DNS Server

This commit is contained in:
Lucas Thelen 2025-09-26 04:19:40 +00:00
parent ac3f55966b
commit 4b1d75b0e0
7 changed files with 91 additions and 20 deletions


@ -12,6 +12,7 @@
./packages.nix
./users.nix
./networking/ssh.nix
./networking/adblock.nix
];
};
};


@ -4,29 +4,27 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/887383a8-555c-4156-9b62-337ae007ce51";
fileSystems."/" = {
device = "/dev/disk/by-uuid/887383a8-555c-4156-9b62-337ae007ce51";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6979-163D";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/6979-163D";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/3fc91af7-13f4-4088-bb9a-7d6c8adf6d73"; }
];
[{ device = "/dev/disk/by-uuid/3fc91af7-13f4-4088-bb9a-7d6c8adf6d73"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
@ -47,5 +45,6 @@
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}

71
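--- /dev/null
+++ b/networking/adblock.nix
+{ config, lib, pkgs, ... }:
+let
+adblockLocalZones = pkgs.stdenv.mkDerivation {
+name = "unbound-zones-adblock";
+src = (pkgs.fetchFromGitHub {
+owner = "StevenBlack";
+repo = "hosts";
+rev = "3.16.20";
+sha256 = "sha256-z3VWoF5/evd0n97AmrWgSskaNqVaad0Ex2pn53JHkSk=";
+} + "/hosts");
+phases = [ "installPhase" ];
+installPhase = ''
+${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u > $out
+'';
+};
+in {
+services.resolved.enable = false;
+networking.firewall.allowedTCPPorts = [ 53 ];
+networking.firewall.allowedUDPPorts = [ 53 ];
+services.unbound = {
+enable = true;
+settings = {
+server = {
+port = 53;
+interface = [ "0.0.0.0" "127.0.0.1" ];
+access-control = [
+"127.0.0.0/8 allow"
+"10.0.0.0/8 allow"
+"172.16.0.0/12 allow"
+"192.168.0.0/16 allow"
+];
+include = [ "${adblockLocalZones}" ];
+num-threads = 2;
+so-reuseport = "yes";
+hide-identity = "yes";
+hide-version = "yes";
+qname-minimisation = "yes";
+harden-dnssec-stripped = "yes";
+prefetch = "yes";
+serve-expired = "yes";
+rrset-roundrobin = "yes";
+do-ip6 = "no";
+do-udp = "yes";
+do-tcp = "yes";
+};
+forward-zone = [{
+name = ".";
+forward-tls-upstream = "yes";
+forward-addr = [
+"1.1.1.1@853#cloudflare-dns.com"
+"1.0.0.1@853#cloudflare-dns.com"
+"8.8.8.8@853#dns.google"
+"8.8.4.4@853#dns.google"
+];
+}];
+};
+};
+networking.resolvconf.enable = false;
+environment.etc."resolv.conf".text = ''
+nameserver 127.0.0.1
+options edns0
+'';
+}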
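Review bot: `interface = [ "0.0.0.0" "127.0.0.1" ]` combined with the unscoped `networking.firewall.allowedTCPPorts = [ 53 ]` / `allowedUDPPorts = [ 53 ]` exposes the resolver on every interface to every source; the `access-control` list admits only loopback and RFC 1918 ranges, so anything else should receive REFUSED under unbound's default policy (worth confirming), but that is still a reply to unsolicited traffic should this host ever carry a non-LAN interface. Consider scoping the firewall rule to the LAN interface, e.g. `networking.firewall.interfaces."<lan-if>".allowedUDPPorts = [ 53 ];` plus its TCP counterpart in place of the two global entries, or binding `interface` to the LAN address rather than `0.0.0.0`. `serve-expired = "yes"` is set without `serve-expired-ttl`, so stale answers may be served without a time bound unless the installed unbound version bounds it by default; `serve-expired-ttl = 86400;` caps that in line with RFC 8767. A one-line comment above `access-control` stating that this list is the only thing separating LAN from world queries would help the next reader see why the firewall scope matters.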


@ -10,9 +10,6 @@
};
};
# DNS server
services.resolved.enable = true;
networking = {
nameservers = [ "205.171.3.25" "8.8.8.8" ];


@ -4,5 +4,7 @@
vimPlugins.LazyVim
git
wget
nixfmt-classic
btop
];
}


@ -2,4 +2,5 @@
# System boots
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
nix.settings.experimental.features = [ "nix-commmand" "flakes" ];
}
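Review bot: The `nix.settings.experimental.features = [ "nix-commmand" "flakes" ];` line, which the hunk counts mark as this hunk's single addition, does not name a valid setting and misspells the feature: the Nix setting key is `experimental-features` (hyphenated, a direct key under `nix.settings`), not a nested `experimental.features` attribute, and the feature is `nix-command`, not `nix-commmand`. I expect the NixOS module to reject the nested attribute set at evaluation time, or, if it is accepted, to emit a setting Nix does not recognise, while the misspelled feature would be silently ignored as unknown, so flakes would still not be enabled as intended. The fix is a one-line change: `nix.settings.experimental-features = [ "nix-command" "flakes" ];`.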