diff --git a/flake.lock b/flake.lock index ea41394..b64856b 100644 --- a/flake.lock +++ b/flake.lock @@ -180,7 +180,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1710146030, @@ -239,11 +239,11 @@ ] }, "locked": { - "lastModified": 1713294767, - "narHash": "sha256-LmaabaQZdx52MPGKPRt9Opoc9Gd9RbwvCdysUUYQoXI=", + "lastModified": 1713713092, + "narHash": "sha256-rvyr6BBtn3cq5B/48rhJlbIOpxprwlO/71663sd9Gik=", "owner": "nix-community", "repo": "home-manager", - "rev": "fa8c16e2452bf092ac76f09ee1fb1e9f7d0796e7", + "rev": "2846d5230a3c3923618eabb367deaf8885df580f", "type": "github" }, "original": { @@ -279,11 +279,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1713105314, - "narHash": "sha256-X3URKbcgIy4UaQGrsy3DmY5x+fePQ5IYaa76YewoUE0=", + "lastModified": 1713701427, + "narHash": "sha256-v6z8hz/UDaC/rbnkH+hxGFUxlNyseVntRetVpSxLU6c=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "f347ed9a1cab12c27541ed4d173e2f2d5c9bc0bb", + "rev": "3b32a98eb3053f8c8ca55497d1881443ef2996e6", "type": "github" }, "original": { @@ -297,7 +297,7 @@ "flake-parts": "flake-parts", "nix-github-actions": "nix-github-actions", "nixpkgs": "nixpkgs_6", - "treefmt-nix": "treefmt-nix" + "treefmt-nix": "treefmt-nix_2" }, "locked": { "lastModified": 1705242886, @@ -373,14 +373,16 @@ "flake-compat": "flake-compat_2", "nixpkgs": [ "nixpkgs" - ] + ], + "systems": "systems_2", + "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1708022692, - "narHash": "sha256-T2o3XwFWK5bYNnVqEYdW9JqmOtgpn26/GCgbrVJ47ls=", + "lastModified": 1713393417, + "narHash": "sha256-YriEUgA8u37V859nbSpqeYlL/GiezzeBIyBAAzhxZaI=", "owner": "Janik-Haag", "repo": "nixos-dns", - "rev": "0205c8cc6b4f7f75689a922b0bf20730c64a51f4", + "rev": "1cf30ea07873b291fc39265d4c6dc63bfdf67ad7", "type": "github" }, "original": { 
@@ -412,11 +414,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1712909959, - "narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=", + "lastModified": 1713521961, + "narHash": "sha256-EwR8wW9AqJhSIY+0oxWRybUZ32BVKuZ9bjlRh8SJvQ8=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f", + "rev": "5d48925b815fd202781bfae8fb6f45c07112fdb2", "type": "github" }, "original": { @@ -444,11 +446,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1713055793, - "narHash": "sha256-vIrZQykYW32RnlI2lT/gCcB59BOIqqrAmPirBdiirrc=", + "lastModified": 1713660444, + "narHash": "sha256-2bVnrEGyWJhRNKspzfTJmVD/fsH9HQURD4cWpz79Ulw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "361d8a4f443bbfab20bd6d222f9022b8c6665906", + "rev": "6882347415e352cfc9c277cc01f73e0f5cb7b93c", "type": "github" }, "original": { @@ -467,11 +469,11 @@ ] }, "locked": { - "lastModified": 1713349019, - "narHash": "sha256-H8FjOiATw0/k2fq2VcCE7Vov5Ic+S1x0h4nDImM1cUQ=", + "lastModified": 1713719682, + "narHash": "sha256-d6YzWLGoHF3si3fHZ5qv587gR16Bgk7EQgrvgtCaoRM=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "f8c128a08d5873682e8518af7c401512381cfd73", + "rev": "df1a94e03aaf5324dd2d9fe6d965422d26d1e6e1", "type": "github" }, "original": { @@ -530,11 +532,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1713254108, - "narHash": "sha256-0TZIsfDbHG5zibtlw6x0yOp3jkInIGaJ35B7Y4G8Pec=", + "lastModified": 1713687659, + "narHash": "sha256-Yd8KuOBpZ0Slau/NxFhMPJI0gBxeax0vq/FD0rqKwuQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2fd19c8be2551a61c1ddc3d9f86d748f4db94f00", + "rev": "f2d7a289c5a5ece8521dd082b81ac7e4a57c2c5c", "type": "github" }, "original": { 
@@ -605,6 +607,20 @@ } }, "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "systems_3": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -678,6 +694,27 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixos-dns", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1711963903, + "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "nixpkgs-wayland",
diff --git a/flake.nix b/flake.nix
index 454ca79..cddcdb6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -54,7 +54,7 @@
 owner = "octodns";
 repo = pname;
 rev = "main";
- sha256 = "sha256-KVdH55wkTk2n2t/Y+n9+/5SCk3ml8vXIlFbtmOL4DlA=";
+ sha256 = "sha256-cBdR6LCIivR4L9PePy5ZOOhV/JdanlujWgueCQma9fo=";
 };
 doCheck = false;
 propagatedBuildInputs = with pkgs.python3Packages; [
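Review bot: The new `sha256` only tracks the moving target on the line above it: `rev = "main";` fetches the branch head, so the fixed-output hash matches just the snapshot of main it was computed from and has to be bumped again every time upstream octodns moves, which is what this hunk is doing. Pinning the exact commit that produced the hash, `rev = "<octodns-commit-for-this-hash>";`, makes the fetch reproducible and gives the hash a specific tree to vouch for. The enclosing fetch expression begins outside the hunk.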
@@ -402,6 +402,38 @@ g
 }
 ];
 };
+ dnsmasq = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ agenix.nixosModules.default
+ (import ./nix/dnsmasq/configuration.nix)
+ {
+ _module.args.nixinate = {
+ host = "192.168.50.87";
+ sshUser = "root";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+ }
+ ];
+ };
+ dnsmasq-floof = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ agenix.nixosModules.default
+ (import ./nix/dnsmasq-floof/configuration.nix)
+ {
+ _module.args.nixinate = {
+ host = "10.230.101.104";
+ sshUser = "root";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+ }
+ ];
+ };
 };
 };
 }
diff --git a/nix/dnsmasq-floof/configuration.nix b/nix/dnsmasq-floof/configuration.nix
new file mode 100644
index 0000000..7deac20
--- /dev/null
+++ b/nix/dnsmasq-floof/configuration.nix
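Review bot: The `dnsmasq` and `dnsmasq-floof` definitions are identical apart from the attribute name, the configuration path and the `host` value, so a small helper keeps the nixinate settings in one place and leaves the two hosts differing only where they actually differ. Both deploy with `sshUser = "root"` and `buildOn = "remote"`, so each target has to accept root over SSH; the new configuration.nix files enable openssh without setting `services.openssh.settings.PermitRootLogin`, which leaves the assumption (key-only root login, if the NixOS default is what is relied on) implicit, and stating it explicitly in those hosts' configs documents it. The `nixosConfigurations` attrset these entries are added to begins outside the hunk, so the helper below would live in a `let` that encloses it.
```nix
# helper, defined in a let that encloses the nixosConfigurations attrset
mkDnsmasqHost = configuration: host: nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
  modules = [
    agenix.nixosModules.default
    (import configuration)
    {
      _module.args.nixinate = {
        inherit host;
        sshUser = "root";
        buildOn = "remote";
        substituteOnTarget = true;
        hermetic = false;
      };
    }
  ];
};
# … unchanged: the other nixosConfigurations entries …
dnsmasq = mkDnsmasqHost ./nix/dnsmasq/configuration.nix "192.168.50.87";
dnsmasq-floof = mkDnsmasqHost ./nix/dnsmasq-floof/configuration.nix "10.230.101.104";
```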
@@ -0,0 +1,79 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ age.secrets.dnsmasq-nextdns-profile = {
+ file = ../../secrets/dnsmasq-nextdns-profile.age;
+ owner = "dnsmasq";
+ };
+
+ nix = {
+ settings = {
+ auto-optimise-store = true;
+ experimental-features = ["nix-command" "flakes"];
+ };
+ };
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking = {
+ hostName = "dnsmasq-cache"; # Define your hostname.
+ firewall = {
+ enable = true;
+ allowedUDPPorts = [53];
+ allowedTCPPorts = [22 53 9153];
+ trustedInterfaces = ["enp6s18" "tailscale0"];
+ checkReversePath = "loose";
+ allowedUDPPortRanges = [
+ {
+ from = 3000;
+ to = 22000;
+ }
+ ];
+ };
+
+ nftables.enable = true;
+ };
+
+ services = {
+ openssh.enable = true;
+ tailscale.enable = true;
+ dnsmasq = {
+ enable = true;
+ settings = {
+ interface = "tailscale0";
+ cache-size = "4000";
+ no-resolv = true;
+ bogus-priv = true;
+ strict-order = true;
+ server = ["2a07:a8c1::" "45.90.30.0" "2a07:a8c0::" "45.90.28.0" ];
+ conf-file = "${config.age.secrets.dnsmasq-nextdns-profile.path}";
+ };
+ };
+ };
+
+ environment = {
+ systemPackages = with pkgs; [
+ tailscale
+ ];
+ };
+
+ virtualisation.oci-containers.containers = {
+ dnsmasq_exporter = {
+ image = "git.gmem.ca/arch/dnsmasq_exporter";
+ extraOptions = ["--network=host"];
+ };
+ };
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+}
diff --git a/nix/dnsmasq-floof/disk-config.nix b/nix/dnsmasq-floof/disk-config.nix
new file mode 100644
index 0000000..549a3dd
--- /dev/null
+++ b/nix/dnsmasq-floof/disk-config.nix
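Review bot: `trustedInterfaces = ["enp6s18" "tailscale0"]` accepts all traffic arriving on the LAN-facing enp6s18 unconditionally, so `allowedTCPPorts = [22 53 9153]`, `allowedUDPPorts = [53]` and the 3000–22000 UDP range only constrain interfaces not in that list; if the allow-lists describe what the LAN should reach, the line should be `trustedInterfaces = ["tailscale0"];`, and with dnsmasq bound via `interface = "tailscale0"` the LAN side presumably needs little beyond 22. The exporter is pulled as `image = "git.gmem.ca/arch/dnsmasq_exporter"` with no tag or digest and runs with `--network=host`, so whatever the registry currently serves as latest gets the host's network namespace on each pull; pinning it, e.g. `image = "git.gmem.ca/arch/dnsmasq_exporter@sha256:<image-digest>";`, makes the deployed exporter reproducible (9153 is presumably its metrics port). The same firewall block and container definition are repeated verbatim in nix/dnsmasq/configuration.nix.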
@@ -0,0 +1,32 @@
+{
+ disko.devices = {
+ disk = {
+ my-disk = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "500M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nix/dnsmasq-floof/hardware-configuration.nix b/nix/dnsmasq-floof/hardware-configuration.nix
new file mode 100644
index 0000000..8f48f9f
--- /dev/null
+++ b/nix/dnsmasq-floof/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ''${builtins.fetchTarball {
+ url = "https://github.com/nix-community/disko/archive/master.tar.gz";
+ sha256 = "0qyl65hs2j4f5ffj2lv5kb4hc1gradkqvv2j35hbdyiik155l4gn";
+ }}/module.nix''
+ ./disk-config.nix
+ ];
+
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
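Review bot: `builtins.fetchTarball` of `https://github.com/nix-community/disko/archive/master.tar.gz` pinned by a fixed `sha256` ties the hash to whatever snapshot of master existed when it was computed, so the import stops evaluating as soon as that branch moves, and the dependency is invisible to the flake.lock this commit otherwise updates. Since the repository is a flake, add disko to its `inputs` and put `disko.nixosModules.disko` in the `modules` list of the `dnsmasq` and `dnsmasq-floof` systems in flake.nix, dropping the fetchTarball import here; failing that, the URL should at least name a commit or release tarball instead of `master`. The header comment still claims the file was generated by nixos-generate-config and must not be edited, which no longer holds once the disko import is hand-added, so amend it, e.g. `# Generated by nixos-generate-config; the disko import below was added by hand.`. nix/dnsmasq/hardware-configuration.nix is an identical copy with the same issue.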
diff --git a/nix/dnsmasq/configuration.nix b/nix/dnsmasq/configuration.nix
new file mode 100644
index 0000000..6792935
--- /dev/null
+++ b/nix/dnsmasq/configuration.nix
@@ -0,0 +1,87 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ age.secrets.dnsmasq-nextdns-profile = {
+ file = ../../secrets/dnsmasq-nextdns-profile.age;
+ owner = "dnsmasq";
+ };
+
+ nix = {
+ settings = {
+ auto-optimise-store = true;
+ experimental-features = ["nix-command" "flakes"];
+ };
+ };
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking = {
+ hostName = "dnsmasq-cache"; # Define your hostname.
+ useDHCP = false;
+
+ interfaces.enp6s18.ipv4.addresses = [ {
+ address = "192.168.50.87";
+ prefixLength = 24;
+ } ];
+ nameservers = [ "1.1.1.1" "1.0.0.1" ];
+ firewall = {
+ enable = true;
+ allowedUDPPorts = [53];
+ allowedTCPPorts = [22 53 9153];
+ trustedInterfaces = ["enp6s18" "tailscale0"];
+ checkReversePath = "loose";
+ allowedUDPPortRanges = [
+ {
+ from = 3000;
+ to = 22000;
+ }
+ ];
+ };
+ defaultGateway = "192.168.50.1";
+ defaultGateway6 = "2a02:1648:6709::1";
+ nftables.enable = true;
+ };
+
+ services = {
+ openssh.enable = true;
+ tailscale.enable = true;
+ dnsmasq = {
+ enable = true;
+ settings = {
+ interface = "tailscale0";
+ cache-size = "4000";
+ no-resolv = true;
+ bogus-priv = true;
+ strict-order = true;
+ server = ["2a07:a8c1::" "45.90.30.0" "2a07:a8c0::" "45.90.28.0" ];
+ conf-file = "${config.age.secrets.dnsmasq-nextdns-profile.path}";
+ };
+ };
+ };
+
+ environment = {
+ systemPackages = with pkgs; [
+ tailscale
+ ];
+ };
+
+ virtualisation.oci-containers.containers = {
+ dnsmasq_exporter = {
+ image = "git.gmem.ca/arch/dnsmasq_exporter";
+ extraOptions = ["--network=host"];
+ };
+ };
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+}
diff --git a/nix/dnsmasq/disk-config.nix b/nix/dnsmasq/disk-config.nix
new file mode 100644
index 0000000..549a3dd
--- /dev/null
+++ b/nix/dnsmasq/disk-config.nix
@@ -0,0 +1,32 @@
+{
+ disko.devices = {
+ disk = {
+ my-disk = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "500M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nix/dnsmasq/hardware-configuration.nix b/nix/dnsmasq/hardware-configuration.nix
new file mode 100644
index 0000000..8f48f9f
--- /dev/null
+++ b/nix/dnsmasq/hardware-configuration.nix
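Review bot: `hostName = "dnsmasq-cache"` is the same value nix/dnsmasq-floof/configuration.nix sets, so the two machines share one hostname; both also enable tailscale, which will most likely have to disambiguate one of them, and naming them after their flake attributes (`hostName = "dnsmasq";` / `hostName = "dnsmasq-floof";`) avoids that. `defaultGateway6 = "2a02:1648:6709::1"` is set while `interfaces.enp6s18` only gets an `ipv4.addresses` entry and `useDHCP = false`, so unless the interface still acquires a global IPv6 address from router advertisements, installing that default route may fail on activation; either add a matching `interfaces.enp6s18.ipv6.addresses` entry or drop the gateway. `nameservers = [ "1.1.1.1" "1.0.0.1" ]` sends the host's own lookups past the local dnsmasq and the NextDNS profile it forwards to, which is a reasonable bootstrapping choice but deserves a one-line comment such as `# host resolver intentionally bypasses the local dnsmasq`.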
@@ -0,0 +1,29 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ''${builtins.fetchTarball { + url = "https://github.com/nix-community/disko/archive/master.tar.gz"; + sha256 = "0qyl65hs2j4f5ffj2lv5kb4hc1gradkqvv2j35hbdyiik155l4gn"; + }}/module.nix'' + ./disk-config.nix + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/secrets/dnsmasq-nextdns-profile.age b/secrets/dnsmasq-nextdns-profile.age new file mode 100644 index 0000000..becab2f --- /dev/null +++ b/secrets/dnsmasq-nextdns-profile.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 o0sdgw 9I44ptc/Dwhk2EcjCtJhl3kSu69BXMRCPHZAdt9kJgE +t8gc+3qVIkEuyNSWE3S3vEhV+q7uSMe/qIJccV6ln54 +-> ssh-ed25519 C7Rp1Q G0PsVpG+bRptzUhAxYNkerKqhYRgnYatX2S4vEj0F2M +sivnnSL3QRKXPubK6Bk1ASdriuOx7uwoA89iWjsazi8 +-> ssh-ed25519 qbziOw sZzOsi5z1YTAHY809dsew0rLRuSxLQLLbwF+zTXHLjo +j0uANQ6MrUdwCI+Qf9dimMnZheP2zUNsGzHGgrD4oO4 +--- QJmFdG6wwF307+25uBp0E9aSGjH0eAmNEYI/RfZ5c7k +ԧƾw57Tڼ!>Zp]