let
inherit (config.services) unbound;
inherit (config.users) users;
- stateDir = "/var/lib/unbound";
in
{
networking.resolvconf.useLocalResolver = true;
+# Avoid: warning: so-rcvbuf 1048576 was not granted. Got 425984.
+# To fix: start with root permissions(linux)
+# or sysctl bigger net.core.rmem_max(linux)
+# or kern.ipc.maxsockbuf(bsd) values.
+boot.kernel.sysctl."net.core.rmem_max" = 1048576;
services.unbound = {
enable = true;
# DOC: https://calomel.org/unbound_dns.html
server = {
log-queries = false;
verbosity = 1;
- interface = [ "127.0.0.1" "::1" ];
+ interface = [
+ "127.0.0.1"
+ "::1"
+ ];
+ access-control = [
+ "0.0.0.0/0 refuse"
+ "::0/0 refuse"
+ "127.0.0.0/8 allow"
+ "::1 allow"
+ ];
prefer-ip4 = !config.networking.enableIPv6;
port = 53;
};
};
networking.nftables.ruleset = ''
- add rule inet filter fw2net tcp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
- add rule inet filter fw2net udp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
+ add rule inet filter fw2net meta l4proto { udp, tcp } th dport 53 skuid ${users.unbound.name} counter accept comment "Unbound"
'';
systemd.services.unbound = {
serviceConfig = {
- RuntimeDirectory = "unbound";
- RuntimeDirectoryMode = "0700";
+ #RuntimeDirectoryMode = "0700";
+ BindReadOnlyPaths = [
+ "${../../networking/named.root}:/var/lib/unbound/named.root"
+ ];
};
- preStart = ''
- install -m 444 \
- ${../../networking/named.root} \
- /var/lib/unbound/named.root
- '';
};
}
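Review bot: The commented-out `#RuntimeDirectoryMode = "0700";` left in `serviceConfig` is dead text now that `RuntimeDirectory` is gone; delete the line rather than comment it, the old value lives in history. The new `BindReadOnlyPaths` entry places the hints file at `/var/lib/unbound/named.root`, but the `server` block in this same file sets no `root-hints`, so unless that option is set in another module unbound keeps its compiled-in hints and the mount is unused — either add `root-hints = "/var/lib/unbound/named.root";` beside `interface`, or add a comment naming where `root-hints` is configured. That destination path is also spelled out literally while the `stateDir` binding it used to be derived from is removed in the `let`; keeping `stateDir` and writing `"${stateDir}/named.root"` keeps the two from drifting. The `net.core.rmem_max` sysctl is host-wide rather than per-service, which the comment above it could say explicitly.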