From e6234e3b43441c32caa58d61d0444e295da464cc Mon Sep 17 00:00:00 2001 From: Chris Dombroski Date: Sun, 29 Dec 2024 18:59:34 -0500 Subject: [PATCH] dual dhcp/dns --- nixos-configurations/orangepihole.nix | 47 +++--------------------- nixos-configurations/zeus.nix | 6 ++++ nixos-modules/dhcp.nix | 39 ++++++++++++++++++++ nixos-modules/unbound.nix | 52 +++++++++++++++++++++++++++ 4 files changed, 101 insertions(+), 43 deletions(-) create mode 100644 nixos-modules/dhcp.nix create mode 100644 nixos-modules/unbound.nix diff --git a/nixos-configurations/orangepihole.nix b/nixos-configurations/orangepihole.nix index e298e88..1763e68 100644 --- a/nixos-configurations/orangepihole.nix +++ b/nixos-configurations/orangepihole.nix @@ -13,7 +13,9 @@ # Include the results of the hardware scan. "${modulesPath}/installer/scan/not-detected.nix" inputs.impermanence.nixosModules.impermanence + ezModules.dhcp ezModules.networkd-base + ezModules.unbound ]; boot = { @@ -61,17 +63,10 @@ ]; }; }; + mainInterface = "40-end0"; networking = { hostName = "orangepihole"; # Define your hostname. - firewall = { - allowedUDPPorts = [ - 53 - 67 - 68 - ]; - allowedTCPPorts = [ 53 ]; - }; useDHCP = lib.mkDefault true; }; systemd.network.networks."40-end0" = { @@ -86,30 +81,15 @@ ]; domains = [ "icanttype.org" ]; gateway = [ "10.42.69.1" ]; - networkConfig.DHCPServer = true; dhcpServerConfig = { PoolOffset = 150; - EmitDNS = true; - DNS = "10.42.69.2"; - EmitRouter = true; - Router = "10.42.69.1"; - SendOption = [ - "15:string:icanttype.org" - "119:string:icanttype.org" - ]; }; - networkConfig.IPv6SendRA = true; - ipv6SendRAConfig = { - RouterLifetimeSec = 0; - EmitDNS = false; - }; - ipv6Prefixes = [ { Prefix = "fd72:3dd5:21ae:3c97::/64"; } ]; }; zramSwap.enable = true; swapDevices = [ { device = "/persist/swapfile"; - size = 1024; + size = 4096; } ]; services = { 
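Review bot: `PoolOffset = 150;` is the only DHCP server setting left in this hunk, but it is only meaningful together with `PoolSize = 50;` set in nixos-modules/dhcp.nix and `PoolOffset = 100;` in the zeus.nix hunk; the two lease ranges (presumably .100–.149 and .150–.199 on a /24) stay disjoint only as long as all three values are kept in step, and nothing records that. A comment beside the offset such as `# lease pool .150-.199; zeus uses .100-.149, PoolSize is fixed in dhcp.nix` would make the coupling visible to whoever next changes either host. The `size = 4096;` swap bump in the same hunk is unrelated to the DHCP/DNS split and would be easier to review as its own commit. The enclosing attribute set starts and ends outside the hunk.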
@@ -135,25 +115,6 @@ journald.storage = "volatile"; }; - systemd = { - services.adblock = { - startAt = "daily"; - postStop = "systemctl try-reload-or-restart unbound"; - path = [ - pkgs.gawk - pkgs.wget - ]; - script = '' - wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf > /tmp/new.conf - echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf - echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf - echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf - awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf - rm /tmp/new.conf - ''; - }; - }; - environment = { systemPackages = [ pkgs.vim diff --git a/nixos-configurations/zeus.nix b/nixos-configurations/zeus.nix index a462ffd..6929af8 100644 --- a/nixos-configurations/zeus.nix +++ b/nixos-configurations/zeus.nix @@ -19,6 +19,7 @@ in inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower inputs.nixos-hardware.nixosModules.common-pc ezModules.aarch64-emu + ezModules.dhcp ezModules.networkd-base ezModules.smartd ezModules.plymouth @@ -41,6 +42,7 @@ in ezModules.docker-static-web ezModules.docker-swag ezModules.docker-zwave + ezModules.unbound ]; boot = { @@ -133,6 +135,7 @@ in { device = "/dev/disk/by-uuid/aecf6400-9c9f-43f9-8c57-08f3c8a633e7"; } { device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; } ]; + mainInterface = "lan-shim"; networking = { hostName = "zeus"; # Define your hostname. hostId = "9e95b576"; @@ -182,6 +185,9 @@ in dns = [ "10.42.69.2" ]; domains = [ "icanttype.org" ]; gateway = [ "10.42.69.1" ]; + dhcpServerConfig = { + PoolOffset = 100; + }; }; }; diff --git a/nixos-modules/dhcp.nix b/nixos-modules/dhcp.nix new file mode 100644 index 0000000..8f31230 --- /dev/null +++ b/nixos-modules/dhcp.nix 
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+{
+ options = {
+ mainInterface = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+ config = {
+ networking.firewall.allowedUDPPorts = [
+ 67
+ 68
+ ];
+ systemd.network.networks.${config.mainInterface} = {
+ networkConfig = {
+ DHCPServer = true;
+ IPv6SendRA = true;
+ };
+ dhcpServerConfig = {
+ EmitDNS = true;
+ PoolSize = 50;
+ DNS = [
+ "10.42.69.2"
+ "10.42.69.100"
+ ];
+ EmitRouter = true;
+ Router = "10.42.69.1";
+ SendOption = [
+ "15:string:icanttype.org"
+ "119:string:icanttype.org"
+ ];
+ };
+ ipv6SendRAConfig = {
+ RouterLifetimeSec = 0;
+ EmitDNS = false;
+ };
+ ipv6Prefixes = [ { Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
+ };
+ };
+}
diff --git a/nixos-modules/unbound.nix b/nixos-modules/unbound.nix
new file mode 100644
index 0000000..89bf026
--- /dev/null
+++ b/nixos-modules/unbound.nix
@@ -0,0 +1,52 @@
+{ pkgs, ... }:
+{
+ systemd = {
+ services.adblock = {
+ startAt = "daily";
+ postStop = "systemctl try-reload-or-restart unbound";
+ path = [
+ pkgs.gawk
+ pkgs.wget
+ ];
+ script = ''
+ wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf > /tmp/new.conf
+ echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf
+ echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf
+ echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf
+ awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf
+ rm /tmp/new.conf
+ '';
+ };
+ };
+
+ networking = {
+ firewall = {
+ allowedUDPPorts = [
+ 53
+ ];
+ allowedTCPPorts = [ 53 ];
+ };
+ };
+
+ services = {
+ unbound = {
+ enable = true;
+ localControlSocketPath = "/var/lib/unbound/control.sock";
+ settings = {
+ server = {
+ do-ip6 = "no";
+ qname-minimisation = "yes";
+ # interface = [ "end0" ];
+ access-control = [
+ "10.0.0.0/8 allow"
+ "fc::/7 allow"
+ ];
+ };
+ include = [
+ "/etc/unbound/ads.conf"
+ "${../configs/unbound-local.conf}"
+ ];
+ };
+ };
+ };
+}
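Review bot: `mainInterface = lib.mkOption { type = lib.types.str; };` carries no description, and the values the hosts pass (`"40-end0"`, `"lan-shim"`) are systemd.network unit names rather than kernel interface names, so the option name invites misuse. Adding `description = "Name of the systemd.network.networks unit (not the kernel interface) on which this host serves DHCP and router advertisements.";` would fix that. `networking.firewall.allowedUDPPorts = [ 67 68 ];` opens the DHCP ports on every interface of both hosts; where the kernel interface name is known per host, `networking.firewall.interfaces.<iface>.allowedUDPPorts` would confine the exposure to the LAN side. `PoolSize = 50;` together with each host's `PoolOffset` is what keeps the two servers' lease ranges from overlapping, which deserves a comment on that line since the offsets live in other files.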
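Review bot: The adblock script appears to run as root (no `User` is set) and writes through the fixed path `/tmp/new.conf` in the shared /tmp, so a pre-existing file or symlink at that path could redirect the write; `serviceConfig.PrivateTmp = true;` on the service (or a `mktemp` path) removes that exposure. The downloaded list is copied into `/etc/unbound/ads.conf` with no check that it is valid unbound configuration, and `postStop` reloads unbound whether or not the script succeeded, so a bad or truncated download could take the resolver down at the next reload; validating the staged file (for example with `unbound-checkconf`, adding `pkgs.unbound` to `path`) before moving it into place would guard the include. `access-control` allows all of `10.0.0.0/8` while port 53 is opened on every interface; if the LAN is a single /24, narrowing the allow rule to that subnet limits who can use the recursive resolver.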