{ config, lib, pkgs, ... }: with lib; let primary-ip = "10.0.0.1"; dns-proxy-port = 5335; host-packages = with pkgs; [ nixops ]; site-name = config.fudo.hosts.${config.instance.hostname}.site; site = config.fudo.site.${site-name}; in { system = { # # DO force all DNS traffic to use the local server # activationScripts.force-local-dns = let # wifi-ip = # config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address; # in '' # ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53 # ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53 # ''; }; environment.systemPackages = host-packages; fudo.local-network = let host-config = config.fudo.hosts.${config.instance.hostname}; site-name = host-config.site; site = config.fudo.sites.${site-name}; domain-name = host-config.domain; domain = config.fudo.domains.${domain-name}; in { enable = true; # NOTE: requests go: # - local bind instance # - pi-hole # - DoH resolver domain = domain-name; dns-servers = [ primary-ip ]; gateway = primary-ip; dhcp-interfaces = [ "intif0" ]; dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; recursive-resolver = "${primary-ip} port 5353"; network = site.network; dhcp-dynamic-network = site.dynamic-network; search-domains = [ "selby.ca" ]; enable-reverse-mappings = true; network-definition = config.fudo.networks."rus.selby.ca"; }; fudo.hosts.clunk.external-interfaces = [ "enp1s0" ]; networking = { interfaces = { enp1s0.useDHCP = true; enp2s0.useDHCP = false; enp3s0.useDHCP = false; enp4s0.useDHCP = false; intif0 = { useDHCP = false; ipv4.addresses = [{ address = primary-ip; prefixLength = 16; }]; }; }; nat = { enable = true; externalInterface = "enp1s0"; internalInterfaces = [ "intif0" ]; forwardPorts = [{ destination = "127.0.0.1:53"; sourcePort = 53; proto = "udp"; }]; }; }; fudo = { garbage-collector = { enable = true; timing = "weekly"; }; auth.kdc = { enable = true; realm = "RUS.SELBY.CA"; bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ]; acl = { "niten" = { perms = [ "add" "change-password" "list" ]; }; "*/root" = { perms = [ "all" ]; }; }; }; secure-dns-proxy = { enable = true; listen-port = dns-proxy-port; upstream-dns = [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ]; bootstrap-dns = "1.1.1.1"; allowed-networks = [ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ]; listen-ips = [ primary-ip ]; }; }; virtualisation = { docker = { enable = true; autoPrune.enable = true; enableOnBoot = true; }; oci-containers = { backend = "docker"; containers = { pihole = { image = "pihole/pihole:v5.7"; autoStart = true; ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ]; environment = { # ServerIP = primary-ip; VIRTUAL_HOST = "dns-hole.rus.selby.ca"; DNS1 = "${primary-ip}#${toString dns-proxy-port}"; }; volumes = [ "/srv/pihole/etc-pihole/:/etc/pihole/" "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" ]; }; }; }; }; services.nginx = { enable = true; recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; virtualHosts = { "dns-hole.rus.selby.ca" = { serverAliases = [ "pihole.rus.selby.ca" "hole.rus.selby.ca" "pihole" "dns-hole" "hole" ]; locations."/" = { proxyPass = "http://127.0.0.1:3080"; }; }; }; }; }