dual dhcp/dns

2024-12-29 18:59:34 -05:00 · 2024-12-29 18:59:34 -05:00 · e6234e3b43
commit e6234e3b43
parent dbbfe0fb28
4 changed files with 101 additions and 43 deletions
--- a/nixos-configurations/orangepihole.nix
+++ b/nixos-configurations/orangepihole.nix
@ -13,7 +13,9 @@
    # Include the results of the hardware scan.
    "${modulesPath}/installer/scan/not-detected.nix"
    inputs.impermanence.nixosModules.impermanence
+    ezModules.dhcp
    ezModules.networkd-base
+    ezModules.unbound
  ];

  boot = {
@ -61,17 +63,10 @@
      ];
    };
  };
+  mainInterface = "40-end0";

  networking = {
    hostName = "orangepihole"; # Define your hostname.
-    firewall = {
-      allowedUDPPorts = [
-        53
-        67
-        68
-      ];
-      allowedTCPPorts = [ 53 ];
-    };
    useDHCP = lib.mkDefault true;
  };
  systemd.network.networks."40-end0" = {
@ -86,30 +81,15 @@
    ];
    domains = [ "icanttype.org" ];
    gateway = [ "10.42.69.1" ];
-    networkConfig.DHCPServer = true;
    dhcpServerConfig = {
      PoolOffset = 150;
-      EmitDNS = true;
-      DNS = "10.42.69.2";
-      EmitRouter = true;
-      Router = "10.42.69.1";
-      SendOption = [
-        "15:string:icanttype.org"
-        "119:string:icanttype.org"
-      ];
    };
-    networkConfig.IPv6SendRA = true;
-    ipv6SendRAConfig = {
-      RouterLifetimeSec = 0;
-      EmitDNS = false;
-    };
-    ipv6Prefixes = [ { Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
  };
  zramSwap.enable = true;
  swapDevices = [
    {
      device = "/persist/swapfile";
-      size = 1024;
+      size = 4096;
    }
  ];
  services = {
@ -135,25 +115,6 @@
    journald.storage = "volatile";
  };

-  systemd = {
-    services.adblock = {
-      startAt = "daily";
-      postStop = "systemctl try-reload-or-restart unbound";
-      path = [
-        pkgs.gawk
-        pkgs.wget
-      ];
-      script = ''
-        	wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf > /tmp/new.conf
-                echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf
-        	echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf
-        	echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf
-                awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf
-                rm /tmp/new.conf
-      '';
-    };
-  };
-
  environment = {
    systemPackages = [
      pkgs.vim
--- a/nixos-configurations/zeus.nix
+++ b/nixos-configurations/zeus.nix
@ -19,6 +19,7 @@ in
    inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
    inputs.nixos-hardware.nixosModules.common-pc
    ezModules.aarch64-emu
+    ezModules.dhcp
    ezModules.networkd-base
    ezModules.smartd
    ezModules.plymouth
@ -41,6 +42,7 @@ in
    ezModules.docker-static-web
    ezModules.docker-swag
    ezModules.docker-zwave
+    ezModules.unbound
  ];

  boot = {
@ -133,6 +135,7 @@ in
    { device = "/dev/disk/by-uuid/aecf6400-9c9f-43f9-8c57-08f3c8a633e7"; }
    { device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; }
  ];
+  mainInterface = "lan-shim";
  networking = {
    hostName = "zeus"; # Define your hostname.
    hostId = "9e95b576";
@ -182,6 +185,9 @@ in
      dns = [ "10.42.69.2" ];
      domains = [ "icanttype.org" ];
      gateway = [ "10.42.69.1" ];
+      dhcpServerConfig = {
+        PoolOffset = 100;
+      };
    };
  };

--- a/nixos-modules/dhcp.nix
+++ b/nixos-modules/dhcp.nix
@ -0,0 +1,39 @@
+{ config, lib, ... }:
+{
+  options = {
+    mainInterface = lib.mkOption {
+      type = lib.types.str;
+    };
+  };
+  config = {
+    networking.firewall.allowedUDPPorts = [
+      67
+      68
+    ];
+    systemd.network.networks.${config.mainInterface} = {
+      networkConfig = {
+        DHCPServer = true;
+        IPv6SendRA = true;
+      };
+      dhcpServerConfig = {
+        EmitDNS = true;
+        PoolSize = 50;
+        DNS = [
+          "10.42.69.2"
+          "10.42.69.100"
+        ];
+        EmitRouter = true;
+        Router = "10.42.69.1";
+        SendOption = [
+          "15:string:icanttype.org"
+          "119:string:icanttype.org"
+        ];
+      };
+      ipv6SendRAConfig = {
+        RouterLifetimeSec = 0;
+        EmitDNS = false;
+      };
+      ipv6Prefixes = [ { Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
+    };
+  };
+}
--- a/nixos-modules/unbound.nix
+++ b/nixos-modules/unbound.nix
@ -0,0 +1,52 @@
+{ pkgs, ... }:
+{
+  systemd = {
+    services.adblock = {
+      startAt = "daily";
+      postStop = "systemctl try-reload-or-restart unbound";
+      path = [
+        pkgs.gawk
+        pkgs.wget
+      ];
+      script = ''
+        	wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf > /tmp/new.conf
+                echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf
+        	echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf
+        	echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf
+                awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf
+                rm /tmp/new.conf
+      '';
+    };
+  };
+
+  networking = {
+    firewall = {
+      allowedUDPPorts = [
+        53
+      ];
+      allowedTCPPorts = [ 53 ];
+    };
+  };
+
+  services = {
+    unbound = {
+      enable = true;
+      localControlSocketPath = "/var/lib/unbound/control.sock";
+      settings = {
+        server = {
+          do-ip6 = "no";
+          qname-minimisation = "yes";
+          # interface = [ "end0" ];
+          access-control = [
+            "10.0.0.0/8 allow"
+            "fc::/7 allow"
+          ];
+        };
+        include = [
+          "/etc/unbound/ads.conf"
+          "${../configs/unbound-local.conf}"
+        ];
+      };
+    };
+  };
+}