blob: 498162d13ccd129d34f338de3efee46707f416f6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
{ pkgs, lib, config, ... }:
with import <stockholm/lib>;
let
upstream-server = "8.8.8.8";
local_ip = "192.168.10.10";
extra-config = pkgs.writeText "local.conf" ''
server:
local-data: "piratebox. A ${local_ip}"
local-data: "store. A ${local_ip}"
local-data: "share. A ${local_ip}"
'';
# see https://github.com/zeropingheroes/lancache for full docs
lancache-dns = pkgs.stdenv.mkDerivation rec {
name = "lancache-dns-2017-06-28";
src = pkgs.fetchFromGitHub {
# forked: https://github.com/zeropingheroes/lancache-dns
repo = "lancache-dns";
owner = "zeropingheroes";
rev = "420aa62";
sha256 = "0ik7by7ripdv2avyy5kk9jp1i7rz9ksc8xmg7n9iik365q9pv94m";
};
phases = [ "unpackPhase" "installPhase" ];
# here we have the chance to edit `includes/proxy-cache-paths.conf`
installPhase = ''
mkdir -p $out
cp -r * $out/
'';
};
stateDir = "/var/lib/unbound";
user = "unbound";
in {
services.unbound = {
enable = true;
allowedAccess = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
interfaces = ["0.0.0.0" "::" ];
forwardAddresses = [ upstream-server ];
extraConfig = ''
include: "${stateDir}/lancache/*.conf"
include: "${extra-config}"
'';
};
services.dnscrypt-proxy.enable = lib.mkForce false;
virtualisation.libvirtd.enable = lib.mkForce false;
systemd.services.dns-lancache-prepare = {
wantedBy = [ "unbound.service" ];
before = [ "unbound.service" ];
after = [ "network-online.target" ];
partOf= [ "unbound.service" ];
path = [ pkgs.gawk pkgs.iproute pkgs.gnused ];
script = ''
set -xeu
# current_ip=$(ip route get 8.8.8.8 | awk '/8.8.8.8/ {print $NF}')
current_ip=${local_ip}
old_ip=10.1.1.250
mkdir -p ${stateDir}
rm -rvf ${stateDir}/lancache
cp -r ${lancache-dns}/upstreams-available ${stateDir}/lancache
sed -i "s/$old_ip/$current_ip/g" ${stateDir}/lancache/*.conf
chown -R unbound ${stateDir}
'';
};
networking.firewall.allowedUDPPorts = [ 53 ];
}
|