163 lines
4.0 KiB
Nix
163 lines
4.0 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
let
|
|
primary-ip = "10.0.0.1";
|
|
|
|
dns-proxy-port = 5335;
|
|
|
|
host-packages = with pkgs; [ nixops ];
|
|
|
|
site-name = config.fudo.hosts.${config.instance.hostname}.site;
|
|
site = config.fudo.site.${site-name};
|
|
|
|
in {
|
|
system = {
|
|
# # DO force all DNS traffic to use the local server
|
|
# activationScripts.force-local-dns = let
|
|
# wifi-ip =
|
|
# config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address;
|
|
# in ''
|
|
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
|
|
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
|
|
# '';
|
|
};
|
|
|
|
environment.systemPackages = host-packages;
|
|
|
|
fudo.local-network = let
|
|
host-config = config.fudo.hosts.${config.instance.hostname};
|
|
site-name = host-config.site;
|
|
site = config.fudo.sites.${site-name};
|
|
domain-name = host-config.domain;
|
|
domain = config.fudo.domains.${domain-name};
|
|
|
|
in {
|
|
enable = true;
|
|
# NOTE: requests go:
|
|
# - local bind instance
|
|
# - pi-hole
|
|
# - DoH resolver
|
|
domain = domain-name;
|
|
dns-servers = [ primary-ip ];
|
|
gateway = primary-ip;
|
|
dhcp-interfaces = [ "intif0" ];
|
|
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
|
|
recursive-resolver = "${primary-ip} port 5353";
|
|
network = site.network;
|
|
dhcp-dynamic-network = site.dynamic-network;
|
|
search-domains = [ "selby.ca" ];
|
|
enable-reverse-mappings = true;
|
|
network-definition = config.fudo.networks."rus.selby.ca";
|
|
};
|
|
|
|
fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];
|
|
|
|
networking = {
|
|
interfaces = {
|
|
enp1s0.useDHCP = true;
|
|
|
|
enp2s0.useDHCP = false;
|
|
enp3s0.useDHCP = false;
|
|
enp4s0.useDHCP = false;
|
|
|
|
intif0 = {
|
|
useDHCP = false;
|
|
ipv4.addresses = [{
|
|
address = primary-ip;
|
|
prefixLength = 22;
|
|
}];
|
|
};
|
|
};
|
|
|
|
nat = {
|
|
enable = true;
|
|
externalInterface = "enp1s0";
|
|
internalInterfaces = [ "intif0" ];
|
|
forwardPorts = [{
|
|
destination = "127.0.0.1:53";
|
|
sourcePort = 53;
|
|
proto = "udp";
|
|
}];
|
|
};
|
|
};
|
|
|
|
fudo = {
|
|
garbage-collector = {
|
|
enable = true;
|
|
timing = "weekly";
|
|
};
|
|
|
|
auth.kdc = {
|
|
enable = true;
|
|
realm = "RUS.SELBY.CA";
|
|
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];
|
|
acl = {
|
|
"niten" = { perms = [ "add" "change-password" "list" ]; };
|
|
"*/root" = { perms = [ "all" ]; };
|
|
};
|
|
};
|
|
|
|
secure-dns-proxy = {
|
|
enable = true;
|
|
listen-port = dns-proxy-port;
|
|
upstream-dns =
|
|
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
|
|
bootstrap-dns = "1.1.1.1";
|
|
allowed-networks =
|
|
[ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ];
|
|
listen-ips = [ primary-ip ];
|
|
};
|
|
};
|
|
|
|
virtualisation = {
|
|
docker = {
|
|
enable = true;
|
|
autoPrune.enable = true;
|
|
enableOnBoot = true;
|
|
};
|
|
|
|
oci-containers = {
|
|
backend = "docker";
|
|
containers = {
|
|
pihole = {
|
|
image = "pihole/pihole:v5.7";
|
|
autoStart = true;
|
|
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
|
|
environment = {
|
|
# ServerIP = primary-ip;
|
|
VIRTUAL_HOST = "dns-hole.rus.selby.ca";
|
|
DNS1 = "${primary-ip}#${toString dns-proxy-port}";
|
|
};
|
|
volumes = [
|
|
"/srv/pihole/etc-pihole/:/etc/pihole/"
|
|
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
|
|
virtualHosts = {
|
|
"dns-hole.rus.selby.ca" = {
|
|
serverAliases = [
|
|
"pihole.rus.selby.ca"
|
|
"hole.rus.selby.ca"
|
|
"pihole"
|
|
"dns-hole"
|
|
"hole"
|
|
];
|
|
|
|
locations."/" = { proxyPass = "http://127.0.0.1:3080"; };
|
|
};
|
|
};
|
|
};
|
|
}
|