core/magicdns: init

core/default.nix

@@ -11,6 +11,7 @@ in
     (import ../nix).impermanence-nixos
     (import ../nix).sops-nixos
     ./aspell.nix
+    ./magicdns.nix
     ./nix.nix
     ./openssh.nix
     ./sudo.nix

core/magicdns.nix

@@ -0,0 +1,20 @@
+{ lib, ... }: {
+  networking = {
+    search = [ "meurer.org.beta.tailscale.net" ];
+    resolvconf.extraConfig = ''
+      search_domains='meurer.org.beta.tailscale.net'
+    '';
+  };
+
+  services.unbound = {
+    enableRootTrustAnchor = lib.mkForce false;
+    forwardAddresses = lib.mkForce [ "100.100.100.100" ];
+  };
+
+  services.resolved = {
+    dnssec = lib.mkForce "false";
+    extraConfig = ''
+      DNS=100.100.100.100
+    '';
+  };
+}

core/resolved.nix

@@ -6,7 +6,6 @@
     dnssec = "false";
     llmnr = "false";
     extraConfig = ''
-      DNS=100.100.100.100
       FallbackDNS=1.1.1.1 2606:4700:4700::1111 8.8.8.8 2001:4860:4860::8844
       Domains=meurer.org.beta.tailscale.net.
     '';

core/unbound.nix

@@ -1,15 +1,11 @@
 { lib, ... }: {
   networking.networkmanager.dns = "unbound";
-  networking.search = [ "meurer.org.beta.tailscale.net" ];
-  networking.resolvconf.extraConfig = ''
-    search_domains='meurer.org.beta.tailscale.net'
-  '';
 
   services.resolved.enable = lib.mkForce false;
   services.unbound = {
     enable = true;
-    enableRootTrustAnchor = false;
-    forwardAddresses = [ "100.100.100.100" ];
+    enableRootTrustAnchor = true;
+    forwardAddresses = [ "1.1.1.1" "2606:4700:4700::1111" "8.8.8.8" "2001:4860:4860::8844" ];
     extraConfig = ''
       # This is part of the server clause
       infra-cache-slabs: 16

default.nix

@@ -33,7 +33,7 @@ in
     };
 
     fourier = { ... }: {
-      host = "fourier";
+      host = "10.0.0.3";
       configuration = ./systems/fourier.nix;
     };