nixos-config/machines/shinobu/services/router/dnsmasq.nix

# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, lib, pkgs, ... }:
let
  cfg = pkgs.callPackage ./common.nix { };
in
{
  services.dnsmasq = {
    enable = true;

    settings = {
      bogus-priv = true; # do not forward revese lookups of internal addresses
      domain-needed = true; # do not forward names without domain
      interface = lib.mapAttrsToList (name: config: "br-${name}") cfg.vlan; # only respond to queries from own interfaces
      no-hosts = true; # do not resolve hosts from /etc/hosts
      no-resolv = true; # only use explicitly configured resolvers
      dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS

      cache-size = 10000;

      domain = [
        "invalid.sbruder.de" # used when no rule below matches
      ] ++ (lib.flatten (lib.mapAttrsToList
        (name: { domain, subnet, ... }: [
          "${domain},br-${name}" # only this is not enough
          "${domain},${subnet.v4.cidr}"
          "${domain},${subnet.v6.cidr}"
        ])
        cfg.vlan));

      # Allow resolving the router
      interface-name = lib.mapAttrsToList (name: { domain, ... }: "${config.networking.hostName}.${domain},br-${name}") cfg.vlan;

      dhcp-range = lib.flatten (lib.mapAttrsToList
        (name: { subnet, ... }: [
          "tag:br-${name},${subnet.v4.withoutLastComponent}2,${subnet.v4.withoutLastComponent}254,12h" # DHCPv4
          "tag:br-${name},${subnet.v6.net},ra-stateless,ra-names" # SLAAC (for addresses) / DHCPv6 (for DNS)
        ])
        cfg.vlan);
      dhcp-option = lib.flatten (lib.mapAttrsToList
        (name: { subnet, ... }: [
          "tag:br-${name},option:router,${subnet.v4.gateway}"
          "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
        ])
        cfg.vlan);

      nftset = [
        "/pool.ntp.org/4#inet#filter#iot_ntp4"
        "/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
      ];

      server = [
        "127.0.0.1#5053"
      ];
    };
  };
  systemd.services.dnsmasq.after = [ "systemd-networkd.service" ];

  networking.firewall.allowedUDPPorts = [ 53 67 ];
  networking.firewall.allowedTCPPorts = [ 53 ];

  services.prometheus.exporters.dnsmasq = {
    enable = true;
    listenAddress = config.sbruder.wireguard.home.address;
    leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
  };

  services.https-dns-proxy = {
    enable = true;
    provider = {
      kind = "custom";
      ips = [ "9.9.9.9" "149.112.112.112" ];
      url = "https://dns.quad9.net/dns-query";
    };
  };
}