Simon Bruder
b55cc2deaf
This is required to have them available in nftables rules without too much headache.
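# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# dnsmasq for the VLAN bridges: recursive DNS (forwarded to a local DNS-over-HTTPS
# proxy), DHCPv4, SLAAC / stateless DHCPv6, and a small authoritative zone.
{ config, lib, pkgs, ... }:

let
  # Shared network description (VLANs, subnets, static hosts); see ./common.nix.
  cfg = pkgs.callPackage ./common.nix { };

  # Domains whose AAAA answers dnsmasq collects into the "he-bypass" nftables set
  # (the set is consumed by firewall rules defined elsewhere).
  bypassHe = [
    "googlevideo.com"
    "youtube.com"
  ];

  # Name of the bridge interface that carries a VLAN.
  bridgeOf = name: "br-${name}";
in
{
  services.dnsmasq = {
    enable = true;

    settings = {
      bogus-priv = true; # do not forward reverse lookups of internal addresses
      domain-needed = true; # do not forward names without domain
      # Only answer queries that arrive on the VLAN bridges (the attribute value is
      # unused here, so it is not bound to a name that would shadow `config`).
      interface = lib.mapAttrsToList (name: _: bridgeOf name) cfg.vlan;
      no-hosts = true; # do not resolve hosts from /etc/hosts
      no-resolv = true; # only use explicitly configured resolvers
      dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS

      cache-size = 10000;

      domain = [
        "invalid.sbruder.de" # fallback when none of the per-VLAN rules below matches
      ] ++ (lib.flatten (lib.mapAttrsToList
        (name: { domain, subnet, ... }: [
          # Match on the receiving bridge and on both address ranges: the
          # interface rule on its own does not cover every case.
          "${domain},${bridgeOf name}"
          "${domain},${subnet.v4.cidr}"
          "${domain},${subnet.v6.cidr}"
        ])
        cfg.vlan));

      # Allow resolving the router under each VLAN's domain
      interface-name = lib.mapAttrsToList (name: { domain, ... }: "${config.networking.hostName}.${domain},${bridgeOf name}") cfg.vlan;

      dhcp-range = lib.flatten (lib.mapAttrsToList
        (name: { subnet, ... }: [
          # DHCPv4; the .2–.254 pool assumes a /24 per VLAN — TODO confirm against common.nix
          "tag:${bridgeOf name},${subnet.v4.withoutLastComponent}2,${subnet.v4.withoutLastComponent}254,12h"
          "tag:${bridgeOf name},${subnet.v6.net},ra-stateless,ra-names" # SLAAC (for addresses) / DHCPv6 (for DNS)
        ])
        cfg.vlan);
      dhcp-option = lib.flatten (lib.mapAttrsToList
        (name: { subnet, ... }: [
          # Default gateway (v4) and the DNS server advertised to v6 clients
          # (the gateway address on that VLAN)
          "tag:${bridgeOf name},option:router,${subnet.v4.gateway}"
          "tag:${bridgeOf name},option6:dns-server,${subnet.v6.gateway}"

          # NTP server (runs on gateway)
          "tag:${bridgeOf name},option:ntp-server,${subnet.v4.gateway}"
          "tag:${bridgeOf name},option6:ntp-server,${subnet.v6.gateway}"
        ])
        cfg.vlan);

      # Fixed DHCPv4 leases, keyed by host name; the tag pins a lease to its VLAN
      dhcp-host = lib.mapAttrsToList
        (name: { hwaddr, address4, vlan, ... }: "${hwaddr},tag:${bridgeOf vlan},${address4},${name}")
        cfg.staticHosts;

      # IPv6 addresses resolved for bypassHe go to nftables set ip6/he-bypass/addresses
      nftset = [
        "/${lib.concatStringsSep "/" bypassHe}/6#ip6#he-bypass#addresses"
      ];

      # Sole upstream: the local https-dns-proxy configured below (module default port)
      server = [
        "127.0.0.1#5053"
      ];

      # Authoritative zones for external reachability (only AAAA records)
      auth-server = "shinobu.shinonome-lab.de,2001:470:73b9::1";
      auth-zone = map
        (vlan: "${vlan.domain},${vlan.subnet.v6.cidr}")
        (lib.attrValues cfg.vlan);
    };
  };
  # The bridges must exist before dnsmasq binds to them
  systemd.services.dnsmasq.after = [ "systemd-networkd.service" ];

  # DNS (53) and DHCPv4 (67) are opened on every interface. 53 presumably has to
  # stay global because the authoritative zone is served on the auth-server
  # address; 67 is only needed on the bridges and could be narrowed with
  # networking.firewall.interfaces.<bridge>.allowedUDPPorts.
  # NOTE(review): stateless DHCPv6 (ra-stateless above) is answered on UDP 547,
  # which is not opened here — confirm it is allowed by the nftables rules
  # maintained elsewhere.
  networking.firewall.allowedUDPPorts = [ 53 67 ];
  networking.firewall.allowedTCPPorts = [ 53 ];

  # Lease/query metrics, reachable only over the WireGuard home network
  services.prometheus.exporters.dnsmasq = {
    enable = true;
    listenAddress = config.sbruder.wireguard.home.address;
    leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
  };

  # DNS-over-HTTPS upstream used by dnsmasq's `server` entry above
  services.https-dns-proxy = {
    enable = true;
    provider = {
      kind = "custom";
      ips = [ "9.9.9.9" "149.112.112.112" ];
      url = "https://dns.quad9.net/dns-query";
    };
  };
}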