forked from Deuxfleurs/nixcfg
Improve DNS configuration
Add Unbound server that separates queries between those going to Consul and those going elsewhere. This allows us to have DNS working even if Consul fails for some reason. This way we can also remove the secondary `nameserver` entry in /etc/resolv.conf, thus fixing a bug where certain containers (Alpine-based images?) were using the secondary resolver some of the time, making them unable to access .consul hosts.
This commit is contained in:
parent
e81716e41e
commit
6ec9aad801
1 changed files with 38 additions and 4 deletions
|
@ -165,9 +165,46 @@ in
|
||||||
interface = cfg.network_interface;
|
interface = cfg.network_interface;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Configure Unbound DNS to redirect to Consul queries under .consul
|
||||||
|
# and to pass directly to public DNS resolver all others
|
||||||
|
services.unbound = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
server = {
|
||||||
|
interface = [ "127.0.0.1" "${cfg.lan_ip}" ];
|
||||||
|
domain-insecure = [ "consul." ];
|
||||||
|
local-zone = [ "consul. nodefault" ];
|
||||||
|
log-servfail = true;
|
||||||
|
access-control = [
|
||||||
|
"127.0.0.0/8 allow"
|
||||||
|
"${cfg.lan_ip}/${toString cfg.lan_ip_prefix_length} allow"
|
||||||
|
"172.17.0.0/16 allow"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
forward-zone = [
|
||||||
|
# Forward .consul queries to Consul daemon
|
||||||
|
{
|
||||||
|
name = "consul.";
|
||||||
|
forward-addr = "${cfg.lan_ip}@8600";
|
||||||
|
forward-no-cache = true;
|
||||||
|
forward-tcp-upstream = false;
|
||||||
|
forward-tls-upstream = false;
|
||||||
|
}
|
||||||
|
# Forward all queries to our ISP's nameserver
|
||||||
|
{
|
||||||
|
name = ".";
|
||||||
|
forward-addr = cfg.nameservers;
|
||||||
|
forward-first = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
resolveLocalQueries = false; # don't overwrite our resolv.conf
|
||||||
|
};
|
||||||
|
# Reach Unbound through the IP of our LAN interface,
|
||||||
|
# instead of 127.0.0.1 (this will also work in Docker containers)
|
||||||
networking.nameservers = [
|
networking.nameservers = [
|
||||||
cfg.lan_ip
|
cfg.lan_ip
|
||||||
] ++ cfg.nameservers;
|
];
|
||||||
|
|
||||||
# Configure Wireguard VPN between all nodes
|
# Configure Wireguard VPN between all nodes
|
||||||
networking.wireguard.interfaces.wg0 = {
|
networking.wireguard.interfaces.wg0 = {
|
||||||
|
@ -212,14 +249,11 @@ in
|
||||||
ports = {
|
ports = {
|
||||||
http = -1;
|
http = -1;
|
||||||
https = 8501;
|
https = 8501;
|
||||||
dns = 53;
|
|
||||||
};
|
};
|
||||||
performance = {
|
performance = {
|
||||||
rpc_hold_timeout = "70s";
|
rpc_hold_timeout = "70s";
|
||||||
};
|
};
|
||||||
|
|
||||||
recursors = [ cfg.nameservers ];
|
|
||||||
|
|
||||||
ca_file = "/var/lib/consul/pki/consul-ca.crt";
|
ca_file = "/var/lib/consul/pki/consul-ca.crt";
|
||||||
cert_file = "/var/lib/consul/pki/consul2022.crt";
|
cert_file = "/var/lib/consul/pki/consul2022.crt";
|
||||||
key_file = "/var/lib/consul/pki/consul2022.key";
|
key_file = "/var/lib/consul/pki/consul2022.key";
|
||||||
|
|
Loading…
Reference in a new issue