Add seperate server network and use unbound

common/etc/ssh/ssh_config

@@ -4,6 +4,7 @@ UpdateHostKeys yes
 VerifyHostKeyDNS ask
 HashKnownHosts yes
 AddKeysToAgent yes
+ExitOnForwardFailure yes
 Host home
   HostName home.strypsteen.com
 Host home-gw

desktop/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/x86_64/stable/defaults/pref/config.js

@@ -9,6 +9,7 @@ pref("browser.download.useDownloadDir", false);
 pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
 pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
 pref("browser.privatebrowsing.autostart", true);
+pref("browser.urlbar.suggest.topsites", false);
 pref("browser.tabs.firefox-view", false);
 pref("browser.tabs.searchclipboardfor.middleclick", false);
 pref("browser.uidensity", 1);

laptop/etc/systemd/resolved.conf

@@ -1,5 +1,5 @@
 [Resolve]
-DNS=2620:fe::10#dns10.quad9.net 9.9.9.10#dns10.quad9.net
+DNS=2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
 FallbackDNS=
 DNSSEC=true
 DNSOverTLS=true

router/etc/sysconfig/nftables.conf

@@ -5,10 +5,12 @@ table inet filter {
     policy drop
     ct state established accept
     ct state related accept
-    iifname podman* accept
     iifname internal accept
     iifname wifi oifname external accept
     iifname untrusted oifname external accept
+    iifname server oifname external accept
+    iifname wifi oifname server accept
+    iifname untrusted oifname server accept
   }
 }
 table ip nat {

router/etc/systemd/network/internal.network

@@ -1,8 +1,9 @@
 [Match]
 Name=internal
+[Link]
+RequiredForOnline=false
 [Network]
 Address=192.168.255.1/24
-Address=fc00::1/128
 DHCPServer=true
 IPv6SendRA=true
 IPForward=true

router/etc/systemd/network/server.network

@@ -0,0 +1,17 @@
+[Match]
+Name=server
+[Link]
+RequiredForOnline=false
+[Network]
+Address=192.168.252.1/24
+DHCPServer=true
+IPv6SendRA=true
+IPForward=true
+IPMasquerade=ipv4
+DHCPPrefixDelegation=true
+[DHCPServer]
+DNS=_server_address
+[IPv6SendRA]
+DNS=_link_local
+[DHCPPrefixDelegation]
+SubnetId=3

router/etc/systemd/network/untrusted.network

@@ -1,8 +1,9 @@
 [Match]
 Name=untrusted
+[Link]
+RequiredForOnline=false
 [Network]
 Address=192.168.253.1/24
-Address=fc00::1/128
 DHCPServer=true
 IPv6SendRA=true
 IPForward=true

router/etc/systemd/network/wifi.network

@@ -1,8 +1,9 @@
 [Match]
 Name=wifi
+[Link]
+RequiredForOnline=false
 [Network]
 Address=192.168.254.1/24
-Address=fc00::1/128
 DHCPServer=true
 IPv6SendRA=true
 IPForward=true

router/etc/systemd/resolved.conf

@@ -1,7 +0,0 @@
-[Resolve]
-DNS=2620:fe::10#dns10.quad9.net 9.9.9.10#dns10.quad9.net
-FallbackDNS=
-DNSSEC=true
-DNSOverTLS=true
-DNSStubListenerExtra=0.0.0.0
-DNSStubListenerExtra=::

router/etc/systemd/system/hostapd.service.d/override.conf

@@ -0,0 +1,3 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target

router/etc/systemd/system/systemd-networkd-wait-online.service.d/override.conf

@@ -1,3 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/lib/systemd/systemd-networkd-wait-online -i external

router/etc/unbound/unbound.conf

@@ -0,0 +1,14 @@
+server:
+  interface: 0.0.0.0
+  interface: ::
+  access-control: 192.168.0.0/16 allow
+  access-control: fe80::/10 allow
+  chroot: ""
+  tls-system-cert: yes
+  trust-anchor-file: /usr/etc/unbound/dnssec-root.key
+forward-zone:
+  name: .
+  forward-tls-upstream: yes
+  forward-addr: 2620:fe::10#dns10.quad9.net
+  forward-addr: 9.9.9.10#dns10.quad9.net
+include: /etc/unbound/local.conf

setup-router.sh

@@ -2,6 +2,7 @@
 set -e
 cp -R home/* /
 sh setup-server.sh
-rpm-ostree install --idempotent hostapd systemd-networkd wireless-regdb
-systemctl enable --now nftables systemd-networkd
-systemctl disable --now NetworkManager
+rpm-ostree install --idempotent hostapd systemd-networkd unbound wireless-regdb
+systemctl enable --now nftables systemd-networkd unbound
+systemctl disable --now NetworkManager systemd-resolved
+systemctl mask unbound-anchor