| author | Tim Keller <tjk@tjkeller.xyz> | 2025-12-30 18:29:25 -0600 |
|---|---|---|
| committer | Tim Keller <tjk@tjkeller.xyz> | 2025-12-30 18:29:25 -0600 |
| commit | 39180d50fd978a3a2106ce1d060e847e14eae38f (patch) | |
| tree | 8fa30dcb6e2c73584a55e77f773004f36c403fa2 /archetypes/profiles/router | |
| parent | 69c65f81b920574fe34fd603a2b3051a615ca7ae (diff) | |
| parent | 373376dc84112ae0bb8ce002af8d5d868f72b4ac (diff) | |
Merge branch 'master' of publicgit:nixos
Diffstat (limited to 'archetypes/profiles/router')
| -rw-r--r-- | archetypes/profiles/router/default.nix | 15 | ||||
| -rw-r--r-- | archetypes/profiles/router/unbound.nix | 70 |
2 files changed, 85 insertions, 0 deletions
diff --git a/archetypes/profiles/router/default.nix b/archetypes/profiles/router/default.nix
new file mode 100644
index 0000000..0818a6b
--- /dev/null
+++ b/archetypes/profiles/router/default.nix
@@ -0,0 +1,15 @@
+{ lib, pkgs, ... }: let
+ mkRouter = lib.mkOverride 800;
+
+ # TODO pass mkRouter
+ #imports = [
+ # ./unbound.nix
+ #];
+
+ nixosConfig = {};
+
+ homeConfig = {};
+in {
+ imports = [ (lib._mkProfileArchetype "router" nixosConfig homeConfig) ];
+}
+
diff --git a/archetypes/profiles/router/unbound.nix b/archetypes/profiles/router/unbound.nix
new file mode 100644
index 0000000..1322193
--- /dev/null
+++ b/archetypes/profiles/router/unbound.nix
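Review bot: The commented-out `#imports = [ # ./unbound.nix #];` sits inside the `let` block, where a binding named `imports` is never referenced, so uncommenting it as written would still not load `./unbound.nix`; it has to appear in the attrset returned after `in` (or be routed through `lib._mkProfileArchetype`) for the module system to pick it up. `mkRouter` is defined but unused in this file, as the TODO acknowledges, and the `pkgs` argument is taken but unused. Until that wiring lands, nothing in this commit actually evaluates the new `unbound.nix`, so its settings are untested.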
@@ -0,0 +1,70 @@
+{
+ services.unbound = {
+ enable = true;
+ _blocklists = {
+ enable = true;
+ blocklists = {
+ hageziNSFW = [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
+ ];
+ hageziPro = [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
+ ];
+ };
+ };
+ settings = {
+ server = {
+ # Listen on all interfaces (or specify specific IPs)
+ interface = [ "0.0.0.0" "::0" ];
+
+ # Allow queries from local networks
+ access-control = [
+ "127.0.0.0/8 allow"
+ "192.168.0.0/16 allow"
+ "10.0.0.0/8 allow"
+ "172.16.0.0/12 allow"
+ ];
+
+ ## Enable DNSSEC validation
+ #auto-trust-anchor-file: "/var/unbound/root.key"
+
+ # Harden against out-of-zone data
+ harden-referral-path = true;
+ harden-dnssec-stripped = true;
+
+ # Privacy options
+ qname-minimisation = true;
+
+ # Cache settings
+ cache-min-ttl = 300;
+ cache-max-ttl = 86400;
+
+ # Hide version
+ hide-identity = true;
+ hide-version = true;
+
+ # Based on recommended settings in https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
+ harden-glue = true;
+ use-caps-for-id = false;
+ prefetch = true;
+ edns-buffer-size = 1232;
+ };
+ # Forward unknown to public resolver via DoT
+ forward-zone = [
+ {
+ name = ".";
+ forward-addr = [
+ "9.9.9.9#dns.quad9.net"
+ "149.112.112.112#dns.quad9.net"
+ ];
+ forward-tls-upstream = true; # Encrypted DNS
+ }
+ ];
+ remote-control.control-enable = true;
+ };
+ };
+} |
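Review bot: `interface = [ "0.0.0.0" "::0" ];` binds the resolver on every interface, which on a router profile includes the WAN side, while the `access-control` list only allows IPv4 RFC1918 ranges, so every IPv6 client (including `::1` and LAN addresses) is refused unless the NixOS module merges its own default entries in — worth confirming before relying on it. Prefer listing the LAN interface addresses, or keep the wildcard and add explicit entries such as `"::1/128 allow"` plus the LAN IPv6 prefix, and consider `"0.0.0.0/0 refuse"` / `"::0/0 refuse"` so the WAN-facing policy is stated rather than implied. The `forward-tls-upstream = true;` forwarder only verifies `dns.quad9.net` if `tls-cert-bundle` is set in `server`; the NixOS module appears to supply one by default, but declaring it here documents the assumption the DoT setup depends on. The commented `#auto-trust-anchor-file: "/var/unbound/root.key"` is unbound.conf syntax rather than Nix and will not evaluate if uncommented, so `harden-dnssec-stripped = true;` only has effect while `services.unbound.enableRootTrustAnchor` stays at its default; a comment saying so would help the next reader.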
