nixos-config/machines/shinobu/services/router/dnsmasq.nix

94 lines
3 KiB
Nix

# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
cfg = pkgs.callPackage ./common.nix { };
bypassHe = [
"googlevideo.com"
"youtube.com"
];
in
{
services.dnsmasq = {
enable = true;
settings = {
bogus-priv = true; # do not forward revese lookups of internal addresses
domain-needed = true; # do not forward names without domain
interface = lib.mapAttrsToList (name: config: "br-${name}") cfg.vlan; # only respond to queries from own interfaces
no-hosts = true; # do not resolve hosts from /etc/hosts
no-resolv = true; # only use explicitly configured resolvers
dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
cache-size = 10000;
domain = [
"invalid.sbruder.de" # used when no rule below matches
] ++ (lib.flatten (lib.mapAttrsToList
(name: { domain, subnet, ... }: [
"${domain},br-${name}" # only this is not enough
"${domain},${subnet.v4.cidr}"
"${domain},${subnet.v6.cidr}"
])
cfg.vlan));
# Allow resolving the router
interface-name = lib.mapAttrsToList (name: { domain, ... }: "${config.networking.hostName}.${domain},br-${name}") cfg.vlan;
dhcp-range = lib.flatten (lib.mapAttrsToList
(name: { subnet, ... }: [
"tag:br-${name},${subnet.v4.withoutLastComponent}2,${subnet.v4.withoutLastComponent}254,12h" # DHCPv4
"tag:br-${name},${subnet.v6.net},ra-stateless,ra-names" # SLAAC (for addresses) / DHCPv6 (for DNS)
])
cfg.vlan);
dhcp-option = lib.flatten (lib.mapAttrsToList
(name: { subnet, ... }: [
# Gateway
"tag:br-${name},option:router,${subnet.v4.gateway}"
"tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
# NTP server (runs on gateway)
"tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
"tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
])
cfg.vlan);
nftset = [
"/${lib.concatStringsSep "/" bypassHe}/6#ip6#he-bypass#addresses"
];
server = [
"127.0.0.1#5053"
];
# Authoritative zones for external reachability (only AAAA records)
auth-server = "shinobu.shinonome-lab.de,2001:470:73b9::1";
auth-zone = map
(vlan: "${vlan.domain},${vlan.subnet.v6.cidr}")
(lib.attrValues cfg.vlan);
};
};
systemd.services.dnsmasq.after = [ "systemd-networkd.service" ];
networking.firewall.allowedUDPPorts = [ 53 67 ];
networking.firewall.allowedTCPPorts = [ 53 ];
services.prometheus.exporters.dnsmasq = {
enable = true;
listenAddress = config.sbruder.wireguard.home.address;
leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
};
services.https-dns-proxy = {
enable = true;
provider = {
kind = "custom";
ips = [ "9.9.9.9" "149.112.112.112" ];
url = "https://dns.quad9.net/dns-query";
};
};
}