# Unbound resolver for fw.cloonar.com: static local data for the LAN zones,
# forwarders for a few remote networks, Quad9 for everything else, plus a
# sidecar service (unbound-sync) that pushes Kea DHCP leases into unbound.
{ config, pkgs, ... }:
let
  # Fixed uid/gid table imported from ../modules/staticids.nix (not visible here).
  cids = import ../modules/staticids.nix;
  # ACME certificate name whose files are made readable to the unbound group.
  domain = "ns.cloonar.com";
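cfg = {
  # unbound-control is required by the unbound-sync service defined below.
  # The NixOS module provides the control interface and keys; nothing in this
  # file exposes the control channel on a network socket.
  remote-control.control-enable = true;
  server = {
    # Listen on every address of every interface (this host is the firewall),
    # so the access-control list below is the only thing deciding who may
    # query this resolver.
    interface = [ "0.0.0.0" "::0" ];
    interface-automatic = "yes";
    # Client ACL. Unbound uses the most specific matching entry, so the explicit
    # allows win over the catch-all refuse. The former "0.0.0.0/0 allow" made
    # this edge host an open resolver (DNS amplification / cache-snooping
    # target on any public interface). 10.42.100.0/24 (the cloonar.smart
    # devices) was never listed and only worked through that catch-all, so it
    # is now allowed explicitly. If other ranges (e.g. VPN peers) need this
    # resolver, add their prefixes here instead of re-opening the catch-all.
    access-control = [
      "127.0.0.0/8 allow"
      "::1 allow"
      "10.42.96.0/24 allow"
      "10.42.97.0/24 allow"
      "10.42.98.0/24 allow"
      "10.42.99.0/24 allow"
      "10.42.100.0/24 allow"
      "10.42.101.0/24 allow"
      "0.0.0.0/0 refuse"
      "::0/0 refuse"
    ];
    # NOTE(review): the commented path is this host's own ACME leaf chain, not
    # a CA bundle, so it cannot validate upstream TLS servers (which is the
    # likely reason the DoT forwarders below were disabled). For DNS-over-TLS
    # upstreams point tls-cert-bundle at the system CA bundle
    # (/etc/ssl/certs/ca-certificates.crt; the NixOS module may already default
    # to it — verify before relying on that).
    # tls-cert-bundle = "/var/lib/acme/ns.cloonar.com/fullchain.pem";
    # "transparent": names listed in local-data are answered locally, any other
    # name under cloonar.com is still resolved upstream.
    local-zone = "\"cloonar.com\" transparent";
    local-data = [
      "\"localhost A 127.0.0.1\""
      "\"localhost.cloonar.com A 127.0.0.1\""
      "\"localhost AAAA ::1\""
      "\"localhost.cloonar.com AAAA ::1\""
      "\"fw.cloonar.com A 10.42.97.1\""
      "\"fw A 10.42.97.1\""
      "\"omada.cloonar.com IN A 10.42.97.2\""
      "\"switch.cloonar.com IN A 10.42.97.10\""
      "\"mopidy.cloonar.com IN A 10.42.97.21\""
      "\"deconz.cloonar.com IN A 10.42.97.22\""
      "\"snapcast.cloonar.com IN A 10.42.97.21\""
      "\"home-assistant.cloonar.com IN A 10.42.97.20\""
      "\"git.cloonar.com IN A 10.42.97.50\""
      # Remote networks reachable through the 10.254.0.0/16 range.
      "\"stage.wsw.at IN A 10.254.235.22\""
      "\"prod.wsw.at IN A 10.254.217.23\""
      "\"piwik.wohnservice-wien.at IN A 10.254.240.109\""
      "\"wohnservice-wien.at IN A 10.254.240.109\""
      "\"mieterhilfe.at IN A 10.254.240.109\""
      "\"wohnpartner-wien.at IN A 10.254.240.109\""
      "\"wohnberatung-wien.at IN A 10.254.240.109\""
      "\"wienbautvor.at IN A 10.254.240.109\""
      "\"wienwohntbesser.at IN A 10.254.240.109\""
      "\"b.wohnservice-wien.at IN A 10.254.240.109\""
      "\"b.mieterhilfe.at IN A 10.254.240.109\""
      "\"b.wohnpartner-wien.at IN A 10.254.240.109\""
      "\"b.wohnberatung-wien.at IN A 10.254.240.109\""
      "\"b.wienbautvor.at IN A 10.254.240.109\""
      "\"b.wienwohntbesser.at IN A 10.254.240.109\""
      "\"a.wohnservice-wien.at IN A 10.254.240.109\""
      "\"a.wohnpartner-wien.at IN A 10.254.240.109\""
      "\"a.stage.wohnservice-wien.at IN A 10.254.240.110\""
      "\"a.stage.mieterhilfe.at IN A 10.254.240.110\""
      "\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\""
      "\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\""
      "\"a.stage.wienbautvor.at IN A 10.254.240.110\""
      "\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
      "\"b.stage.wohnservice-wien.at IN A 10.254.240.110\""
      "\"b.stage.mieterhilfe.at IN A 10.254.240.110\""
      "\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\""
      "\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\""
      "\"b.stage.wienbautvor.at IN A 10.254.240.110\""
      "\"b.stage.wienwohntbesser.at IN A 10.254.240.110\""
      "\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
      "\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
      "\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
      "\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
      "\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
      "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
      # 10.42.99.0/24: cloonar.multimedia
      "\"deconz.cloonar.multimedia IN A 10.42.97.22\""
      "\"metz.cloonar.multimedia IN A 10.42.99.10\""
      # "\"ps5.cloonar.multimedia IN A 10.42.99.12\""
      "\"xbox.cloonar.multimedia IN A 10.42.99.13\""
      # "\"switch.cloonar.multimedia IN A 10.42.99.14\""
      # 10.42.100.0/24: cloonar.smart (Shelly devices)
      # living room
      "\"shellycolorbulb-livingroom-1.cloonar.smart IN A 10.42.100.2\""
      "\"shellycolorbulb-livingroom-2.cloonar.smart IN A 10.42.100.3\""
      "\"shellycolorbulb-livingroom-3.cloonar.smart IN A 10.42.100.4\""
      "\"shellycolorbulb-livingroom-4.cloonar.smart IN A 10.42.100.5\""
      "\"shellycolorbulb-livingroom-5.cloonar.smart IN A 10.42.100.6\""
      "\"shellycolorbulb-livingroom-6.cloonar.smart IN A 10.42.100.7\""
      "\"shellyuni-livingroom-1.cloonar.smart IN A 10.42.100.8\""
      "\"shellyswitch25-livingroom-1.cloonar.smart IN A 10.42.100.9\""
      "\"shellyplug-s-living-1.cloonar.smart IN A 10.42.100.10\""
      "\"shellyplug-s-living-2.cloonar.smart IN A 10.42.100.11\""
      # kitchen
      "\"shellyplug-s-kitchen-1.cloonar.smart IN A 10.42.100.17\""
      "\"shellyrgbw2-kitchen-1.cloonar.smart IN A 10.42.100.18\""
      # bedroom
      "\"shelly1-bedroom-1.cloonar.smart IN A 10.42.100.33\""
      "\"shellybutton1-bedroom-1.cloonar.smart IN A 10.42.100.34\""
      "\"shellybutton1-bedroom-2.cloonar.smart IN A 10.42.100.35\"" # todo
      "\"shellyrgbw2-bedroom-1.cloonar.smart IN A 10.42.100.36\""
      "\"shellyrgbw2-bedroom-2.cloonar.smart IN A 10.42.100.37\""
      "\"shellyrgbw2-bedroom-3.cloonar.smart IN A 10.42.100.38\""
      # bath
      "\"shellyswitch25-bath-1.cloonar.smart IN A 10.42.100.49\""
      "\"shellybulbduo-bath-1.cloonar.smart IN A 10.42.100.50\""
      "\"shellybulbduo-bath-2.cloonar.smart IN A 10.42.100.51\""
      "\"shelly1pm-bath-1.cloonar.smart IN A 10.42.100.52\""
      "\"shellyht-bath-1.cloonar.smart IN A 10.42.100.53\"" # todo
      # hallway
      "\"shelly1-hallway-1.cloonar.smart IN A 10.42.100.65\""
      "\"shellycolorbulb-hallway-1.cloonar.smart IN A 10.42.100.66\""
      "\"shellycolorbulb-hallway-2.cloonar.smart IN A 10.42.100.67\""
      "\"shellycolorbulb-hallway-3.cloonar.smart IN A 10.42.100.68\""
      "\"shellycolorbulb-hallway-4.cloonar.smart IN A 10.42.100.69\""
      "\"shellyem3.cloonar.smart IN A 10.42.100.70\""
      "\"shellypro-1.cloonar.smart IN A 10.42.100.71\""
      "\"shellypro-2.cloonar.smart IN A 10.42.100.72\""
      # toilet
      "\"shelly1-toilet-1.cloonar.smart IN A 10.42.100.81\""
      "\"shellybulbduo-toilet-1.cloonar.smart IN A 10.42.100.82\""
      # storage
      "\"shelly1-storage-1.cloonar.smart IN A 10.42.100.97\""
      # Public names pinned to fixed addresses. These override whatever the
      # upstream resolver would return and silently go stale when the operator
      # of those hosts moves them; review periodically.
      "\"ddl-warez.to IN A 172.67.184.30\""
      "\"cdnjs.cloudflare.com IN A 104.17.24.14\""
    ];
    # Reverse entries for the static addresses above (one name per address).
    local-data-ptr = [
      "\"127.0.0.1 localhost\""
      "\"::1 localhost\""
      "\"10.42.97.1 fw.cloonar.com\""
      "\"10.42.97.20 home-assistant.cloonar.com\""
      "\"10.42.97.21 snapcast.cloonar.com\""
      "\"10.42.97.22 deconz.cloonar.com\""
      "\"10.42.97.50 git.cloonar.com\""
      "\"10.254.235.22 stage.wsw.at\""
      "\"10.254.217.23 prod.wsw.at\""
      "\"10.254.240.109 wohnservice-wien.at\""
      "\"10.254.240.110 a.stage.wohnservice-wien.at\""
      "\"172.67.184.30 ddl-warez.to\""
      "\"104.17.24.14 cdnjs.cloudflare.com\""
    ];
    # Legacy spelling of tls-upstream; left disabled (see tls-cert-bundle note).
    # ssl-upstream = "yes";
  };
  # Conditional forwarders for remote networks (targets are forward servers,
  # not clients of this resolver, hence they are not in access-control).
  forward-zone = [
    {
      name = "ghetto.at.local.";
      forward-addr = [
        "10.43.97.1"
      ];
    }
    {
      name = "epicenter.works.";
      forward-addr = [
        "10.50.60.1"
      ];
    }
    {
      name = "akvorrat.at.";
      forward-addr = [
        "10.50.60.1"
      ];
    }
    {
      name = "epicenter.intra.";
      forward-addr = [
        "10.14.1.1"
      ];
    }
    {
      name = "intra.epicenter.works.";
      forward-addr = [
        "10.14.1.1"
      ];
    }
    {
      # Default forwarder: Quad9 over plain DNS. The DNS-over-TLS variants
      # (address@853#hostname) were tried and disabled; re-enabling them also
      # needs a usable tls-cert-bundle and forward-tls-upstream = "yes" here.
      name = ".";
      # forward-addr = "104.16.248.249@853#cloudflare-dns.com";
      forward-addr = [
        # "9.9.9.9@853#dns9.quad9.net"
        # "149.112.112.11@853#dns11.quad9.net"
        # "9.9.9.9@853"
        # "149.112.112.11@853"
        "9.9.9.9"
        "149.112.112.11"
      ];
    }
  ];
};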
in {
# Dedicated unbound account with pinned ids from the shared id table.
users = {
  users.unbound = {
    isSystemUser = true;
    group = "unbound";
    uid = cids.uids.unbound;
  };
  groups.unbound.gid = cids.gids.unbound;
};
# Make the ACME material for ns.cloonar.com and fw.cloonar.com readable to
# the unbound group.
# NOTE(review): nothing in this module references these certificates (the
# tls-cert-bundle line is commented out and no tls-service-key/pem is set),
# so this grants the unbound group read access to private keys it does not
# use; drop the group override unless a consumer exists elsewhere.
security.acme.certs = {
  "${domain}" = { group = "unbound"; };
  "fw.cloonar.com" = { group = "unbound"; };
};
# Hand the settings tree assembled above to the NixOS unbound module.
services.unbound = {
  enable = true;
  settings = cfg;
};
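# Publish Kea DHCPv4 leases into unbound as A/PTR local data so LAN hosts are
# resolvable under the hostname they sent in their DHCP request.
# Caveats visible from the script itself:
#   * hostnames are client-supplied; they are syntax-checked before use, but a
#     client can still claim a label that collides with a static local-data
#     entry (unbound then serves both addresses for that name);
#   * records are only ever added (no local_data_remove), so stale leases
#     persist until unbound restarts;
#   * the lease file is polled every 10 s; inotify-tools is on PATH but unused.
systemd.services.unbound-sync = {
  enable = true;
  path = with pkgs; [ unbound inotify-tools ];
  script = ''
    # Hostname syntax accepted from DHCP clients: letters, digits, dash and dot
    # with an optional trailing dot. The value is passed to unbound-control and
    # becomes DNS data, so anything else is rejected rather than interpreted.
    hostnameRe='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?\.?''\$'
    # Hostnames that already end in one of our zones are published verbatim.
    fqdnRe='\.(cloonar\.com|cloonar\.multimedia|cloonar\.smart)\.?''\$'

    # Emit "address,hostname" per active lease. The field lists mirror the
    # column layout of Kea dhcp4 / dhcp6 lease CSV files (header row skipped).
    function readFile() {
      if [[ "''\$2" == "A" ]] ; then
        tail -n +2 "''\$1" | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context
        do
          # Kea lease state: 0 = active, 1 = declined, 2 = expired-reclaimed.
          # Lease files without a state column are treated as active.
          [[ "''\${state:-0}" == "0" ]] || continue
          echo "''\${address},''\${hostname}"
        done
      else
        tail -n +2 "''\$1" | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source
        do
          [[ "''\${state:-0}" == "0" ]] || continue
          echo "''\${address},''\${hostname}"
        done
      fi
    }

    # publish NAME TYPE ADDRESS: add the forward record and, for A records,
    # the matching in-addr.arpa PTR. unbound-control failures (e.g. unbound
    # not ready yet) are logged and skipped so one bad lease does not kill the
    # sync loop under the -e shell NixOS wraps this script in.
    function publish() {
      local name="''\$1" rtype="''\$2" address="''\$3"
      echo "''\${name} ''\${rtype} ''\${address}"
      unbound-control local_data "''\${name}" "''\${rtype}" "''\${address}" \
        || echo "unbound-sync: could not add ''\${name} ''\${rtype} ''\${address}" >&2
      if [[ "''\${rtype}" == "A" ]] ; then
        IFS=. read -r ip0 ip1 ip2 ip3 <<< "''\${address}"
        # PTR target must be a fully qualified name, hence the trailing dot.
        unbound-control local_data "''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa." PTR "''\${name%.}." \
          || echo "unbound-sync: could not add PTR for ''\${address}" >&2
      fi
    }

    function readFileUnique() {
      local file="''\$1" rtype="''\$2"
      # sort -u rather than uniq: Kea appends a row per lease change, so
      # duplicate rows are rarely adjacent.
      readFile "''\$file" "''\$rtype" | sort -u | while IFS=, read -r address hostname
      do
        # Leases without a client-supplied hostname carry nothing to publish.
        [[ -n "''\${hostname}" ]] || continue
        if ! [[ "''\${hostname}" =~ ''\$hostnameRe ]]; then
          echo "unbound-sync: ignoring lease ''\${address} with unsafe hostname" >&2
          continue
        fi
        if [[ "''\${hostname}" =~ ''\$fqdnRe ]]; then
          # Already carries one of our zones: publish as-is.
          publish "''\${hostname}" "''\$rtype" "''\${address}"
        elif [[ "''\$rtype" == "A" ]]; then
          # Bare hostname: derive the zone from the third octet of the lease.
          IFS=. read -r ip0 ip1 ip2 ip3 <<< "''\${address}"
          domain=cloonar.com
          case "''\${ip2}" in
            99)  domain=cloonar.multimedia ;;
            100) domain=cloonar.smart ;;
          esac
          publish "''\${hostname%.}.''\${domain}" "''\$rtype" "''\${address}"
        fi
      done
    }

    function syncFile() {
      while true; do
        readFileUnique "''\$1" "''\$2"
        sleep 10
      done
    }
    syncFile "/var/lib/kea/dhcp4.leases" A &
    # syncFile "/var/lib/kea/dhcp6.leases" AAAA &
    wait
  '';
  wants = [ "network-online.target" "unbound.service" ];
  after = [ "network-online.target" "unbound.service" ];
  partOf = [ "unbound.service" ];
  wantedBy = [ "multi-user.target" ];
};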
# Opens UDP 53 (unbound) and 5353 (presumably mDNS; not used by unbound) on
# every interface. Since unbound also listens on every interface, only its
# access-control list decides who may actually query.
# NOTE(review): TCP 53 is not opened, so clients that retry over TCP after a
# truncated UDP answer cannot reach this resolver; prefer scoping both
# protocols to the LAN-facing interfaces via
# networking.firewall.interfaces.<name>.allowed{UDP,TCP}Ports instead of
# opening them globally on the firewall host.
networking.firewall.allowedUDPPorts = [ 53 5353 ];
}