Sanitize DNS configuration

- get rid of outside nameserver, unbound does the recursive resolving
  itself (and it checks DNSSEC)
- remove CAP_NET_BIND_SERVICE for Consul as it is no longer binding on
  port 53 (was already obsolete)
- make unbound config independant of LAN IPv4 address

cluster/staging/site/bespin.nix

@@ -6,7 +6,6 @@
   deuxfleurs.ipv6_default_gateway = "2a02:a03f:6510:5102::1";
   deuxfleurs.lan_ip_prefix_length = 24;
   deuxfleurs.ipv6_prefix_length = 64;
-  deuxfleurs.nameservers = [ "192.168.5.254" ];
   deuxfleurs.cname_target = "bespin.site.staging.deuxfleurs.org.";
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];

cluster/staging/site/corrin.nix

@@ -6,7 +6,6 @@
   deuxfleurs.ipv6_default_gateway = "fe80::7ec1:77ff:fe3e:bb90";
   deuxfleurs.lan_ip_prefix_length = 24;
   deuxfleurs.ipv6_prefix_length = 64;
-  deuxfleurs.nameservers = [ "192.168.1.1" ];
   deuxfleurs.cname_target = "corrin.site.staging.deuxfleurs.org.";
   deuxfleurs.public_ipv4 = "82.120.233.78";
 

cluster/staging/site/jupiter.nix

@@ -6,7 +6,6 @@
   deuxfleurs.ipv6_default_gateway = "fe80::9038:202a:73a0:e73b";
   deuxfleurs.lan_ip_prefix_length = 24;
   deuxfleurs.ipv6_prefix_length = 64;
-  deuxfleurs.nameservers = [ "192.168.1.1" ];
   deuxfleurs.cname_target = "jupiter.site.staging.deuxfleurs.org.";
 
   # no public ipv4 is used for the staging cluster on Jupiter

cluster/staging/site/neptune.nix

@@ -6,7 +6,6 @@
   deuxfleurs.ipv6_default_gateway = "2001:910:1204:1::1";
   deuxfleurs.lan_ip_prefix_length = 24;
   deuxfleurs.ipv6_prefix_length = 64;
-  deuxfleurs.nameservers = [ "192.168.1.1" ];
   deuxfleurs.cname_target = "neptune.site.staging.deuxfleurs.org.";
 
   # no public ipv4 is used for the staging cluster on Neptune,

nix/deuxfleurs.nix

@@ -96,10 +96,6 @@ in
       type = types.nullOr types.str;
       default = null;
     };
-    nameservers = mkOption {
-      description = "External DNS servers to use";
-      type = types.listOf types.str;
-    };
 
     # Parameters common to all nodes
     cluster_name = mkOption {
@@ -190,47 +186,36 @@ in
       };
     };
 
-    # Configure Unbound DNS to redirect to Consul queries under .consul
+    # Configure Unbound as a central DNS server for everything
-    # and to pass directly to public DNS resolver all others
+    # - is its own recursor (applies DNSSec) for everything,
+    #   no need to declare an outside nameserver
+    # - redirects to Consul queries under .consul
     services.unbound = {
       enable = true;
-      enableRootTrustAnchor = false;  # disable DNSSEC as it causes issues
       settings = {
         server = {
-          interface = [ "127.0.0.1" "${cfg.lan_ip}" "172.17.0.1" ];
+          interface = [ "127.0.0.1" "172.17.0.1" ];
           domain-insecure = [ "consul." ];
           local-zone = [ "consul. nodefault" ];
           log-servfail = true;
           access-control = [
             "127.0.0.0/8 allow"
-            "${cfg.lan_ip}/${toString cfg.lan_ip_prefix_length} allow"
             "172.17.0.0/16 allow"
           ];
         };
-        forward-zone = [
+        stub-zone = [
           # Forward .consul queries to Consul daemon
           {
             name = "consul.";
-            forward-addr = "${cfg.lan_ip}@8600";
+            stub-addr = "${cfg.cluster_ip}@8600";
-            forward-no-cache = true;
+            stub-no-cache = true;
-            forward-tcp-upstream = false;
+            stub-tcp-upstream = false;
-            forward-tls-upstream = false;
+            stub-tls-upstream = false;
-          }
-          # Forward all queries to our ISP's nameserver
-          {
-            name = ".";
-            forward-addr = cfg.nameservers;
-            forward-first = true;
           }
         ];
       };
       resolveLocalQueries = true;
     };
-    # Reach Unbound through the IP of our LAN interface,
-    # instead of 127.0.0.1 (this will also work in Docker containers)
-    networking.nameservers = [  # TODO remove this ?
-      cfg.lan_ip
-    ];
     services.resolved.enable = false;
 
     # Configure Wireguard VPN between all nodes
@@ -321,9 +306,6 @@ in
       verify_outgoing = true;
       verify_server_hostname = true;
     };
-    systemd.services.consul.serviceConfig = { # TODO remove this ?
-      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-    };
 
     services.nomad.enable = true;
     systemd.services.nomad.after = [ "wg-quick-wg0.service" ];