diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 20f0ebe..26c11b0 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -165,9 +165,46 @@ in
 interface = cfg.network_interface;
 };
 
+# Configure Unbound DNS to redirect to Consul queries under .consul
+# and to pass directly to public DNS resolver all others
+services.unbound = {
+enable = true;
+settings = {
+server = {
+interface = [ "127.0.0.1" "${cfg.lan_ip}" ];
+domain-insecure = [ "consul." ];
+local-zone = [ "consul. nodefault" ];
+log-servfail = true;
+access-control = [
+"127.0.0.0/8 allow"
+"${cfg.lan_ip}/${toString cfg.lan_ip_prefix_length} allow"
+"172.17.0.0/16 allow"
+];
+};
+forward-zone = [
+# Forward .consul queries to Consul daemon
+{
+name = "consul.";
+forward-addr = "${cfg.lan_ip}@8600";
+forward-no-cache = true;
+forward-tcp-upstream = false;
+forward-tls-upstream = false;
+}
+# Forward all queries to our ISP's nameserver
+{
+name = ".";
+forward-addr = cfg.nameservers;
+forward-first = true;
+}
+];
+};
+resolveLocalQueries = false; # don't overwrite our resolv.conf
+};
+# Reach Unbound through the IP of our LAN interface,
+# instead of 127.0.0.1 (this will also work in Docker containers)
 networking.nameservers = [
 cfg.lan_ip
-] ++ cfg.nameservers;
+];
 
 # Configure Wireguard VPN between all nodes
 networking.wireguard.interfaces.wg0 = {
@@ -212,14 +249,11 @@ in
 ports = {
 http = -1;
 https = 8501;
-dns = 53;
 };
 performance = {
 rpc_hold_timeout = "70s";
 };
-recursors = [ cfg.nameservers ];
-
 ca_file = "/var/lib/consul/pki/consul-ca.crt";
 cert_file = "/var/lib/consul/pki/consul2022.crt";
 key_file = "/var/lib/consul/pki/consul2022.key";
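Review bot: Dropping `++ cfg.nameservers` from `networking.nameservers` removes the host's only fallback resolver, so with `resolveLocalQueries = false` a failure of the Unbound service (or of the `cfg.lan_ip` address it binds to) now leaves the node and every container pointed at `cfg.lan_ip` without name resolution at all. If that is the intended trade-off for consistent `.consul` answers, the comment above the list should say so, e.g. `# No fallback resolver on purpose: a second entry would intermittently bypass .consul forwarding`. The `access-control` entry `"172.17.0.0/16 allow"` looks like a hard-coded Docker default bridge range; clients on other container networks would hit Unbound's default refuse policy rather than get an answer, so either derive the range from the Docker configuration or document the assumption next to it. The enclosing attribute set starts before and ends after this hunk.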