diff --git a/modules/nixos/services/nameservers/recursive.nix b/modules/nixos/services/nameservers/recursive.nix new file mode 100644 index 0000000..dd807a0 --- /dev/null +++ b/modules/nixos/services/nameservers/recursive.nix @@ -0,0 +1,70 @@ +{ + config, + lib, + allHosts, + ... +}: +let + cfg = config.custom.services.recursive-nameserver; + netCfg = config.custom.networking; + + privateNameservers = + allHosts + |> lib.attrValues + |> lib.filter (host: host.config.custom.services.private-nameserver.enable); +in +{ + options.custom.services.recursive-nameserver = { + enable = lib.mkEnableOption ""; + port = lib.mkOption { + type = lib.types.port; + default = 53; + }; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + services = { + unbound = { + enable = true; + settings.server = { + interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ]; + access-control = [ "${toString netCfg.overlay.networkCidr} allow" ]; + }; + }; + + nebula.networks.mesh.firewall.inbound = lib.singleton { + inherit (cfg) port; + proto = "any"; + host = "any"; + }; + }; + + systemd.services.unbound = { + requires = [ netCfg.overlay.systemdUnit ]; + after = [ netCfg.overlay.systemdUnit ]; + }; + } + + (lib.mkIf (privateNameservers != [ ]) { + services.unbound.settings = { + server = { + local-zone = ''"${netCfg.overlay.domain}." nodefault''; + domain-insecure = netCfg.overlay.domain; + }; + + stub-zone = lib.singleton { + name = netCfg.overlay.domain; + stub-addr = + privateNameservers + |> lib.map ( + host: + "${host.config.custom.networking.overlay.address}@${toString host.config.custom.services.private-nameserver.port}" + ); + }; + }; + }) + ] + ); +}