From 1dc9adebf10808340377a9e784200dc99452f573 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Mon, 10 Jun 2024 12:10:20 +0200
Subject: [PATCH] use unbound
---
 modules/mailserver.nix | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index 4c79b87..4902d1f 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -1,8 +1,4 @@
-{ config
-, pkgs
-, inputs
-, ...
-}:
+{ config, pkgs, ... }:
 let
 mailPassword = { service }:
@@ -26,6 +22,8 @@ in
 fqdn = "mail.clan.lol";
 domains = [ "clan.lol" ];
 enablePop3 = true;
+ # kresd sucks unfortunally (fails when one NS server is not working, instead of trying other ones)
+ localDnsResolver = false;
 loginAccounts."golem@clan.lol".hashedPasswordFile = config.clanCore.facts.services.golem-mail.secret.golem-password-hash.path;
@@ -33,6 +31,21 @@ in
 config.clanCore.facts.services.gitea-mail.secret.gitea-password-hash.path;
 };
+ services.unbound = {
+ enable = true;
+ settings.server = {
+ prefetch = "yes";
+ prefetch-key = true;
+ qname-minimisation = true;
+ # Too many broken dnssec setups even at big companies such as amazon.
+ # Breaks my email setup. Better rely on tls for security.
+ val-permissive-mode = "yes";
+ };
+ };
+
+ # use local unbound as dns resolver
+ networking.nameservers = [ "127.0.0.1" ];
+
 security.acme.acceptTerms = true;
 clanCore.facts.services.golem-mail = mailPassword { service = "golem"; };
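Review bot: `val-permissive-mode = "yes"` in the new `services.unbound.settings.server` block makes unbound hand out answers that fail DNSSEC validation instead of returning SERVFAIL, and because `networking.nameservers = [ "127.0.0.1" ]` points the whole host at this instance, every consumer on the machine loses validation enforcement, not just the mail stack, which the comment above it does not say. Unbound documents that such answers are returned with the AD flag cleared, so any DANE/TLSA check that keys on AD would silently fall back to opportunistic TLS for exactly the misconfigured domains the comment mentions; I would extend the comment to `# NOTE: bogus answers are served without AD, so DANE/TLSA (if enabled) does not protect those domains; this is host-wide, not mail-only` and, if only a few zones are broken, consider per-zone `domain-insecure` entries instead of disabling enforcement globally. The same block mixes string and boolean forms (`prefetch = "yes"` and `val-permissive-mode = "yes"` next to `prefetch-key = true`); the module evidently accepts both, but `prefetch = true;` / `val-permissive-mode = true;` would read consistently. With `localDnsResolver = false` in the previous hunk the mailserver module presumably no longer runs its own resolver, so resolution now depends entirely on this unbound instance; the enclosing attribute set starts and ends outside the hunk.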