diff --git a/machines/valkyrie/unbound/default.nix b/machines/valkyrie/unbound/default.nix
index 5a87e04..d3d8706 100644
--- a/machines/valkyrie/unbound/default.nix
+++ b/machines/valkyrie/unbound/default.nix
@@ -1,68 +1,82 @@ { - services.unbound = { - enable = true; - localControlSocketPath = "/run/unbound/unbound.ctl"; - settings = { - server = { - # Setting logfile to an empty string outputs to stderr - log-queries = false; - verbosity = 1; + services = { + unbound = { + enable = true; + localControlSocketPath = "/run/unbound/unbound.ctl"; + settings = { + server = { + # Setting logfile to an empty string outputs to stderr + log-queries = false; + verbosity = 1; - port = 5335; - do-ip4 = true; - do-ip6 = true; - do-udp = true; - do-tcp = true; - prefer-ip6 = true; + port = 5335; + do-ip4 = true; + do-ip6 = true; + do-udp = true; + do-tcp = true; + prefer-ip6 = true; - hide-identity = true; - hide-version = true; + hide-identity = true; + hide-version = true; - # Trust glue only if it is within the server's authority - harden-glue = true; + # Trust glue only if it is within the server's authority + harden-glue = true; - # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS - harden-dnssec-stripped = true; + # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS + harden-dnssec-stripped = true; - harden-referral-path = true; + harden-referral-path = true; - # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes - # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details - use-caps-for-id = false; + # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details + use-caps-for-id = false; - # Reduce EDNS reassembly buffer size. - # Suggested by the unbound man page to reduce fragmentation reassembly problems - edns-buffer-size = 1472; + # Reduce EDNS reassembly buffer size. 
+ # Suggested by the unbound man page to reduce fragmentation reassembly problems + edns-buffer-size = 1472; - # Perform prefetching of close to expired message cache entries - # This only applies to domains that have been frequently queried - prefetch = true; - prefetch-key = true; + # Perform prefetching of close to expired message cache entries + # This only applies to domains that have been frequently queried + prefetch = true; + prefetch-key = true; - # This attempts to reduce latency by serving the outdated record before - # updating it instead of the other way around. Alternative is to increase - # cache-min-ttl to e.g. 3600. - cache-min-ttl = 0; - serve-expired = true; + # This attempts to reduce latency by serving the outdated record before + # updating it instead of the other way around. Alternative is to increase + # cache-min-ttl to e.g. 3600. + cache-min-ttl = 0; + serve-expired = true; - rrset-cache-size = "256m"; - msg-cache-size = "128m"; - msg-cache-slabs = 4; - # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. - num-threads = 2; + rrset-cache-size = "256m"; + msg-cache-size = "128m"; + msg-cache-slabs = 4; + # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. 
+ num-threads = 2; - # Ensure kernel buffer is large enough to not lose messages in traffic spikes - so-rcvbuf = "1m"; + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + so-rcvbuf = "8m"; - # Ensure privacy of local IP ranges - private-address = [ - "192.168.0.0/16" - "169.254.0.0/16" - "172.16.0.0/12" - "10.0.0.0/8" - "fd00::/8" - "fe80::/10" - ]; + # Ensure privacy of local IP ranges + private-address = [ + "192.168.0.0/16" + "169.254.0.0/16" + "172.16.0.0/12" + "10.0.0.0/8" + "fd00::/8" + "fe80::/10" + ]; + }; + }; + }; + + prometheus.exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + }; + + unbound = { + enable = true; + unbound.host = "unix:///run/unbound/unbound.ctl"; }; }; };
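Review bot: The bump of `so-rcvbuf` from `"1m"` to `"8m"` is only honoured when the kernel's `net.core.rmem_max` permits it; on a stock Linux default unbound cannot raise the socket buffer that far and reports it at startup, so the change should be paired with something like `boot.kernel.sysctl."net.core.rmem_max" = 8388608;` (constructed example matching 8m) or the comment above it should state where that sysctl is set. The new `prometheus.exporters.unbound` block points the exporter at the control socket at `unix:///run/unbound/unbound.ctl`; a unix control socket is gated by file permissions rather than by the TLS client certificate, so it is worth confirming the exporter's service user can actually read that socket on this host, since nothing in the hunk grants it. Neither exporter sets `listenAddress`, and the NixOS exporter modules default to binding all interfaces with `openFirewall` off, so a short comment such as `# metrics reachable only through the host firewall` or an explicit `listenAddress` limited to the scrape network would document the intended exposure. The trailing `}; }; };` closers are context lines, so the enclosing module attribute set continues as before.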