use unbound
parent
ac170ab190
commit
1dc9adebf1
@ -1,8 +1,4 @@
|
|||||||
{ config
|
{ config, pkgs, ... }:
|
||||||
, pkgs
|
|
||||||
, inputs
|
|
||||||
, ...
|
|
||||||
}:
|
|
||||||
let
|
let
|
||||||
mailPassword =
|
mailPassword =
|
||||||
{ service }:
|
{ service }:
|
||||||
@ -26,6 +22,8 @@ in
|
|||||||
fqdn = "mail.clan.lol";
|
fqdn = "mail.clan.lol";
|
||||||
domains = [ "clan.lol" ];
|
domains = [ "clan.lol" ];
|
||||||
enablePop3 = true;
|
enablePop3 = true;
|
||||||
|
# kresd sucks unfortunally (fails when one NS server is not working, instead of trying other ones)
|
||||||
|
localDnsResolver = false;
|
||||||
|
|
||||||
loginAccounts."golem@clan.lol".hashedPasswordFile =
|
loginAccounts."golem@clan.lol".hashedPasswordFile =
|
||||||
config.clanCore.facts.services.golem-mail.secret.golem-password-hash.path;
|
config.clanCore.facts.services.golem-mail.secret.golem-password-hash.path;
|
||||||
@ -33,6 +31,21 @@ in
|
|||||||
config.clanCore.facts.services.gitea-mail.secret.gitea-password-hash.path;
|
config.clanCore.facts.services.gitea-mail.secret.gitea-password-hash.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.unbound = {
|
||||||
|
enable = true;
|
||||||
|
settings.server = {
|
||||||
|
prefetch = "yes";
|
||||||
|
prefetch-key = true;
|
||||||
|
qname-minimisation = true;
|
||||||
|
# Too many broken dnssec setups even at big companies such as amazon.
|
||||||
|
# Breaks my email setup. Better rely on tls for security.
|
||||||
|
val-permissive-mode = "yes";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# use local unbound as dns resolver
|
||||||
|
networking.nameservers = [ "127.0.0.1" ];
|
||||||
|
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
|
|
||||||
clanCore.facts.services.golem-mail = mailPassword { service = "golem"; };
|
clanCore.facts.services.golem-mail = mailPassword { service = "golem"; };
|
||||||
|
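Review bot: `val-permissive-mode = "yes";` in the third hunk (@ -33,6 +31,21) makes unbound hand out answers that failed DNSSEC validation (with the AD bit cleared) instead of returning SERVFAIL, so DNSSEC no longer protects any lookup on this host, including whatever the mail server does for outbound SMTP; the existing comment gives the motivation but not this consequence. I would extend it: `# Bogus answers are returned with AD cleared, i.e. DNSSEC is effectively off host-wide; anything that depends on validated DNS (e.g. DANE/TLSA for outgoing mail, if enabled) gets no guarantee from it.` The same block also mixes forms, `prefetch = "yes";` next to `prefetch-key = true;` and `qname-minimisation = true;`; `prefetch = true;` keeps the settings uniform and spares a reader the question of whether the string form means something different. The `localDnsResolver = false;` added in the second hunk and `networking.nameservers = [ "127.0.0.1" ];` here only line up if unbound listens on 127.0.0.1, which is the module default but is not stated anywhere in the hunk; a one-line comment such as `# unbound listens on 127.0.0.1 by default (no interface set above)` would make that dependency explicit.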