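{ config, pkgs, ... }:
let
  # Package the ./local-dns script that sits next to this module so it ends up
  # on $PATH.  `install -Dm755` (instead of mkdir + cp) creates $out/bin and
  # makes the copy executable regardless of the mode bits the source file
  # happens to carry; with plain `cp` the result was only executable if the
  # checked-in file already was.
  local-dns = pkgs.runCommand "local-dns" {} ''
    install -Dm755 ${./local-dns} $out/bin/local-dns
  '';
in
{
  environment.systemPackages = [ local-dns ];

  services.unbound = {
    enable = true;
    # The DNSSEC root trust anchor is switched off, so unbound does not
    # validate answers: whatever the forwarders listed in the included
    # resolvconf file return is accepted as-is.
    # NOTE(review): confirm this is intentional — presumably because the
    # resolvconf-supplied upstreams are not expected to serve DNSSEC.
    enableRootTrustAnchor = false;
    extraConfig = ''
      # Forwarder list written by openresolv's unbound hook (see unbound_conf
      # in networking.resolvconf.extraConfig).  Whoever can write this file
      # chooses where unbound forwards queries, so /var/lib/unbound must stay
      # root-writable only.
      # NOTE(review): unbound treats a missing include as a fatal config
      # error as far as I recall — verify the file exists (or pre-create it
      # empty) before unbound's first start.
      include: /var/lib/unbound/unbound-resolvconf.conf
      # Control channel on a unix-domain socket.  No TLS/certificates are
      # involved on a unix socket (confirm against the unbound version in
      # use); access is governed purely by the socket file's ownership and
      # mode, which is why the unbound user gets its own group below.  Anyone
      # who can open the socket (root, group unbound) can reconfigure the
      # resolver via unbound-control.
      remote-control:
        control-enable: yes
        control-interface: /var/lib/unbound/unbound.sock
    '';
  };

  # Give the unbound user a dedicated primary group instead of "nogroup".
  # The control socket is owned by unbound's user and group, so with
  # "nogroup" every process in that catch-all group could drive
  # unbound-control; with a private group only root and unbound can.
  users.users.unbound.group = "unbound";
  users.groups.unbound = {};

  # Tell openresolv's unbound hook where to write the forwarder config and how
  # to make unbound reload it.  The hook presumably runs as root, which is
  # what lets it reach the group-restricted control socket.
  # The trailing `|| true` keeps resolvconf from failing when unbound is not
  # (yet) running, e.g. early in boot — but it also hides genuine reload
  # errors, so a silently stale forwarder list is possible.
  # NOTE(review): consider logging the failure rather than discarding it.
  networking.resolvconf.extraConfig = ''
    unbound_conf=/var/lib/unbound/unbound-resolvconf.conf
    unbound_restart="${pkgs.unbound}/bin/unbound-control -c /var/lib/unbound/unbound.conf reload || true"
  '';
}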