dnsmasq server configurations
This commit is contained in:
parent
4c46c0b825
commit
6a7e47a9e8
85
flake.lock
85
flake.lock
|
@ -180,7 +180,7 @@
|
|||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems_2"
|
||||
"systems": "systems_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
|
@ -239,11 +239,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1713294767,
|
||||
"narHash": "sha256-LmaabaQZdx52MPGKPRt9Opoc9Gd9RbwvCdysUUYQoXI=",
|
||||
"lastModified": 1713713092,
|
||||
"narHash": "sha256-rvyr6BBtn3cq5B/48rhJlbIOpxprwlO/71663sd9Gik=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "fa8c16e2452bf092ac76f09ee1fb1e9f7d0796e7",
|
||||
"rev": "2846d5230a3c3923618eabb367deaf8885df580f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -279,11 +279,11 @@
|
|||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1713105314,
|
||||
"narHash": "sha256-X3URKbcgIy4UaQGrsy3DmY5x+fePQ5IYaa76YewoUE0=",
|
||||
"lastModified": 1713701427,
|
||||
"narHash": "sha256-v6z8hz/UDaC/rbnkH+hxGFUxlNyseVntRetVpSxLU6c=",
|
||||
"owner": "nix-community",
|
||||
"repo": "lib-aggregate",
|
||||
"rev": "f347ed9a1cab12c27541ed4d173e2f2d5c9bc0bb",
|
||||
"rev": "3b32a98eb3053f8c8ca55497d1881443ef2996e6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -297,7 +297,7 @@
|
|||
"flake-parts": "flake-parts",
|
||||
"nix-github-actions": "nix-github-actions",
|
||||
"nixpkgs": "nixpkgs_6",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
"treefmt-nix": "treefmt-nix_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705242886,
|
||||
|
@ -373,14 +373,16 @@
|
|||
"flake-compat": "flake-compat_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
],
|
||||
"systems": "systems_2",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1708022692,
|
||||
"narHash": "sha256-T2o3XwFWK5bYNnVqEYdW9JqmOtgpn26/GCgbrVJ47ls=",
|
||||
"lastModified": 1713393417,
|
||||
"narHash": "sha256-YriEUgA8u37V859nbSpqeYlL/GiezzeBIyBAAzhxZaI=",
|
||||
"owner": "Janik-Haag",
|
||||
"repo": "nixos-dns",
|
||||
"rev": "0205c8cc6b4f7f75689a922b0bf20730c64a51f4",
|
||||
"rev": "1cf30ea07873b291fc39265d4c6dc63bfdf67ad7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -412,11 +414,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1712909959,
|
||||
"narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
|
||||
"lastModified": 1713521961,
|
||||
"narHash": "sha256-EwR8wW9AqJhSIY+0oxWRybUZ32BVKuZ9bjlRh8SJvQ8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
|
||||
"rev": "5d48925b815fd202781bfae8fb6f45c07112fdb2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -444,11 +446,11 @@
|
|||
},
|
||||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"lastModified": 1713055793,
|
||||
"narHash": "sha256-vIrZQykYW32RnlI2lT/gCcB59BOIqqrAmPirBdiirrc=",
|
||||
"lastModified": 1713660444,
|
||||
"narHash": "sha256-2bVnrEGyWJhRNKspzfTJmVD/fsH9HQURD4cWpz79Ulw=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"rev": "361d8a4f443bbfab20bd6d222f9022b8c6665906",
|
||||
"rev": "6882347415e352cfc9c277cc01f73e0f5cb7b93c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -467,11 +469,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1713349019,
|
||||
"narHash": "sha256-H8FjOiATw0/k2fq2VcCE7Vov5Ic+S1x0h4nDImM1cUQ=",
|
||||
"lastModified": 1713719682,
|
||||
"narHash": "sha256-d6YzWLGoHF3si3fHZ5qv587gR16Bgk7EQgrvgtCaoRM=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs-wayland",
|
||||
"rev": "f8c128a08d5873682e8518af7c401512381cfd73",
|
||||
"rev": "df1a94e03aaf5324dd2d9fe6d965422d26d1e6e1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -530,11 +532,11 @@
|
|||
},
|
||||
"nixpkgs_5": {
|
||||
"locked": {
|
||||
"lastModified": 1713254108,
|
||||
"narHash": "sha256-0TZIsfDbHG5zibtlw6x0yOp3jkInIGaJ35B7Y4G8Pec=",
|
||||
"lastModified": 1713687659,
|
||||
"narHash": "sha256-Yd8KuOBpZ0Slau/NxFhMPJI0gBxeax0vq/FD0rqKwuQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2fd19c8be2551a61c1ddc3d9f86d748f4db94f00",
|
||||
"rev": "f2d7a289c5a5ece8521dd082b81ac7e4a57c2c5c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -605,6 +607,20 @@
|
|||
}
|
||||
},
|
||||
"systems_2": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "systems",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"systems_3": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
|
@ -678,6 +694,27 @@
|
|||
}
|
||||
},
|
||||
"treefmt-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixos-dns",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1711963903,
|
||||
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"treefmt-nix_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs-wayland",
|
||||
|
|
34
flake.nix
34
flake.nix
|
@ -54,7 +54,7 @@
|
|||
owner = "octodns";
|
||||
repo = pname;
|
||||
rev = "main";
|
||||
sha256 = "sha256-KVdH55wkTk2n2t/Y+n9+/5SCk3ml8vXIlFbtmOL4DlA=";
|
||||
sha256 = "sha256-cBdR6LCIivR4L9PePy5ZOOhV/JdanlujWgueCQma9fo=";
|
||||
};
|
||||
doCheck = false;
|
||||
propagatedBuildInputs = with pkgs.python3Packages; [
|
||||
|
@ -402,6 +402,38 @@ g
|
|||
}
|
||||
];
|
||||
};
|
||||
dnsmasq = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
agenix.nixosModules.default
|
||||
(import ./nix/dnsmasq/configuration.nix)
|
||||
{
|
||||
_module.args.nixinate = {
|
||||
host = "192.168.50.87";
|
||||
sshUser = "root";
|
||||
buildOn = "remote";
|
||||
substituteOnTarget = true;
|
||||
hermetic = false;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
dnsmasq-floof = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
agenix.nixosModules.default
|
||||
(import ./nix/dnsmasq-floof/configuration.nix)
|
||||
{
|
||||
_module.args.nixinate = {
|
||||
host = "10.230.101.104";
|
||||
sshUser = "root";
|
||||
buildOn = "remote";
|
||||
substituteOnTarget = true;
|
||||
hermetic = false;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
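Review bot: The octodns source in the first hunk still fetches `rev = "main";` with a fixed `sha256`, and this very commit has to bump that hash because the branch moved; the fixed-output hash does protect integrity, but every upstream push becomes a hash-mismatch build failure and the hash alone does not record which revision was actually reviewed. Replace `rev = "main";` with the full commit SHA the new `sha256` was computed against so URL, revision and hash pin the same content. In the second hunk both nixinate entries deploy as `sshUser = "root"` with `hermetic = false`, which as I understand nixinate means the remote build runs with whatever Nix the target already has rather than the flake's pinned one; if the deploys are meant to be reproducible, consider `hermetic = true;`. The enclosing attribute set these two `nixosSystem` entries live in starts outside the hunk.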
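--- /dev/null
+++ b/nix/dnsmasq-floof/configuration.nix
@@ -0,0 +1,79 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  age.secrets.dnsmasq-nextdns-profile = {
+    file = ../../secrets/dnsmasq-nextdns-profile.age;
+    owner = "dnsmasq";
+  };
+
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = ["nix-command" "flakes"];
+    };
+  };
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking = {
+    hostName = "dnsmasq-cache"; # Define your hostname.
+    firewall = {
+      enable = true;
+      allowedUDPPorts = [53];
+      allowedTCPPorts = [22 53 9153];
+      trustedInterfaces = ["enp6s18" "tailscale0"];
+      checkReversePath = "loose";
+      allowedUDPPortRanges = [
+        {
+          from = 3000;
+          to = 22000;
+        }
+      ];
+    };
+
+    nftables.enable = true;
+  };
+
+  services = {
+    openssh.enable = true;
+    tailscale.enable = true;
+    dnsmasq = {
+      enable = true;
+      settings = {
+        interface = "tailscale0";
+        cache-size = "4000";
+        no-resolv = true;
+        bogus-priv = true;
+        strict-order = true;
+        server = ["2a07:a8c1::" "45.90.30.0" "2a07:a8c0::" "45.90.28.0" ];
+        conf-file = "${config.age.secrets.dnsmasq-nextdns-profile.path}";
+      };
+    };
+  };
+
+  environment = {
+    systemPackages = with pkgs; [
+      tailscale
+    ];
+  };
+
+  virtualisation.oci-containers.containers = {
+    dnsmasq_exporter = {
+      image = "git.gmem.ca/arch/dnsmasq_exporter";
+      extraOptions = ["--network=host"];
+    };
+  };
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+}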
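Review bot: `trustedInterfaces = ["enp6s18" "tailscale0"];` accepts all inbound traffic on both interfaces unconditionally, and since enp6s18 appears to be this VM's only physical NIC (it is the interface named in the hardware file's commented `networking.interfaces.enp6s18` line), the `allowedTCPPorts`, `allowedUDPPorts` and the 3000–22000 `allowedUDPPortRanges` entry below it never filter anything — the firewall is effectively open. Drop the uplink from the trusted list, `trustedInterfaces = ["tailscale0"];`, and let the port lists carry the LAN policy, or delete the port lists if trusting the LAN really is the intent so the config does not suggest a restriction that is not there. The `dnsmasq_exporter` container also runs with `--network=host` from `git.gmem.ca/arch/dnsmasq_exporter` with no tag or digest, so each pull takes whatever the registry's default tag points to at that moment; pin it by digest, `image = "git.gmem.ca/arch/dnsmasq_exporter@sha256:…";`, so a registry compromise or accidental push cannot change what runs in the host's network namespace.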
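--- /dev/null
+++ b/nix/dnsmasq-floof/disk-config.nix
@@ -0,0 +1,32 @@
+{
+  disko.devices = {
+    disk = {
+      my-disk = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}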
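Review bot: `device = "/dev/sda";` is an enumeration-order name, and disko will repartition whatever the kernel happens to expose as sda when this config is applied; the matching hardware file loads `virtio_scsi` and `sr_mod`, so an attached ISO or a second virtual disk can shift that assignment. Prefer a stable path taken from the target VM, e.g. `device = "/dev/disk/by-id/<…>";` or a `/dev/disk/by-path/…` entry. Separately, the ESP is mounted at `/boot` as plain vfat with no `mountOptions`; disko's own templates add `mountOptions = [ "umask=0077" ];` on the ESP so the bootloader-managed kernels and initrds are not world-readable, and that is worth adding here too.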
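--- /dev/null
+++ b/nix/dnsmasq-floof/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      ''${builtins.fetchTarball {
+        url = "https://github.com/nix-community/disko/archive/master.tar.gz";
+        sha256 = "0qyl65hs2j4f5ffj2lv5kb4hc1gradkqvv2j35hbdyiik155l4gn";
+      }}/module.nix''
+      ./disk-config.nix
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}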
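Review bot: The disko module is imported via `builtins.fetchTarball` of `.../disko/archive/master.tar.gz` pinned by `sha256`; the hash guards integrity, but `master` moves, so this import will fail with a hash mismatch on the next upstream commit, and a flake project already has a locked-input mechanism for exactly this. Add disko as an input in flake.nix and pass `disko.nixosModules.disko` through the module list the same way `agenix.nixosModules.default` is passed, or at minimum replace `master.tar.gz` with a commit-specific archive URL so revision and hash are pinned together. The header `# Do not modify this file!` is also no longer true since the disko and `./disk-config.nix` imports were hand-added; a line such as `# Hand-edited after generation: disko + disk-config imports added; re-add them if this file is regenerated.` would keep the next `nixos-generate-config` run from silently dropping them.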
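--- /dev/null
+++ b/nix/dnsmasq/configuration.nix
@@ -0,0 +1,87 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  age.secrets.dnsmasq-nextdns-profile = {
+    file = ../../secrets/dnsmasq-nextdns-profile.age;
+    owner = "dnsmasq";
+  };
+
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = ["nix-command" "flakes"];
+    };
+  };
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking = {
+    hostName = "dnsmasq-cache"; # Define your hostname.
+    useDHCP = false;
+
+    interfaces.enp6s18.ipv4.addresses = [ {
+      address = "192.168.50.87";
+      prefixLength = 24;
+    } ];
+    nameservers = [ "1.1.1.1" "1.0.0.1" ];
+    firewall = {
+      enable = true;
+      allowedUDPPorts = [53];
+      allowedTCPPorts = [22 53 9153];
+      trustedInterfaces = ["enp6s18" "tailscale0"];
+      checkReversePath = "loose";
+      allowedUDPPortRanges = [
+        {
+          from = 3000;
+          to = 22000;
+        }
+      ];
+    };
+    defaultGateway = "192.168.50.1";
+    defaultGateway6 = "2a02:1648:6709::1";
+    nftables.enable = true;
+  };
+
+  services = {
+    openssh.enable = true;
+    tailscale.enable = true;
+    dnsmasq = {
+      enable = true;
+      settings = {
+        interface = "tailscale0";
+        cache-size = "4000";
+        no-resolv = true;
+        bogus-priv = true;
+        strict-order = true;
+        server = ["2a07:a8c1::" "45.90.30.0" "2a07:a8c0::" "45.90.28.0" ];
+        conf-file = "${config.age.secrets.dnsmasq-nextdns-profile.path}";
+      };
+    };
+  };
+
+  environment = {
+    systemPackages = with pkgs; [
+      tailscale
+    ];
+  };
+
+  virtualisation.oci-containers.containers = {
+    dnsmasq_exporter = {
+      image = "git.gmem.ca/arch/dnsmasq_exporter";
+      extraOptions = ["--network=host"];
+    };
+  };
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+}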
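Review bot: With `trustedInterfaces = ["enp6s18" "tailscale0"];` the firewall accepts everything arriving on the static-IP uplink enp6s18 as well as on the tailnet, so the `allowedTCPPorts`/`allowedUDPPorts` lists and the very wide `allowedUDPPortRanges` 3000–22000 entry are never consulted for LAN traffic; if only the tailnet is meant to be implicitly trusted, use `trustedInterfaces = ["tailscale0"];` and keep the port lists for the LAN side. Two smaller points: `nameservers = [ "1.1.1.1" "1.0.0.1" ];` sends this host's own lookups to Cloudflare rather than through the local dnsmasq/NextDNS path the rest of the file sets up, which may or may not be intended and deserves a one-line comment either way. And `hostName = "dnsmasq-cache";` is the same name nix/dnsmasq-floof/configuration.nix uses, so both machines will register identically (Tailscale typically appends a numeric suffix, but logs and SSH known_hosts become ambiguous); `hostName = "dnsmasq";` here, matching the flake attribute, would disambiguate.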
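--- /dev/null
+++ b/nix/dnsmasq/disk-config.nix
@@ -0,0 +1,32 @@
+{
+  disko.devices = {
+    disk = {
+      my-disk = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}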
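Review bot: This file is identical to nix/dnsmasq-floof/disk-config.nix, including `device = "/dev/sda";`, which names the disk by enumeration order and is the device disko will wipe and repartition; with `virtio_scsi` and `sr_mod` both loaded in the hardware file, an attached ISO or extra disk can change which device that is. Use a stable `device = "/dev/disk/by-id/<…>";` path read from each VM, which also gives the two hosts a reason to differ instead of sharing a copy-pasted layout. If the layout is meant to stay common, move it to one shared module that takes the device as an argument and import it from both hosts.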
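--- /dev/null
+++ b/nix/dnsmasq/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      ''${builtins.fetchTarball {
+        url = "https://github.com/nix-community/disko/archive/master.tar.gz";
+        sha256 = "0qyl65hs2j4f5ffj2lv5kb4hc1gradkqvv2j35hbdyiik155l4gn";
+      }}/module.nix''
+      ./disk-config.nix
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}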
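Review bot: This is a byte-for-byte copy of nix/dnsmasq-floof/hardware-configuration.nix, including the `builtins.fetchTarball` of disko's `master.tar.gz` pinned by `sha256`, so the next disko commit to master breaks evaluation of both hosts at once with a hash mismatch and the two hashes will have to be bumped in lockstep. Since the repository is already a flake with locked inputs (agenix is wired in as `agenix.nixosModules.default`), add disko as a flake input, pass its `nixosModules.disko` in both `nixosSystem` module lists, and drop the `fetchTarball` import here. If a tarball import has to stay, use a commit-specific archive URL rather than `master.tar.gz` so the URL and the hash pin the same revision.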
9
secrets/dnsmasq-nextdns-profile.age
Normal file
9
secrets/dnsmasq-nextdns-profile.age
Normal file
|
@ -0,0 +1,9 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 o0sdgw 9I44ptc/Dwhk2EcjCtJhl3kSu69BXMRCPHZAdt9kJgE
|
||||
t8gc+3qVIkEuyNSWE3S3vEhV+q7uSMe/qIJccV6ln54
|
||||
-> ssh-ed25519 C7Rp1Q G0PsVpG+bRptzUhAxYNkerKqhYRgnYatX2S4vEj0F2M
|
||||
sivnnSL3QRKXPubK6Bk1ASdriuOx7uwoA89iWjsazi8
|
||||
-> ssh-ed25519 qbziOw sZzOsi5z1YTAHY809dsew0rLRuSxLQLLbwF+zTXHLjo
|
||||
j0uANQ6MrUdwCI+Qf9dimMnZheP2zUNsGzHGgrD4oO4
|
||||
--- QJmFdG6wwF307+25uBp0E9aSGjH0eAmNEYI/RfZ5c7k
|
||||
¦Æԧƾw5ÞôÚ7…ÿÐTÚ¼!É>ƒýÔZö½p]Ÿ<àÇO‰ï¿<C3AF>íÎÎX
|