dual dhcp/dns

This commit is contained in:
Chris Dombroski 2024-12-29 18:59:34 -05:00
parent dbbfe0fb28
commit e6234e3b43
4 changed files with 101 additions and 43 deletions


@ -13,7 +13,9 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
"${modulesPath}/installer/scan/not-detected.nix" "${modulesPath}/installer/scan/not-detected.nix"
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
ezModules.dhcp
ezModules.networkd-base ezModules.networkd-base
ezModules.unbound
]; ];
boot = { boot = {
@ -61,17 +63,10 @@
]; ];
}; };
}; };
mainInterface = "40-end0";
networking = { networking = {
hostName = "orangepihole"; # Define your hostname. hostName = "orangepihole"; # Define your hostname.
firewall = {
allowedUDPPorts = [
53
67
68
];
allowedTCPPorts = [ 53 ];
};
useDHCP = lib.mkDefault true; useDHCP = lib.mkDefault true;
}; };
systemd.network.networks."40-end0" = { systemd.network.networks."40-end0" = {
@ -86,30 +81,15 @@
]; ];
domains = [ "icanttype.org" ]; domains = [ "icanttype.org" ];
gateway = [ "10.42.69.1" ]; gateway = [ "10.42.69.1" ];
networkConfig.DHCPServer = true;
dhcpServerConfig = { dhcpServerConfig = {
PoolOffset = 150; PoolOffset = 150;
EmitDNS = true;
DNS = "10.42.69.2";
EmitRouter = true;
Router = "10.42.69.1";
SendOption = [
"15:string:icanttype.org"
"119:string:icanttype.org"
];
}; };
networkConfig.IPv6SendRA = true;
ipv6SendRAConfig = {
RouterLifetimeSec = 0;
EmitDNS = false;
};
ipv6Prefixes = [ { Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
}; };
zramSwap.enable = true; zramSwap.enable = true;
swapDevices = [ swapDevices = [
{ {
device = "/persist/swapfile"; device = "/persist/swapfile";
size = 1024; size = 4096;
} }
]; ];
services = { services = {
@ -135,25 +115,6 @@
journald.storage = "volatile"; journald.storage = "volatile";
}; };
systemd = {
services.adblock = {
startAt = "daily";
postStop = "systemctl try-reload-or-restart unbound";
path = [
pkgs.gawk
pkgs.wget
];
script = ''
wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf > /tmp/new.conf
echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf
echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf
echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf
awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf
rm /tmp/new.conf
'';
};
};
environment = { environment = {
systemPackages = [ systemPackages = [
pkgs.vim pkgs.vim
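Review bot: `PoolOffset = 150;` in the `dhcpServerConfig` hunk is now the only per-host DHCP value left in this file while the pool size comes from the shared dhcp module, so nothing here records why 150 was chosen or how it relates to the other server; a short comment would keep the two ranges from drifting, e.g. `PoolOffset = 150; # this host leases from .150 (PoolSize = 50 in the dhcp module); zeus starts at .100`. The same applies to the `PoolOffset = 100;` added in the zeus section below. The swapfile size change from 1024 to 4096 in the same hunk is unrelated to the dual DHCP/DNS work named in the commit title and would be easier to audit as its own commit.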


@ -19,6 +19,7 @@ in
inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
inputs.nixos-hardware.nixosModules.common-pc inputs.nixos-hardware.nixosModules.common-pc
ezModules.aarch64-emu ezModules.aarch64-emu
ezModules.dhcp
ezModules.networkd-base ezModules.networkd-base
ezModules.smartd ezModules.smartd
ezModules.plymouth ezModules.plymouth
@ -41,6 +42,7 @@ in
ezModules.docker-static-web ezModules.docker-static-web
ezModules.docker-swag ezModules.docker-swag
ezModules.docker-zwave ezModules.docker-zwave
ezModules.unbound
]; ];
boot = { boot = {
@ -133,6 +135,7 @@ in
{ device = "/dev/disk/by-uuid/aecf6400-9c9f-43f9-8c57-08f3c8a633e7"; } { device = "/dev/disk/by-uuid/aecf6400-9c9f-43f9-8c57-08f3c8a633e7"; }
{ device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; } { device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; }
]; ];
mainInterface = "lan-shim";
networking = { networking = {
hostName = "zeus"; # Define your hostname. hostName = "zeus"; # Define your hostname.
hostId = "9e95b576"; hostId = "9e95b576";
@ -182,6 +185,9 @@ in
dns = [ "10.42.69.2" ]; dns = [ "10.42.69.2" ];
domains = [ "icanttype.org" ]; domains = [ "icanttype.org" ];
gateway = [ "10.42.69.1" ]; gateway = [ "10.42.69.1" ];
dhcpServerConfig = {
PoolOffset = 100;
};
}; };
}; };

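--- /dev/null
+++ b/nixos-modules/dhcp.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+{
+options = {
+mainInterface = lib.mkOption {
+type = lib.types.str;
+};
+};
+config = {
+networking.firewall.allowedUDPPorts = [
+67
+68
+];
+systemd.network.networks.${config.mainInterface} = {
+networkConfig = {
+DHCPServer = true;
+IPv6SendRA = true;
+};
+dhcpServerConfig = {
+EmitDNS = true;
+PoolSize = 50;
+DNS = [
+"10.42.69.2"
+"10.42.69.100"
+];
+EmitRouter = true;
+Router = "10.42.69.1";
+SendOption = [
+"15:string:icanttype.org"
+"119:string:icanttype.org"
+];
+};
+ipv6SendRAConfig = {
+RouterLifetimeSec = 0;
+EmitDNS = false;
+};
+ipv6Prefixes = [ { Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
+};
+};
+}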
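Review bot: The `mainInterface` option declared with `lib.mkOption` has no `description`, and it sits at the root of the option tree rather than under a module-specific attribute set, so it reads like a NixOS built-in and can collide with one; add `description = "Interface on which this host runs the DHCP server and sends IPv6 router advertisements.";` and consider nesting the option under a namespace of this module's own. The rule `networking.firewall.allowedUDPPorts = [ 67 68 ];` opens the DHCP ports on every interface although the server is only configured on `${config.mainInterface}`; scoping it as `networking.firewall.interfaces.${config.mainInterface}.allowedUDPPorts = [ 67 68 ];` limits exposure to the served segment, which matters on zeus where the docker modules listed in its section presumably add further interfaces. `PoolSize = 50` is fixed here while `PoolOffset` is set per host, so a one-line comment stating that each host's offset must leave 50 addresses clear of the other server's pool would help the next editor.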

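--- /dev/null
+++ b/nixos-modules/unbound.nix
@@ -0,0 +1,52 @@
+{ pkgs, ... }:
+{
+systemd = {
+services.adblock = {
+startAt = "daily";
+postStop = "systemctl try-reload-or-restart unbound";
+path = [
+pkgs.gawk
+pkgs.wget
+];
+script = ''
+wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf > /tmp/new.conf
+echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf
+echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf
+echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf
+awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf
+rm /tmp/new.conf
+'';
+};
+};
+networking = {
+firewall = {
+allowedUDPPorts = [
+53
+];
+allowedTCPPorts = [ 53 ];
+};
+};
+services = {
+unbound = {
+enable = true;
+localControlSocketPath = "/var/lib/unbound/control.sock";
+settings = {
+server = {
+do-ip6 = "no";
+qname-minimisation = "yes";
+# interface = [ "end0" ];
+access-control = [
+"10.0.0.0/8 allow"
+"fc::/7 allow"
+];
+};
+include = [
+"/etc/unbound/ads.conf"
+"${../configs/unbound-local.conf}"
+];
+};
+};
+};
+}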
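Review bot: The adblock `script` writes `/etc/unbound/ads.conf` with a plain redirect from `awk`, and `postStop` reloads unbound whether or not the script succeeded, so a run that fails mid-write (disk full, awk interrupted) can leave a truncated list that unbound then loads; write to a sibling file and rename, `awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf.new` followed by `mv /etc/unbound/ads.conf.new /etc/unbound/ads.conf`, so the live file is always complete and a failed run simply reloads the previous one. The scratch path `/tmp/new.conf` is fixed and the unit runs as root; `serviceConfig.PrivateTmp = true;` gives it a private /tmp without touching the script. The commented-out `# interface = [ "end0" ];` under `server` should either be deleted or carry a note on where the listen address is set now, because if unbound keeps its default loopback listen address the opened port 53 and the DNS addresses handed out by the dhcp module would not be reachable (inferred; the per-host unbound settings are not in this diff).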