Set up local VPN on wireguard network

2022-11-19 00:56:37 +01:00 · 2022-11-19 00:56:37 +01:00 · 6ea7bced38
commit 6ea7bced38
parent d6619a35fa
2 changed files with 29 additions and 1 deletions
--- a/modules/base/network/wireguard.nix
+++ b/modules/base/network/wireguard.nix
@ -41,6 +41,32 @@ in
    networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
    networking.firewall.trustedInterfaces = [ "wg0" ];
    boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; };
+    services.unbound = lib.mkIf config.chvp.base.network.wireguard.server {
+      enable = true;
+      resolveLocalQueries = true;
+      settings = {
+        server = {
+          interface = [ "wg0" "127.0.0.1" "::1" ];
+          access-control = [
+            "127.0.0.0/8 allow"
+            "10.240.0.0/24 allow"
+          ];
+          private-domain = "vpn";
+          local-zone = builtins.map (name: ''"${name}.vpn" redirect'') (builtins.attrNames data);
+          local-data = builtins.map (name: ''"${name}.vpn IN A ${data.${name}.ip}"'') (builtins.attrNames data);
+        };
+        forward-zone = {
+          name = ''"."'';
+          forward-addr = [
+            "1.1.1.1@853"
+            "1.0.0.1@853"
+            "2606:4700:4700::1111@853"
+            "2606:4700:4700::1001@853"
+          ];
+          forward-tls-upstream = "yes";
+        };
+      };
+    };
    systemd.network = {
      netdevs.wg0 = {
        enable = true;
@ -81,6 +107,8 @@ in
        enable = true;
        name = "wg0";
        address = [ "${data.${config.networking.hostName}.ip}/32" ];
+        domains = [ "vpn" ];
+        dns = [ data.lasting-integrity.ip ];
        routes = [{
          routeConfig =
            if config.chvp.base.network.wireguard.server then {
--- a/modules/services/mail/default.nix
+++ b/modules/services/mail/default.nix
@ -11,7 +11,6 @@ in
    chvp.base.zfs.systemLinks = [
      { path = "/var/lib/dhparams"; type = "cache"; }
      { path = "/var/lib/dovecot"; type = "cache"; }
-      { path = "/var/lib/knot-resolver"; type = "cache"; }
      { path = "/var/lib/opendkim"; type = "cache"; }
      { path = "/var/lib/postfix"; type = "cache"; }
      { path = "/var/lib/redis-rspamd"; type = "cache"; }
@ -21,6 +20,7 @@ in
      enable = true;
      fqdn = "mail.vanpetegem.me";
      domains = [ "vanpetegem.me" "cvpetegem.be" "chvp.be" "accentor.tech" "toekomstlabo.be" ];
+      localDnsResolver = false;
      loginAccounts = {
        "charlotte@vanpetegem.me" = {
          hashedPasswordFile = config.age.secrets."passwords/services/mail/charlotte@vanpetegem.me".path;