From 6ec9aad801e1d87d0be9d795da1b3ba7883c32cd Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Tue, 30 Aug 2022 15:52:42 +0200
Subject: [PATCH] Improve DNS configuration

Add Unbound server that separates queries between those going to Consul and those going elsewhere. This allows us to have DNS working even if Consul fails for some reason. This way we can also remove the secondary `nameserver` entry in /etc/resolv.conf, thus fixing a bug where certain containers (Alpine-based images?) were using the secondary resolver some of the time, making them unable to access .consul hosts.
---
 nix/deuxfleurs.nix | 42 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)

diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 20f0ebe..26c11b0 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -165,9 +165,46 @@ in
 interface = cfg.network_interface;
 };
 
+ # Configure Unbound DNS to redirect to Consul queries under .consul
+ # and to pass directly to public DNS resolver all others
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [ "127.0.0.1" "${cfg.lan_ip}" ];
+ domain-insecure = [ "consul." ];
+ local-zone = [ "consul. nodefault" ];
+ log-servfail = true;
+ access-control = [
+ "127.0.0.0/8 allow"
+ "${cfg.lan_ip}/${toString cfg.lan_ip_prefix_length} allow"
+ "172.17.0.0/16 allow"
+ ];
+ };
+ forward-zone = [
+ # Forward .consul queries to Consul daemon
+ {
+ name = "consul.";
+ forward-addr = "${cfg.lan_ip}@8600";
+ forward-no-cache = true;
+ forward-tcp-upstream = false;
+ forward-tls-upstream = false;
+ }
+ # Forward all queries to our ISP's nameserver
+ {
+ name = ".";
+ forward-addr = cfg.nameservers;
+ forward-first = true;
+ }
+ ];
+ };
+ resolveLocalQueries = false; # don't overwrite our resolv.conf
+ };
+ # Reach Unbound through the IP of our LAN interface,
+ # instead of 127.0.0.1 (this will also work in Docker containers)
 networking.nameservers = [
 cfg.lan_ip
- ] ++ cfg.nameservers;
+ ];
 
 # Configure Wireguard VPN between all nodes
 networking.wireguard.interfaces.wg0 = {
@@ -212,14 +249,11 @@ in
 ports = {
 http = -1;
 https = 8501;
- dns = 53;
 };
 performance = {
 rpc_hold_timeout = "70s";
 };
 
- recursors = [ cfg.nameservers ];
-
 ca_file = "/var/lib/consul/pki/consul-ca.crt";
 cert_file = "/var/lib/consul/pki/consul2022.crt";
 key_file = "/var/lib/consul/pki/consul2022.key";
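Review bot: The `access-control` list in the new `services.unbound` block hard-codes `172.17.0.0/16`, which covers only Docker's default bridge; containers on user-defined networks are usually allocated from other 172.x/16 ranges and, as far as I can tell, would fall under Unbound's default refuse policy despite the comment promising that this will also work in Docker containers. Either derive the allowed range from the Docker configuration or document the assumption, e.g. `# 172.17.0.0/16 is Docker's default bridge; containers on user-defined networks need their subnet added here`. The `forward-first = true` on the `"."` zone also deserves a comment, since it means Unbound falls back to full recursion from the roots when `cfg.nameservers` fail to answer, a different failure mode from the Consul outage the commit message describes. Binding on `cfg.lan_ip` with the whole LAN prefix allowed makes every host on that subnet a permitted client, so whether port 53 is actually reachable from the LAN depends on firewall rules not changed in this hunk; a comment stating that intent would help the next reader.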