mermet: unbound: provide a DNS cache for iodine users

[sourcephile-nix.git] / hosts / mermet / iodine.nix

{ pkgs, lib, config, credentials, host, ... }:
let
  domain = "i.sourcephile.fr";
  iface = "iode";
  gateway = config.networking.defaultGateway.interface;
in
{
systemd.services.iodined.serviceConfig.LoadCredentialEncrypted = "password:${credentials}/iodine/password.secret";
systemd.sockets.iodined = {
  enable = true;
  listenDatagrams = [ "127.0.0.1:1053" ];
  socketConfig.BindToDevice = "lo";
  socketConfig.ReusePort = true;
  wantedBy = [ "sockets.target" ];
};
services.iodine.server = {
  enable = true;
  ip = "10.53.53.1/24";
  passwordFile = "$CREDENTIALS_DIRECTORY/password";
  inherit domain;
  extraConfig = "-4 -c -d ${iface} -i 1800 -n ${host.ipv4}";
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nftables.ruleset = ''
  # Forwarding
  add rule inet filter forward iifname "${iface}" oifname "${gateway}" counter accept
  add rule inet filter forward iifname "${gateway}" oifname "${iface}" counter accept

  # Masquerading
  add rule inet nat postrouting iifname "${iface}" oifname "${gateway}" masquerade

  # Servicing
  add rule inet filter input iifname "${iface}" udp dport 53 counter accept comment "Unbound"
'';
services.unbound.settings.server = {
  interface = [ "10.53.53.1" ];
  access-control = [ "10.53.53.0/24 allow" ];
};
}