nixos/magi: Add unbound configuration
This commit is contained in:
parent
0e86a6cf0f
commit
b1cca37523
SSH key fingerprint:
SHA256:21QyD2Meiot7jOUVitIR5YkGB/XuXdCvLW1hE6dsri0
1 changed files with 71 additions and 0 deletions
|
|
@ -156,4 +156,75 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.unbound = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
package = pkgs.unbound-with-systemd.override {
|
||||||
|
withDoH = true;
|
||||||
|
withECS = true;
|
||||||
|
withTFO = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
enableRootTrustAnchor = true;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
module-config = "subnetcache validator iterator";
|
||||||
|
server = let
|
||||||
|
acmeDir = config.security.acme.certs."resolve.nyantec.com".directory;
|
||||||
|
num-threads = 16;
|
||||||
|
in {
|
||||||
|
inherit num-threads;
|
||||||
|
|
||||||
|
interface = [
|
||||||
|
"::1@53"
|
||||||
|
"127.0.0.1@53"
|
||||||
|
|
||||||
|
"::@443"
|
||||||
|
"0.0.0.0@443"
|
||||||
|
|
||||||
|
"::@853"
|
||||||
|
"0.0.0.0@853"
|
||||||
|
];
|
||||||
|
|
||||||
|
so-reuseport = true;
|
||||||
|
ip-dscp = 20;
|
||||||
|
outgoing-range = 8192;
|
||||||
|
edns-buffer-size = 1472;
|
||||||
|
udp-upstream-without-downstream = true;
|
||||||
|
num-queries-per-thread = 4096;
|
||||||
|
incoming-num-tcp = 1024;
|
||||||
|
outgoing-num-tcp = 16;
|
||||||
|
stream-wait-size = "64m";
|
||||||
|
msg-cache-size = "128m";
|
||||||
|
msg-cache-slabs = num-threads;
|
||||||
|
rrset-cache-size = "256m";
|
||||||
|
rrset-cache-slabs = num-threads;
|
||||||
|
infra-cache-slabs = num-threads;
|
||||||
|
key-cache-slabs = num-threads;
|
||||||
|
cache-min-ttl = 60;
|
||||||
|
cache-max-negative-ttl = 360;
|
||||||
|
prefer-ip6 = true;
|
||||||
|
tls-service-pem = "${acmeDir}/fullchain.pem";
|
||||||
|
tls-service-key = "${acmeDir}/key.pem";
|
||||||
|
https-port = 443;
|
||||||
|
http-query-buffer-size = "64m";
|
||||||
|
http-response-buffer-size = "64m";
|
||||||
|
access-control = [ "::/0 allow" "0.0.0.0/0 allow" ];
|
||||||
|
harden-dnssec-stripped = true;
|
||||||
|
hide-identity = true;
|
||||||
|
hide-version = true;
|
||||||
|
prefetch = true;
|
||||||
|
prefetch-key = true;
|
||||||
|
serve-expired-client-timeout = 1800;
|
||||||
|
|
||||||
|
# ECS
|
||||||
|
send-client-subnet = [ "::/0" "0.0.0.0/0" ];
|
||||||
|
max-client-subnet-ipv6 = 36;
|
||||||
|
max-client-subnet-ipv4 = 20;
|
||||||
|
max-ecs-tree-size-ipv6 = 128;
|
||||||
|
max-ecs-tree-size-ipv4 = 128;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue