path: root/archetypes/profiles/router/unbound.nix
authorTim Keller <tjk@tjkeller.xyz>2025-12-30 23:38:51 -0600
committerTim Keller <tjk@tjkeller.xyz>2025-12-30 23:38:51 -0600
commitd4db2f41db471ee25a03d9cdae37f55301b98f22 (patch)
treef83cef60d485837f490b9ede4fec7e18055b9bd8 /archetypes/profiles/router/unbound.nix
parent39180d50fd978a3a2106ce1d060e847e14eae38f (diff)
The unbound config in the router profile is now services/router/dns.nix: unbound + dnsmasq config for local resolution and DHCP.
Diffstat (limited to 'archetypes/profiles/router/unbound.nix')
-rw-r--r--archetypes/profiles/router/unbound.nix70
1 files changed, 0 insertions, 70 deletions
diff --git a/archetypes/profiles/router/unbound.nix b/archetypes/profiles/router/unbound.nix
deleted file mode 100644
index 1322193..0000000
--- a/archetypes/profiles/router/unbound.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{
- services.unbound = {
- enable = true;
- _blocklists = {
- enable = true;
- blocklists = {
- hageziNSFW = [
- "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
- "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
- "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
- ];
- hageziPro = [
- "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
- "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
- "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
- ];
- };
- };
- settings = {
- server = {
- # Listen on all interfaces (or specify specific IPs)
- interface = [ "0.0.0.0" "::0" ];
-
- # Allow queries from local networks
- access-control = [
- "127.0.0.0/8 allow"
- "192.168.0.0/16 allow"
- "10.0.0.0/8 allow"
- "172.16.0.0/12 allow"
- ];
-
- ## Enable DNSSEC validation
- #auto-trust-anchor-file: "/var/unbound/root.key"
-
- # Harden against out-of-zone data
- harden-referral-path = true;
- harden-dnssec-stripped = true;
-
- # Privacy options
- qname-minimisation = true;
-
- # Cache settings
- cache-min-ttl = 300;
- cache-max-ttl = 86400;
-
- # Hide version
- hide-identity = true;
- hide-version = true;
-
- # Based on recommended settings in https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
- harden-glue = true;
- use-caps-for-id = false;
- prefetch = true;
- edns-buffer-size = 1232;
- };
- # Forward unknown to public resolver via DoT
- forward-zone = [
- {
- name = ".";
- forward-addr = [
- "9.9.9.9#dns.quad9.net"
- "149.112.112.112#dns.quad9.net"
- ];
- forward-tls-upstream = true; # Encrypted DNS
- }
- ];
- remote-control.control-enable = true;
- };
- };
-}