magic_rb/dotfiles
1
0
Fork 0
mirror of https://git.sr.ht/~magic_rb/dotfiles synced 2024-11-22 08:04:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add DNS resolver to hela

Browse source 
Signed-off-by: magic_rb <magic_rb@redalder.org>
This commit is contained in:
magic_rb 2024-11-10 15:25:21 +01:00
parent 2c48118b30
commit d5045f7056
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
5 changed files with 105 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
nixos/systems/hela/default.nix
View file

@ -47,6 +47,7 @@ in {
../../common/nixpkgs.nix
./users.nix
./networking.nix
./dns.nix
(_: let
mkMtuOption = mtu:
lib.mkOption {

80
nixos/systems/hela/dns.nix Normal file
View file

@ -0,0 +1,80 @@
{
lib,
config,
...
}: let
in {
services.bind = {
enable = true;
forward = "only";
forwarders = [
"1.1.1.1 port 53"
"1.1.0.0 port 53"
];
directory = "/var/lib/bind";
cacheNetworks = [
"10.1.0.0/19"
"192.168.1.0/24"
];
extraConfig = ''
logging {
channel stderr_chan {
print-category yes;
print-severity yes;
severity dynamic;
stderr;
};
${lib.concatMapStringsSep "\n" (category: "category ${category} { stderr_chan; };")
[
"client"
"cname"
"config"
"database"
"default"
"dispatch"
"dnssec"
"dnstap"
"edns-disabled"
"general"
"lame-servers"
"network"
"notify"
"nsid"
"queries"
"query-errors"
"rate-limit"
"resolver"
"rpz"
"rpz-passthru"
"security"
"serve-stale"
"spill"
"sslkeylog"
"trust-anchor-telemetry"
"unmatched"
"update"
"update-security"
"xfer-in"
"xfer-out"
"zoneload"
]}
};
'';
extraOptions = ''
dnssec-validation auto;
max-cache-size 512M;
max-ncache-ttl 1M;
allow-query-cache { cachenetworks; };
'';
};
systemd.services.bind.serviceConfig = {
StandardError = "journal";
};
}

15
nixos/systems/hela/networking.nix
View file

@ -119,6 +119,16 @@
# ---
ruleset {
filter = add table {family = f: f.inet;} {
allowed_ports =
add set {
type = f: [f.inet_proto f.ipv4_addr f.inet_service];
flags = f: [f.interval];
} [
(concat ["tcp" "10.1.0.1" 22])
(concat ["udp" "10.1.0.1" 53])
(concat ["tcp" "10.1.0.1" 53])
];
postrouting = add chain {
type = f: f.nat;
hook = f: f.postrouting;
@ -151,8 +161,7 @@
})
]
[
(is.eq ip.daddr "10.1.0.1")
(is.eq th.dport 22)
(is.eq (concat [ip.protocol ip.daddr th.dport]) "@allowed_ports")
accept
]
[
@ -233,7 +242,7 @@
code = 6;
space = "dhcp4";
csv-format = true;
data = "8.8.8.8, 8.8.4.4";
data = "10.1.0.1";
}
{
name = "routers";

9
nixos/systems/hela/networking/border.nix
View file

@ -89,6 +89,8 @@
[(concat ["udp" "86.80.70.193" 500]) (concat ["10.0.0.2" 500])]
[(concat ["udp" "86.80.70.193" 501]) (concat ["10.0.0.2" 501])]
[(concat ["tcp" "192.168.1.1" 22]) (concat ["10.0.0.2" 22])]
[(concat ["tcp" "192.168.1.1" 53]) (concat ["10.0.0.2" 53])]
[(concat ["udp" "192.168.1.1" 53]) (concat ["10.0.0.2" 53])]
];
local_nets4 =
@ -233,6 +235,13 @@
prio = -100;
policy = f: f.accept;
}
[
(is.eq meta.iifname "ppp-slan")
(is.eq th.dport 53)
(dnat.ip {
addr = "10.0.0.2";
})
]
[
(dnat.ip {
addr.map = {

12
nixos/systems/hela/networking/hel.nix
View file

@ -184,7 +184,9 @@
[(concat ["udp" "10.0.0.2" 6666]) (concat ["10.1.31.1" 6666])]
[(concat ["udp" "10.0.0.2" 500]) (concat ["10.1.31.1" 6666])]
[(concat ["udp" "10.0.0.2" 501]) (concat ["10.1.31.2" 6666])]
[(concat ["udp" "10.0.0.2" 22]) (concat ["10.1.0.1" 22])]
[(concat ["tcp" "10.0.0.2" 22]) (concat ["10.1.0.1" 22])]
[(concat ["tcp" "10.0.0.2" 53]) (concat ["10.1.0.1" 53])]
[(concat ["udp" "10.0.0.2" 53]) (concat ["10.1.0.1" 53])]
];
prerouting =
@ -201,14 +203,6 @@
data = "@port_dnat";
};
})
]
[
(is.eq ip.daddr "10.0.0.2")
(is.eq tcp.dport "22")
(dnat {
addr = "10.1.0.1";
port = "22";
})
];
postrouting =