let
inherit (config.services) unbound;
inherit (config.users) users;
- stateDir = "/var/lib/unbound";
in
{
networking.resolvconf.useLocalResolver = true;
server = {
log-queries = false;
verbosity = 1;
- interface = [ "127.0.0.1" "::1" ];
+ interface = [
+ "127.0.0.1"
+ "::1"
+ ];
+ access-control = [
+ "0.0.0.0/0 refuse"
+ "::0/0 refuse"
+ "127.0.0.0/8 allow"
+ "::1 allow"
+ ];
prefer-ip4 = !config.networking.enableIPv6;
port = 53;
};
};
networking.nftables.ruleset = ''
- add rule inet filter fw2net tcp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
- add rule inet filter fw2net udp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
+ table inet filter {
+ chain output-net {
+ skuid ${users.unbound.name} \
+ meta l4proto { udp, tcp } th dport domain \
+ counter accept comment "unbound"
+ }
+ }
'';
systemd.services.unbound = {
serviceConfig = {
- RuntimeDirectory = "unbound";
- RuntimeDirectoryMode = "0700";
+ #RuntimeDirectoryMode = "0700";
+ BindReadOnlyPaths = [
+ "${../../networking/named.root}:/var/lib/unbound/named.root"
+ ];
};
- preStart = ''
- install -m 444 \
- ${../../networking/named.root} \
- /var/lib/unbound/named.root
- '';
};
}
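Review bot: The commented-out `#RuntimeDirectoryMode = "0700";` kept next to the new `BindReadOnlyPaths` entry is dead configuration that does not say why `RuntimeDirectory` was dropped; either delete the line or replace it with a comment such as `# RuntimeDirectory and its mode come from the unbound module; the read-only bind mount below replaces the former preStart copy`, if that is indeed the reason. The rules inside the new `table inet filter { chain output-net { … } }` block are only evaluated if `output-net` is a base chain (declared with a `type filter hook output` line elsewhere in the ruleset) or is reached by a jump; the removed `add rule … fw2net` form made that dependency explicit, so it is worth confirming the chain definition exists, because a chain without a hook would silently leave unbound's outbound DNS unmatched by this accept rule. The bind-mount target `/var/lib/unbound/named.root` also presumes `/var/lib/unbound` exists when the unit's mount namespace is set up, which presumably holds only while `StateDirectory` for the service (not visible in this diff) is still in place.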