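# NixOS module for this host's CoreDNS instance.
#
# The generated Corefile has two kinds of server blocks:
#   * "." is a forwarding resolver that only answers clients matched by the
#     ACL below (internal/private ranges plus the AS205479 prefixes).  Everyone
#     else gets refused, so opening 53/tcp+udp on the firewall does not turn
#     this host into an open resolver.
#   * one authoritative block per entry in `zones`, served from the zone files
#     shipped to /etc/coredns-zones.  These carry no ACL on purpose: they are
#     meant to be resolvable from anywhere.
{ depot, lib, config, ... }:

let
  cfg = config.my.coredns;

  # Zones served authoritatively.  Each must have a matching
  # ./zones/db.<zone> file (installed under /etc/coredns-zones).
  zones = [
    "as205479.net"
    "28.118.92.in-addr.arpa"
    "29.118.92.in-addr.arpa"
    "30.118.92.in-addr.arpa"
    "31.118.92.in-addr.arpa"
    "0.4.4.a.9.0.a.2.ip6.arpa"
    "1.4.4.a.9.0.a.2.ip6.arpa"
    "2.4.4.a.9.0.a.2.ip6.arpa"
    "3.4.4.a.9.0.a.2.ip6.arpa"
    "4.4.4.a.9.0.a.2.ip6.arpa"
    "5.4.4.a.9.0.a.2.ip6.arpa"
    "6.4.4.a.9.0.a.2.ip6.arpa"
    "7.4.4.a.9.0.a.2.ip6.arpa"
  ];

  # CoreDNS's `bind` directive rejects a Corefile where it has no arguments,
  # which is exactly what the option default (`[]`) used to produce; combined
  # with StartLimitIntervalSec=0 that was an endless restart loop.  Only emit
  # the directive when at least one address is configured.  Without it CoreDNS
  # uses its own default and listens on every local address.
  bindDirective =
    lib.optionalString (cfg.bind != [ ])
      "bind ${lib.concatStringsSep " " cfg.bind}";

  # One authoritative server block per zone.  Plugin order inside a block is
  # fixed by CoreDNS itself, so the order written here is cosmetic.
  mkZone = zone: ''
    ${zone} {
      import zonehdr
      file /etc/coredns-zones/db.${zone} ${zone}
    }
  '';

  corefile = ''
    (global) {
      ${bindDirective}
    }

    . {
      import global
      chaos
      log
      errors

      # Recursive service is restricted to our own networks.  The ACL plugin
      # runs ahead of chaos/forward in CoreDNS's plugin chain, so `block`
      # applies to CH-class version queries as well as to ordinary lookups.
      acl {
        allow net 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 100.64.0.0/10
        allow net 92.118.28.0/22
        allow net 2a09:a440::/29 ::1/128
        block
      }

      # NOTE(review): upstream queries go out as plaintext DNS.  If the
      # upstream path is not trusted, CoreDNS supports DoT here
      # (`forward . tls://8.8.8.8 ...` with `tls_servername dns.google`).
      forward . 2001:4860:4860::8888 2001:4860:4860::8844 8.8.8.8 8.8.4.4
    }

    (zonehdr) {
      import global
      prometheus
      log
      errors
      loadbalance round_robin
    }

    ${lib.concatMapStringsSep "\n" mkZone zones}
  '';
in
{
  options.my.coredns.bind = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ ];
    description = ''
      Addresses (or interface names) CoreDNS should listen on, passed to the
      `bind` directive of every server block.  When empty no `bind` directive
      is emitted and CoreDNS listens on all local addresses.
    '';
  };

  config = {
    # Zone files are copied out of the repo into /etc so the Corefile can
    # reference them by a stable path.
    environment.etc."coredns-zones" = {
      source = "${./zones}";
    };

    # Port 53 is opened on all interfaces regardless of `my.coredns.bind`;
    # the "." resolver block is protected by its ACL, the zone blocks are
    # intentionally public.
    networking.firewall.allowedTCPPorts = [
      53 # DNS
    ];
    networking.firewall.allowedUDPPorts = [
      53 # DNS
    ];

    # Disables systemd's start rate limiting for coredns, i.e. it is retried
    # indefinitely on failure.  Presumably so a transient failure (e.g. a bind
    # address not yet configured at boot) cannot leave the host without DNS —
    # TODO confirm this is still needed.
    systemd.services.coredns.unitConfig.StartLimitIntervalSec = "0";

    services.coredns = {
      enable = true;
      config = corefile;
    };
  };
}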