dnssec
+13
-3
@@ -6,7 +6,10 @@
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [ nixosModules.packages.common ];
|
||||
imports = [
|
||||
nixosModules.packages.common
|
||||
nixosModules.dnsResolved
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
@@ -65,6 +68,7 @@
|
||||
systemd.network.wait-online.enable = false;
|
||||
services.resolved.enable = true;
|
||||
services.openssh.enable = true;
|
||||
my.dns.enable = true;
|
||||
|
||||
systemd.network.networks."10-wired" = {
|
||||
matchConfig.Name = [
|
||||
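Review bot: `my.dns.enable = true;` on the added line makes the `services.resolved.enable = true;` context line above it redundant, because the dnsResolved module it switches on already sets `services.resolved.enable = true` under its own `lib.mkIf cfg.enable`. Keeping both is harmless, but the host line now hides where resolved is really configured; either drop it or annotate it, e.g. `# resolved itself is enabled/configured by the my.dns module`. The enclosing attribute set starts before this hunk and continues after it.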
@@ -75,8 +79,14 @@
|
||||
DHCP = "yes";
|
||||
IPv6AcceptRA = true;
|
||||
};
|
||||
dhcpV4Config.RouteMetric = 100;
|
||||
ipv6AcceptRAConfig.RouteMetric = 100;
|
||||
dhcpV4Config = {
|
||||
RouteMetric = 100;
|
||||
UseDNS = false;
|
||||
};
|
||||
ipv6AcceptRAConfig = {
|
||||
RouteMetric = 100;
|
||||
UseDNS = false;
|
||||
};
|
||||
};
|
||||
|
||||
programs.zsh.enable = true;
|
||||
|
||||
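Review bot: `UseDNS = false;` under `dhcpV4Config` and `ipv6AcceptRAConfig` is the part of this change that stops DHCP- and RA-advertised resolvers from being attached to this link as per-link DNS servers, which resolved would otherwise consult for the link in preference to the global nameserver set and which are not the pinned DoT endpoints the my.dns module configures; nothing in the hunk says so, and a later reader could drop the line as noise. Suggest `# Ignore DHCP/RA-supplied resolvers: all DNS goes through the DoT servers configured by my.dns` above `dhcpV4Config = {`. If this link also runs a DHCPv6 client, `dhcpV6Config.UseDNS = false;` is needed for the same reason. The `systemd.network.networks."10-wired"` block opens in the previous hunk, and any other network definitions are outside this diff, so whether they need the same treatment cannot be checked here.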
@@ -7,4 +7,5 @@
|
||||
mailServer = import ./mail-server;
|
||||
packages = import ./packages;
|
||||
zfsRoot = import ./zfs-root.nix;
|
||||
dnsResolved = import ./dns-resolved.nix;
|
||||
}
|
||||
|
||||
@@ -0,0 +1,39 @@
|
||||
{ config, lib, options, ... }:
|
||||
let
|
||||
# Targets the custom options we created
|
||||
cfg = config.my.dns;
|
||||
|
||||
# Feature detection
|
||||
hasSettings = options.services.resolved ? settings;
|
||||
in
|
||||
{
|
||||
options.my.dns = {
|
||||
enable = lib.mkEnableOption "custom DNS setup with Cloudflare and LibreDNS";
|
||||
|
||||
strictDNSSEC = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "If true, enforces strict DNSSEC. If false, uses allow-downgrade.";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
networking.nameservers = [
|
||||
"116.202.176.26#dot.libredns.gr"
|
||||
"1.1.1.1#cloudflare-dns.com"
|
||||
"1.0.0.1#cloudflare-dns.com"
|
||||
];
|
||||
|
||||
services.resolved = if hasSettings then {
|
||||
enable = true;
|
||||
settings.Resolve = {
|
||||
DNSOverTLS = "yes";
|
||||
DNSSEC = if cfg.strictDNSSEC then "yes" else "allow-downgrade";
|
||||
};
|
||||
} else {
|
||||
enable = true;
|
||||
dnsovertls = "true";
|
||||
dnssec = if cfg.strictDNSSEC then "true" else "allow-downgrade";
|
||||
};
|
||||
};
|
||||
}
|
||||
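Review bot: Both branches of `services.resolved = if hasSettings then ... else ...` repeat `enable = true;`, so enabling resolved could be hoisted out of the conditional and the branches reduced to the two settings they actually differ in. The security-relevant parts of this file are undocumented: the `#hostname` suffix on each `networking.nameservers` entry is what lets resolved verify the DoT certificate against a name, and `DNSOverTLS = "yes"` (rather than opportunistic) is what refuses plaintext fallback when the TLS session cannot be set up — a header comment such as `# Strict DNS-over-TLS: the '#name' suffix pins the certificate name resolved verifies; DNSOverTLS=yes never falls back to plaintext, so DNS fails loudly rather than downgrading silently.` would record that intent. resolved's compiled-in FallbackDNS list is only consulted when no servers are configured at all, so it should not engage with `networking.nameservers` set, but `services.resolved.fallbackDns = [ ];` alongside it would make the DoT-only intent explicit rather than implicit.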
@@ -9,6 +9,8 @@
|
||||
defaults.email = "postmaster@billenius.com";
|
||||
};
|
||||
|
||||
my.dns.strictDNSSEC = true;
|
||||
|
||||
imports = [
|
||||
./autodiscover.nix
|
||||
./mail.nix
|
||||
|
||||
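Review bot: `my.dns.strictDNSSEC = true;` only takes effect if `my.dns.enable` is also true for this host, since everything in the dnsResolved module sits under `lib.mkIf cfg.enable`, and neither an enable line nor an import of that module is visible in this hunk (the enclosing attribute set continues outside it) — worth confirming the mail host actually gets the module, otherwise this option silently does nothing. In strict mode every upstream in the module's nameserver list must return validatable DNSSEC data or lookups fail rather than downgrade, which is presumably the intent for a mail host but is worth stating, e.g. `# Fail closed on DNSSEC: a mail host should not act on unsigned answers when validation is possible`.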