forward-addr = [ "10.14.1.1" ];
      }
      {
        name = "intra.epicenter.works.";
        forward-tls-upstream = "no";
        forward-addr = [ "10.14.1.1" ];
      }
      # Everything else: DNS-over-TLS to Quad9, certificate name pinned through
      # the `addr@port#hostname` form and validated against tls-cert-bundle.
      # forward-first = "no" means there is no fallback to plain recursion if
      # the forwarders are unreachable.
      {
        name = ".";
        forward-tls-upstream = "yes";
        forward-first = "no";
        forward-addr = [
          "9.9.9.9@853#dns9.quad9.net"
          "149.112.112.11@853#dns11.quad9.net"
        ];
      }
    ];
  };
in
{
  # Fixed uid/gid so the service account is stable across rebuilds.
  users.users.unbound = {
    group = "unbound";
    isSystemUser = true;
    uid = cids.uids.unbound;
  };
  users.groups.unbound = {
    gid = cids.gids.unbound;
  };

  # NOTE(review): these grant the unbound group read access to the ACME key
  # material, but nothing in this file points unbound at it (no
  # tls-service-key / tls-service-pem in `cfg`).  Presumably consumed elsewhere
  # -- confirm, otherwise drop the grant so the keys are not readable by a
  # process that does not need them.
  security.acme.certs."${domain}" = {
    group = "unbound";
  };
  security.acme.certs."fw.cloonar.com" = {
    group = "unbound";
  };

  # systemd-resolved is disabled alongside unbound, presumably so the two do
  # not compete for the local resolver role.
  services.resolved.enable = false;
  services.unbound = {
    enable = true;
    settings = cfg;
  };

  # Disabled: kea DHCP lease -> unbound local_data sync loop, kept for reference.
  # systemd.services.unbound-sync = {
  #   enable = true;
  #   path = with pkgs; [ unbound inotify-tools ];
  #   script = ''
  #     function readFile() {
  #       if [[ "''\$2" == "A" ]] ; then
  #         cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context
  #         do
  #           echo "''\${address},''\${hostname}"
  #         done
  #       else
  #         cat "''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source
  #         do
  #           echo "''\${address},''\${hostname}"
  #         done
  #       fi
  #     }
  #
  #     function readFileUnique() {
  #       readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname
  #       do
  #         if echo "''\${1}" | grep -Eq '.*\.(cloonar.com|cloonar.multimedia|cloonar.smart)'; then
  #           echo ''\${hostname} ''\$2 ''\${address}
  #           unbound-control local_data ''\${hostname} ''\$2 ''\${address}
  #           if [[ "''\$2" == "A" ]] ; then
  #             echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
  #             do
  #               unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname}
  #               unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname}
  #             done
  #           fi
  #         else
  #           if [[ "''\$2" == "A" ]] ; then
  #             echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
  #             do
  #               if [[ "''\${hostname}" != "" ]]; then
  #                 domain=cloonar.com
  #                 if [[ "''\${ip2}" == 99 ]]; then
  #                   domain=cloonar.multimedia
  #                 fi
  #                 if [[ "''\${ip2}" == 100 ]]; then
  #                   domain=cloonar.smart
  #                 fi
  #                 if [[ "''\${hostname}" != *. ]]; then
  #                   unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address}
  #                 else
  #                   unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address}
  #                 fi
  #
  #               fi
  #               unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname}
  #               unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname}
  #             done
  #           fi
  #         fi
  #       done
  #     }
  #
  #     function syncFile() {
  #       # readFileUnique "''\$1" "''\$2"
  #       while true; do
  #         readFileUnique "''\$1" "''\$2"
  #         sleep 10
  #       done
  #     }
  #
  #     # syncFile "/var/lib/kea/dhcp4.leases" A &
  #     # syncFile "/var/lib/kea/dhcp6.leases" AAAA &
  #     wait
  #   '';
  #   wants = [ "network-online.target" "unbound.service" ];
  #   after = [ "network-online.target" "unbound.service" ];
  #   partOf = [ "unbound.service" ];
  #   wantedBy = [ "multi-user.target" ];
  # };

  # NOTE(review): only UDP is opened.  unbound also serves TCP/53, which clients
  # fall back to for truncated answers; unless TCP/53 is opened elsewhere,
  # remote clients lose that fallback.  Nothing visible in this file binds
  # 5353.  Together with the "0.0.0.0/0 allow" ACL above this rule is what
  # exposes the resolver on every interface -- see that note.
  networking.firewall.allowedUDPPorts = [ 53 5353 ];
}