From 6ea7bced385977aef244b74e54b1fd7d8b5a07df Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Sat, 19 Nov 2022 00:56:37 +0100
Subject: [PATCH] Set up local VPN on wireguard network

---
 modules/base/network/wireguard.nix | 28 ++++++++++++++++++++++++++++
 modules/services/mail/default.nix | 2 +-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/modules/base/network/wireguard.nix b/modules/base/network/wireguard.nix
index 6b3895a7..90efd9a0 100644
--- a/modules/base/network/wireguard.nix
+++ b/modules/base/network/wireguard.nix
@@ -41,6 +41,32 @@ in
   networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
   networking.firewall.trustedInterfaces = [ "wg0" ];
   boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; };
+  services.unbound = lib.mkIf config.chvp.base.network.wireguard.server {
+    enable = true;
+    resolveLocalQueries = true;
+    settings = {
+      server = {
+        interface = [ "wg0" "127.0.0.1" "::1" ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "10.240.0.0/24 allow"
+        ];
+        private-domain = "vpn";
+        local-zone = builtins.map (name: ''"${name}.vpn" redirect'') (builtins.attrNames data);
+        local-data = builtins.map (name: ''"${name}.vpn IN A ${data.${name}.ip}"'') (builtins.attrNames data);
+      };
+      forward-zone = {
+        name = ''"."'';
+        forward-addr = [
+          "1.1.1.1@853"
+          "1.0.0.1@853"
+          "2606:4700:4700::1111@853"
+          "2606:4700:4700::1001@853"
+        ];
+        forward-tls-upstream = "yes";
+      };
+    };
+  };
   systemd.network = {
     netdevs.wg0 = {
       enable = true;
@@ -81,6 +107,8 @@ in
       enable = true;
       name = "wg0";
       address = [ "${data.${config.networking.hostName}.ip}/32" ];
+      domains = [ "vpn" ];
+      dns = [ data.lasting-integrity.ip ];
       routes = [{
         routeConfig = if config.chvp.base.network.wireguard.server then {
diff --git a/modules/services/mail/default.nix b/modules/services/mail/default.nix
index 74c19d91..044f4fa4 100644
--- a/modules/services/mail/default.nix
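Review bot: The forward-zone entries turn on TLS to the upstreams (`forward-tls-upstream = "yes"`, port 853) but carry no authentication name, so unbound encrypts the session without verifying that the presented certificate belongs to the resolver it was configured with; appending `#cloudflare-dns.com` to each `forward-addr` entry makes this authenticated DoT. Authenticated DoT also needs a CA bundle available to unbound (`tls-cert-bundle`), which this hunk does not set — the NixOS module may supply one by default, but that is worth confirming. Separately, `interface` includes `::1` while `access-control` lists only IPv4 netblocks; unbound's built-in localhost allowance likely still covers it, but `"::1/128 allow"` next to the existing entries makes the intent explicit.
```nix
forward-addr = [
  "1.1.1.1@853#cloudflare-dns.com"
  "1.0.0.1@853#cloudflare-dns.com"
  "2606:4700:4700::1111@853#cloudflare-dns.com"
  "2606:4700:4700::1001@853#cloudflare-dns.com"
];
```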
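Review bot: `dns = [ data.lasting-integrity.ip ];` pins every peer's resolver to one host by name, while the resolver itself is only enabled where `config.chvp.base.network.wireguard.server` is set in the previous hunk; if that flag ever moves to another host, clients keep pointing at a machine that no longer runs unbound. If the `data` set records which host is the server, derive the address from that flag; otherwise a comment such as `# lasting-integrity is the wireguard server that runs the unbound resolver configured above` keeps the two places tied together. The attribute set containing these lines begins and ends outside the hunk.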
+++ b/modules/services/mail/default.nix
@@ -11,7 +11,6 @@ in
   chvp.base.zfs.systemLinks = [
     { path = "/var/lib/dhparams"; type = "cache"; }
     { path = "/var/lib/dovecot"; type = "cache"; }
-    { path = "/var/lib/knot-resolver"; type = "cache"; }
     { path = "/var/lib/opendkim"; type = "cache"; }
     { path = "/var/lib/postfix"; type = "cache"; }
     { path = "/var/lib/redis-rspamd"; type = "cache"; }
@@ -21,6 +20,7 @@ in
     enable = true;
     fqdn = "mail.vanpetegem.me";
     domains = [ "vanpetegem.me" "cvpetegem.be" "chvp.be" "accentor.tech" "toekomstlabo.be" ];
+    localDnsResolver = false;
     loginAccounts = {
       "charlotte@vanpetegem.me" = {
         hashedPasswordFile = config.age.secrets."passwords/services/mail/charlotte@vanpetegem.me".path;
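Review bot: `localDnsResolver = false;` moves the mail stack's lookups onto the system resolver, which after this commit is an unbound instance that forwards every query to the Cloudflare upstreams instead of recursing itself. Some DNSBL operators refuse or rate-limit queries arriving via large public resolvers, so if rspamd's RBL checks are in use on this host (not visible here) their results may silently degrade; verify them after deploying, and if they do degrade, letting unbound recurse directly rather than through the forward-zone is the usual remedy. A short comment on this line, e.g. `# resolver is provided by unbound from modules/base/network/wireguard.nix`, would record why the mailserver's own resolver was turned off. The enclosing attribute set begins and ends outside the hunk.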