# Recursive DNS resolver for this host. unbound listens on two anycast
# addresses that are configured on the loopback interface, and the host
# uses those same addresses as its own nameservers.
{ ... }:

{
  networking = {
    # Anycast resolver addresses, added to lo as single-host prefixes.
    interfaces.lo = {
      ipv6.addresses = [
        { address = "fd00:152:152::1"; prefixLength = 128; }
      ];
      ipv4.addresses = [
        { address = "10.152.0.1"; prefixLength = 32; }
      ];
    };

    # DNS over UDP and TCP. These two options are not scoped to an
    # interface, so port 53 is accepted on every interface of this host;
    # networking.firewall.interfaces.<name> would limit it to chosen ones.
    firewall = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
    };

    # The host resolves through the anycast addresses, not through localhost.
    nameservers = [ "fd00:152:152::1" "10.152.0.1" ];
  };

  services.unbound = {
    enable = true;
    # Do not have the module point the system resolver at a localhost
    # listener; unbound only binds the anycast addresses listed below.
    resolveLocalQueries = false;

    settings.server = {
      # Listen only on the anycast addresses.
      interface = [ "fd00:152:152::1" "10.152.0.1" ];

      # NOTE(review): every source address may query this resolver. With
      # port 53 open on all interfaces, the only limits on who can use it
      # are which networks can route to the two listen addresses and any
      # filtering done elsewhere. Confirm that untrusted segments cannot
      # reach them, or narrow these entries to the internal prefixes.
      access-control = [ "::/0 allow" "0.0.0.0/0 allow" ];

      # Prefer IPv6 transport for upstream queries.
      prefer-ip6 = true;
      # Refresh frequently used cache entries before they expire.
      prefetch = true;

      # Answer from expired cache entries while a refresh is attempted, and
      # extend the stale entry again when that refresh fails.
      # NOTE(review): no serve-expired-ttl is set here, so how long stale
      # data can be served is left to unbound's default. Confirm that bound
      # is acceptable for records that may change.
      serve-expired = true;
      serve-expired-ttl-reset = true;
    };
  };
}