use unbound
This commit is contained in:
parent
ac170ab190
commit
1dc9adebf1
@ -1,8 +1,4 @@
|
||||
{ config
|
||||
, pkgs
|
||||
, inputs
|
||||
, ...
|
||||
}:
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
mailPassword =
|
||||
{ service }:
|
||||
@ -26,6 +22,8 @@ in
|
||||
fqdn = "mail.clan.lol";
|
||||
domains = [ "clan.lol" ];
|
||||
enablePop3 = true;
|
||||
# kresd sucks unfortunally (fails when one NS server is not working, instead of trying other ones)
|
||||
localDnsResolver = false;
|
||||
|
||||
loginAccounts."golem@clan.lol".hashedPasswordFile =
|
||||
config.clanCore.facts.services.golem-mail.secret.golem-password-hash.path;
|
||||
@ -33,6 +31,21 @@ in
|
||||
config.clanCore.facts.services.gitea-mail.secret.gitea-password-hash.path;
|
||||
};
|
||||
|
||||
services.unbound = {
|
||||
enable = true;
|
||||
settings.server = {
|
||||
prefetch = "yes";
|
||||
prefetch-key = true;
|
||||
qname-minimisation = true;
|
||||
# Too many broken dnssec setups even at big companies such as amazon.
|
||||
# Breaks my email setup. Better rely on tls for security.
|
||||
val-permissive-mode = "yes";
|
||||
};
|
||||
};
|
||||
|
||||
# use local unbound as dns resolver
|
||||
networking.nameservers = [ "127.0.0.1" ];
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
|
||||
clanCore.facts.services.golem-mail = mailPassword { service = "golem"; };
|
||||
|
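Review bot: `val-permissive-mode = "yes";` makes unbound return answers that failed DNSSEC validation instead of SERVFAIL, and because `networking.nameservers = [ "127.0.0.1" ];` routes every lookup on this host through that resolver, the downgrade applies to all name resolution here, not only the mail traffic the two comments justify it with. At minimum make the failures visible by adding `val-log-level = 2;` beside it, so bogus answers are logged and can be alerted on rather than silently accepted. The "rely on tls" comment presumably refers to the mail transport; whether that TLS is enforced or opportunistic is not visible in this hunk, so the comment would be stronger if it named what enforces it. As a point of style, the block mixes `prefetch = "yes";` with `prefetch-key = true;`; writing all of them as booleans (`prefetch = true;`, `val-permissive-mode = true;`) reads consistently, since the module renders both forms the same way.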