nixos-config/machines/shinobu/services/router/dnsmasq.nix

{ config, ... }:
let
  cfg = import ./common.nix;
in
{
  services.dnsmasq = {
    enable = true;

    settings = {
      bogus-priv = true; # do not forward revese lookups of internal addresses
      domain-needed = true; # do not forward names without domain
      interface = "br-lan"; # only respond to queries from lan
      no-hosts = true; # do not resolve hosts from /etc/hosts
      no-resolv = true; # only use explicitly configured resolvers

      cache-size = 10000;

      inherit (cfg) domain;

      # Allow resolving the router
      interface-name = [
        "${config.networking.hostName}.${cfg.domain},br-lan"
        "${config.networking.hostName},br-lan"
      ];

      # DHCPv4
      dhcp-range = [
        "10.80.1.20,10.80.1.150,12h" # DHCPv4
        "fd00:80:1::,ra-stateless,ra-names" # SLAAC (for addresses) / DHCPv6 (for DNS)
      ];
      dhcp-option = [
        "option:router,10.80.1.1"
        "option6:dns-server,fd00:80:1::1"
      ];

      # Despite its name, the switch does not have a “smart” configuration,
      # that would allow me to tell it not to get DHCP from wan,
      # but from lan instead.
      # So it has to use static configuration.
      host-record = "switchviech,switchviech.${cfg.domain},10.80.1.19";
      server = [
        "127.0.0.1#5053"
      ];
    };
  };
  systemd.services.dnsmasq.after = [ "systemd-networkd.service" ];

  networking.firewall.allowedUDPPorts = [ 53 67 ];
  networking.firewall.allowedTCPPorts = [ 53 ];

  services.prometheus.exporters.dnsmasq = {
    enable = true;
    listenAddress = config.sbruder.wireguard.home.address;
    leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
  };

  services.https-dns-proxy = {
    enable = true;
    provider = {
      kind = "custom";
      ips = [ "9.9.9.9" "149.112.112.112" ];
      url = "https://dns.quad9.net/dns-query";
    };
  };
}
shinobu/router: Split configuration 2023-09-24 14:41:22 +02:00			`{ config, ... }:`
			`let`
			`cfg = import ./common.nix;`
			`in`
			`{`
			`services.dnsmasq = {`
			`enable = true;`

			`settings = {`
			`bogus-priv = true; # do not forward revese lookups of internal addresses`
			`domain-needed = true; # do not forward names without domain`
			`interface = "br-lan"; # only respond to queries from lan`
			`no-hosts = true; # do not resolve hosts from /etc/hosts`
			`no-resolv = true; # only use explicitly configured resolvers`

			`cache-size = 10000;`

			`inherit (cfg) domain;`

			`# Allow resolving the router`
			`interface-name = [`
			`"${config.networking.hostName}.${cfg.domain},br-lan"`
			`"${config.networking.hostName},br-lan"`
			`];`

			`# DHCPv4`
			`dhcp-range = [`
			`"10.80.1.20,10.80.1.150,12h" # DHCPv4`
			`"fd00:80:1::,ra-stateless,ra-names" # SLAAC (for addresses) / DHCPv6 (for DNS)`
			`];`
			`dhcp-option = [`
			`"option:router,10.80.1.1"`
			`"option6:dns-server,fd00:80:1::1"`
			`];`

			`# Despite its name, the switch does not have a “smart” configuration,`
			`# that would allow me to tell it not to get DHCP from wan,`
			`# but from lan instead.`
			`# So it has to use static configuration.`
			`host-record = "switchviech,switchviech.${cfg.domain},10.80.1.19";`
			`server = [`
			`"127.0.0.1#5053"`
			`];`
			`};`
			`};`
			`systemd.services.dnsmasq.after = [ "systemd-networkd.service" ];`

			`networking.firewall.allowedUDPPorts = [ 53 67 ];`
			`networking.firewall.allowedTCPPorts = [ 53 ];`

			`services.prometheus.exporters.dnsmasq = {`
			`enable = true;`
			`listenAddress = config.sbruder.wireguard.home.address;`
			`leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";`
			`};`

			`services.https-dns-proxy = {`
			`enable = true;`
			`provider = {`
			`kind = "custom";`
			`ips = [ "9.9.9.9" "149.112.112.112" ];`
			`url = "https://dns.quad9.net/dns-query";`
			`};`
			`};`
			`}`