dnsmasq server configurations

This commit is contained in:
Gabriel Simmer 2024-04-24 13:49:20 +01:00
parent 4c46c0b825
commit 6a7e47a9e8
Signed by: arch
SSH key fingerprint: SHA256:m3OEcdtrnBpMX+2BDGh/byv3hrCekCLzDYMdvGEKPPQ
9 changed files with 391 additions and 25 deletions


@ -180,7 +180,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
@ -239,11 +239,11 @@
]
},
"locked": {
"lastModified": 1713294767,
"narHash": "sha256-LmaabaQZdx52MPGKPRt9Opoc9Gd9RbwvCdysUUYQoXI=",
"lastModified": 1713713092,
"narHash": "sha256-rvyr6BBtn3cq5B/48rhJlbIOpxprwlO/71663sd9Gik=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "fa8c16e2452bf092ac76f09ee1fb1e9f7d0796e7",
"rev": "2846d5230a3c3923618eabb367deaf8885df580f",
"type": "github"
},
"original": {
@ -279,11 +279,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1713105314,
"narHash": "sha256-X3URKbcgIy4UaQGrsy3DmY5x+fePQ5IYaa76YewoUE0=",
"lastModified": 1713701427,
"narHash": "sha256-v6z8hz/UDaC/rbnkH+hxGFUxlNyseVntRetVpSxLU6c=",
"owner": "nix-community",
"repo": "lib-aggregate",
"rev": "f347ed9a1cab12c27541ed4d173e2f2d5c9bc0bb",
"rev": "3b32a98eb3053f8c8ca55497d1881443ef2996e6",
"type": "github"
},
"original": {
@ -297,7 +297,7 @@
"flake-parts": "flake-parts",
"nix-github-actions": "nix-github-actions",
"nixpkgs": "nixpkgs_6",
"treefmt-nix": "treefmt-nix"
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1705242886,
@ -373,14 +373,16 @@
"flake-compat": "flake-compat_2",
"nixpkgs": [
"nixpkgs"
]
],
"systems": "systems_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1708022692,
"narHash": "sha256-T2o3XwFWK5bYNnVqEYdW9JqmOtgpn26/GCgbrVJ47ls=",
"lastModified": 1713393417,
"narHash": "sha256-YriEUgA8u37V859nbSpqeYlL/GiezzeBIyBAAzhxZaI=",
"owner": "Janik-Haag",
"repo": "nixos-dns",
"rev": "0205c8cc6b4f7f75689a922b0bf20730c64a51f4",
"rev": "1cf30ea07873b291fc39265d4c6dc63bfdf67ad7",
"type": "github"
},
"original": {
@ -412,11 +414,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1712909959,
"narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
"lastModified": 1713521961,
"narHash": "sha256-EwR8wW9AqJhSIY+0oxWRybUZ32BVKuZ9bjlRh8SJvQ8=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
"rev": "5d48925b815fd202781bfae8fb6f45c07112fdb2",
"type": "github"
},
"original": {
@ -444,11 +446,11 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1713055793,
"narHash": "sha256-vIrZQykYW32RnlI2lT/gCcB59BOIqqrAmPirBdiirrc=",
"lastModified": 1713660444,
"narHash": "sha256-2bVnrEGyWJhRNKspzfTJmVD/fsH9HQURD4cWpz79Ulw=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "361d8a4f443bbfab20bd6d222f9022b8c6665906",
"rev": "6882347415e352cfc9c277cc01f73e0f5cb7b93c",
"type": "github"
},
"original": {
@ -467,11 +469,11 @@
]
},
"locked": {
"lastModified": 1713349019,
"narHash": "sha256-H8FjOiATw0/k2fq2VcCE7Vov5Ic+S1x0h4nDImM1cUQ=",
"lastModified": 1713719682,
"narHash": "sha256-d6YzWLGoHF3si3fHZ5qv587gR16Bgk7EQgrvgtCaoRM=",
"owner": "nix-community",
"repo": "nixpkgs-wayland",
"rev": "f8c128a08d5873682e8518af7c401512381cfd73",
"rev": "df1a94e03aaf5324dd2d9fe6d965422d26d1e6e1",
"type": "github"
},
"original": {
@ -530,11 +532,11 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1713254108,
"narHash": "sha256-0TZIsfDbHG5zibtlw6x0yOp3jkInIGaJ35B7Y4G8Pec=",
"lastModified": 1713687659,
"narHash": "sha256-Yd8KuOBpZ0Slau/NxFhMPJI0gBxeax0vq/FD0rqKwuQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2fd19c8be2551a61c1ddc3d9f86d748f4db94f00",
"rev": "f2d7a289c5a5ece8521dd082b81ac7e4a57c2c5c",
"type": "github"
},
"original": {
@ -605,6 +607,20 @@
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -678,6 +694,27 @@
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixos-dns",
"nixpkgs"
]
},
"locked": {
"lastModified": 1711963903,
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nixpkgs-wayland",


@ -54,7 +54,7 @@
owner = "octodns";
repo = pname;
rev = "main";
sha256 = "sha256-KVdH55wkTk2n2t/Y+n9+/5SCk3ml8vXIlFbtmOL4DlA=";
sha256 = "sha256-cBdR6LCIivR4L9PePy5ZOOhV/JdanlujWgueCQma9fo=";
};
doCheck = false;
propagatedBuildInputs = with pkgs.python3Packages; [
@ -402,6 +402,38 @@ g
}
];
};
dnsmasq = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
agenix.nixosModules.default
(import ./nix/dnsmasq/configuration.nix)
{
_module.args.nixinate = {
host = "192.168.50.87";
sshUser = "root";
buildOn = "remote";
substituteOnTarget = true;
hermetic = false;
};
}
];
};
dnsmasq-floof = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
agenix.nixosModules.default
(import ./nix/dnsmasq-floof/configuration.nix)
{
_module.args.nixinate = {
host = "10.230.101.104";
sshUser = "root";
buildOn = "remote";
substituteOnTarget = true;
hermetic = false;
};
}
];
};
};
};
}
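Review bot: The bumped `sha256` on the octodns fetch still sits under `rev = "main";`, so the hash only identifies whatever main pointed at when it was computed and will mismatch again on the next upstream push, while the source stays unpinned to any reviewed revision; set `rev = "<octodns-commit-sha>";` to the commit the hash was taken from so the two agree. The two new `nixosSystem` entries, `dnsmasq` and `dnsmasq-floof`, are identical apart from `host` and the imported configuration path; a small function taking those two values would keep the shared `nixinate` settings (`sshUser`, `buildOn`, `substituteOnTarget`, `hermetic`) in one place instead of two copies that can drift. The attribute set these entries belong to is opened outside the hunk.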


@ -0,0 +1,79 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
age.secrets.dnsmasq-nextdns-profile = {
file = ../../secrets/dnsmasq-nextdns-profile.age;
owner = "dnsmasq";
};
nix = {
settings = {
auto-optimise-store = true;
experimental-features = ["nix-command" "flakes"];
};
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking = {
hostName = "dnsmasq-cache"; # Define your hostname.
firewall = {
enable = true;
allowedUDPPorts = [53];
allowedTCPPorts = [22 53 9153];
trustedInterfaces = ["enp6s18" "tailscale0"];
checkReversePath = "loose";
allowedUDPPortRanges = [
{
from = 3000;
to = 22000;
}
];
};
nftables.enable = true;
};
services = {
openssh.enable = true;
tailscale.enable = true;
dnsmasq = {
enable = true;
settings = {
interface = "tailscale0";
cache-size = "4000";
no-resolv = true;
bogus-priv = true;
strict-order = true;
server = ["2a07:a8c1::" "45.90.30.0" "2a07:a8c0::" "45.90.28.0" ];
conf-file = "${config.age.secrets.dnsmasq-nextdns-profile.path}";
};
};
};
environment = {
systemPackages = with pkgs; [
tailscale
];
};
virtualisation.oci-containers.containers = {
dnsmasq_exporter = {
image = "git.gmem.ca/arch/dnsmasq_exporter";
extraOptions = ["--network=host"];
};
};
system.stateVersion = "23.11"; # Did you read the comment?
}
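Review bot: `trustedInterfaces` lists `enp6s18`, which the hardware-configuration.nix in this commit identifies as the host's ethernet interface, so the firewall accepts everything arriving on it and `allowedTCPPorts`, `allowedUDPPorts` and the 3000–22000 UDP range only constrain interfaces outside that list; if the port lists are meant to limit what the LAN can reach, drop `"enp6s18"` from `trustedInterfaces`. The 3000–22000 UDP range is undocumented, and a comment naming the service that needs it (`# UDP 3000-22000: <service>`) would let a later reader tell it from a leftover. The `dnsmasq_exporter` image reference carries no tag or digest, so each pull resolves to whatever the registry currently serves as the default tag; pin it, `image = "git.gmem.ca/arch/dnsmasq_exporter@sha256:<digest>";`, which matters more because the container runs with `--network=host`. The same three points apply to the second configuration.nix in this commit.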


@ -0,0 +1,32 @@
{
disko.devices = {
disk = {
my-disk = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "500M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}
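Review bot: `device = "/dev/sda";` names the disk by enumeration order, and disko will partition and format whatever enumerates as sda at install time; a persistent path under `/dev/disk/by-id/` would make a wrong-disk wipe far less likely if the VM ever gets a second disk attached. The ESP partition has no `mountOptions`; systemd-boot keeps its random-seed file on the ESP and bootctl warns when that mount is world-accessible, which the default vfat mount is, so `mountOptions = [ "umask=0077" ];` inside the ESP `content` block is worth adding. The second disk-config.nix in this commit is identical and has the same two points.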


@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
''${builtins.fetchTarball {
url = "https://github.com/nix-community/disko/archive/master.tar.gz";
sha256 = "0qyl65hs2j4f5ffj2lv5kb4hc1gradkqvv2j35hbdyiik155l4gn";
}}/module.nix''
./disk-config.nix
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
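Review bot: The `builtins.fetchTarball` in `imports` pulls `disko/archive/master.tar.gz` against a fixed `sha256`; that archive changes with every push to master, so the hash will stop matching and evaluation will fail, and it never tied the module to a reviewed revision in the first place. Pin the URL to a tag or commit archive, or better add disko as a flake input next to `agenix` and import it from there; that also moves the import out of a file whose own header says nixos-generate-config may overwrite it, which would silently drop this hand edit. The second hardware-configuration.nix in this commit has the same fetch.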


@ -0,0 +1,87 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
age.secrets.dnsmasq-nextdns-profile = {
file = ../../secrets/dnsmasq-nextdns-profile.age;
owner = "dnsmasq";
};
nix = {
settings = {
auto-optimise-store = true;
experimental-features = ["nix-command" "flakes"];
};
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking = {
hostName = "dnsmasq-cache"; # Define your hostname.
useDHCP = false;
interfaces.enp6s18.ipv4.addresses = [ {
address = "192.168.50.87";
prefixLength = 24;
} ];
nameservers = [ "1.1.1.1" "1.0.0.1" ];
firewall = {
enable = true;
allowedUDPPorts = [53];
allowedTCPPorts = [22 53 9153];
trustedInterfaces = ["enp6s18" "tailscale0"];
checkReversePath = "loose";
allowedUDPPortRanges = [
{
from = 3000;
to = 22000;
}
];
};
defaultGateway = "192.168.50.1";
defaultGateway6 = "2a02:1648:6709::1";
nftables.enable = true;
};
services = {
openssh.enable = true;
tailscale.enable = true;
dnsmasq = {
enable = true;
settings = {
interface = "tailscale0";
cache-size = "4000";
no-resolv = true;
bogus-priv = true;
strict-order = true;
server = ["2a07:a8c1::" "45.90.30.0" "2a07:a8c0::" "45.90.28.0" ];
conf-file = "${config.age.secrets.dnsmasq-nextdns-profile.path}";
};
};
};
environment = {
systemPackages = with pkgs; [
tailscale
];
};
virtualisation.oci-containers.containers = {
dnsmasq_exporter = {
image = "git.gmem.ca/arch/dnsmasq_exporter";
extraOptions = ["--network=host"];
};
};
system.stateVersion = "23.11"; # Did you read the comment?
}
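Review bot: `hostName = "dnsmasq-cache"` is the same value the other configuration.nix in this commit uses, although flake.nix deploys them as two different machines (`dnsmasq` at 192.168.50.87 and `dnsmasq-floof` at 10.230.101.104); two hosts with one name are ambiguous in logs and collide in Tailscale MagicDNS, so this one should get a distinct name. `nameservers = [ "1.1.1.1" "1.0.0.1" ]` sends the host's own lookups to Cloudflare rather than through the dnsmasq/NextDNS chain it runs; if that is meant to avoid a bootstrap loop, a comment saying so would help, otherwise dnsmasq adds loopback automatically when `interface` is set and `nameservers = [ "127.0.0.1" ];` keeps the host under the same policy. The `trustedInterfaces` entry for `enp6s18`, the undocumented 3000–22000 UDP range and the untagged `dnsmasq_exporter` image raise the same points as in the first configuration.nix.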


@ -0,0 +1,32 @@
{
disko.devices = {
disk = {
my-disk = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "500M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}


@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
''${builtins.fetchTarball {
url = "https://github.com/nix-community/disko/archive/master.tar.gz";
sha256 = "0qyl65hs2j4f5ffj2lv5kb4hc1gradkqvv2j35hbdyiik155l4gn";
}}/module.nix''
./disk-config.nix
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 o0sdgw 9I44ptc/Dwhk2EcjCtJhl3kSu69BXMRCPHZAdt9kJgE
t8gc+3qVIkEuyNSWE3S3vEhV+q7uSMe/qIJccV6ln54
-> ssh-ed25519 C7Rp1Q G0PsVpG+bRptzUhAxYNkerKqhYRgnYatX2S4vEj0F2M
sivnnSL3QRKXPubK6Bk1ASdriuOx7uwoA89iWjsazi8
-> ssh-ed25519 qbziOw sZzOsi5z1YTAHY809dsew0rLRuSxLQLLbwF+zTXHLjo
j0uANQ6MrUdwCI+Qf9dimMnZheP2zUNsGzHGgrD4oO4
--- QJmFdG6wwF307+25uBp0E9aSGjH0eAmNEYI/RfZ5c7k
¦ÆÔ§ƾw5ÞôÚ7…ÿÐTÚ¼!É>ƒýÔZö½p]Ÿ<àÇO‰ï¿<C3AF>íÎÎX