# Masquerading
add rule inet nat postrouting iifname "${iface}" oifname "${gateway}" masquerade
+
+ # Servicing
+ add rule inet filter input iifname "${iface}" udp dport 53 counter accept comment "Unbound"
'';
+services.unbound.settings.server = {
+ interface = [ "10.53.53.1" ];
+ access-control = [ "10.53.53.0/24 allow" ];
+};
}
let
inherit (config.services) unbound;
inherit (config.users) users;
- stateDir = "/var/lib/unbound";
in
{
networking.resolvconf.useLocalResolver = true;
server = {
log-queries = false;
verbosity = 1;
- interface = [ "127.0.0.1" "::1" ];
+ interface = [
+ "127.0.0.1"
+ "::1"
+ ];
+ access-control = [
+ "0.0.0.0/0 refuse"
+ "::0/0 refuse"
+ "127.0.0.0/8 allow"
+ "::1 allow"
+ ];
prefer-ip4 = !config.networking.enableIPv6;
port = 53;
'';
systemd.services.unbound = {
serviceConfig = {
- RuntimeDirectory = "unbound";
- RuntimeDirectoryMode = "0700";
+ #RuntimeDirectoryMode = "0700";
+ BindReadOnlyPaths = [
+ "${../../networking/named.root}:/var/lib/unbound/named.root"
+ ];
};
- preStart = ''
- install -m 444 \
- ${../../networking/named.root} \
- /var/lib/unbound/named.root
- '';
};
}
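Review bot: The commented-out `#RuntimeDirectoryMode = "0700";` in serviceConfig is dead configuration: `RuntimeDirectoryMode=` has no effect without a `RuntimeDirectory=`, which this change removes on the line above it, so the line should either be deleted or replaced by a comment stating who now provides `/run/unbound` (presumably the NixOS unbound module — confirm, since nothing in this hunk creates it). Removing `stateDir` and the `install -m 444` preStart in favour of `BindReadOnlyPaths` is a sound move because the service can no longer alter its own root hints, but a one-line comment such as `# root hints come from the store, mounted read-only; do not copy into the state dir` next to `BindReadOnlyPaths` would keep the next maintainer from reintroducing the copy. The `access-control` list refusing `0.0.0.0/0` and `::0/0` before allowing loopback is the right default-deny shape; `::0/0` is accepted by unbound but `::/0` is the canonical spelling and reads less like a typo. The `server` attribute set and the enclosing `let … in { … }` begin before the first lines shown here.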