diff --git a/nixos/common/default.nix b/nixos/common/default.nix
index c0d6cc0..ac227dd 100644
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@@ -5,7 +5,7 @@
 inputs.vault-secrets.nixosModules.vault-secrets
 # User account definitions
 ./users
- ./services
+ ./modules
 ];
 
 # Clean /tmp on boot.
diff --git a/nixos/common/modules/default.nix b/nixos/common/modules/default.nix
new file mode 100644
index 0000000..386191b
--- /dev/null
+++ b/nixos/common/modules/default.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ imports = [
+ ./dns.nix
+ ./flood.nix
+ ./unpackerr.nix
+ ./vmagent.nix
+ ];
+}
diff --git a/nixos/common/modules/dns.nix b/nixos/common/modules/dns.nix
new file mode 100644
index 0000000..f5bd52c
--- /dev/null
+++ b/nixos/common/modules/dns.nix
@@ -0,0 +1,95 @@
+{ config, pkgs, lib, hosts, flat_hosts, ... }:
+# DNS Module to set up Unbound DNS with all my hosts in the config
+# Used for DNS Servers and my laptop
+with lib;
+let
+ inherit (builtins) filter hasAttr attrNames;
+ domains = attrNames hosts;
+ ipv4Host = filter (hasAttr "ip") flat_hosts;
+ ipv6Hosts = filter (hasAttr "ip6") flat_hosts;
+
+ localData = { hostname, realm, ip, ... }: ''"${hostname}.${realm}. A ${ip}"'';
+ local6Data = { hostname, realm, ip6, ... }: ''"${hostname}.${realm}. AAAA ${ip6}"'';
+ ptrData = { hostname, realm, ip, ... }: ''"${ip} ${hostname}.${realm}"'';
+ ptr6Data = { hostname, realm, ip6, ... }: ''"${ip6} ${hostname}.${realm}"'';
+
+ cfg = config.services.v.dns;
+in
+{
+ options.services.v.dns = {
+ enable = mkEnableOption "v.dns";
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open port 53 in the firwall for unbound dns
+ '';
+ };
+
+ mode = mkOption {
+ type = types.strMatching "^(server|laptop)$";
+ default = "laptop";
+ description = ''
+ Whether to configure the DNS in server mode (listen on all interfaces) or laptop mode (just on localhost)
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall = mkIf (cfg.openFirewall) {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+ services.unbound = {
+ enable = true;
+ package = pkgs.v.unbound;
+ settings = {
+ server = mkMerge [
+ {
+ use-syslog = "yes";
+ module-config = ''"validator iterator"'';
+
+ local-zone = map (localdomain: ''"${localdomain}}." transparent'') domains;
+ local-data = (map localData ipv4Host) ++ (map local6Data ipv6Hosts);
+ local-data-ptr = (map ptrData ipv4Host) ++ (map ptr6Data ipv6Hosts);
+
+ private-address = [
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "::ffff:a00:0/104"
+ "172.16.0.0/12"
+ "::ffff:ac10:0/108"
+ "169.254.0.0/16"
+ "::ffff:a9fe:0/112"
+ "192.168.0.0/16"
+ "::ffff:c0a8:0/112"
+ "fd00::/8"
+ "fe80::/10"
+ ];
+ }
+ (mkIf (cfg.mode == "server") {
+ interface-automatic = "yes";
+ interface = [ "0.0.0.0" "::0" ];
+ access-control = [
+ "127.0.0.1/32 allow_snoop"
+ "::1 allow_snoop"
+ "10.42.0.0/16 allow"
+ "127.0.0.0/8 allow"
+ "192.168.0.0/23 allow"
+ "192.168.2.0/24 allow"
+ "::1/128 allow"
+ ];
+ })
+ (mkIf (cfg.mode == "laptop") {
+ interface = [ "127.0.0.1" "::1" ];
+ access-control = [
+ "127.0.0.1/32 allow_snoop"
+ "::1 allow_snoop"
+ ];
+ })
+ ];
+ };
+ };
+ };
+}
diff --git a/nixos/common/services/flood.nix b/nixos/common/modules/flood.nix
similarity index 100%
rename from nixos/common/services/flood.nix
rename to nixos/common/modules/flood.nix
diff --git a/nixos/common/services/unpackerr.nix b/nixos/common/modules/unpackerr.nix
similarity index 100%
rename from nixos/common/services/unpackerr.nix
rename to nixos/common/modules/unpackerr.nix
diff --git a/nixos/common/services/vmagent.nix b/nixos/common/modules/vmagent.nix
similarity index 100%
rename from nixos/common/services/vmagent.nix
rename to nixos/common/modules/vmagent.nix
diff --git a/nixos/common/services/default.nix b/nixos/common/services/default.nix
deleted file mode 100644
index 192c835..0000000
--- a/nixos/common/services/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ config, lib, pkgs, ... }: { imports = [ ./flood.nix ./unpackerr.nix ./vmagent.nix ]; }
diff --git a/nixos/hosts/olympus/wireguard/configuration.nix b/nixos/hosts/olympus/wireguard/configuration.nix
index 355ad5e..9666067 100644
--- a/nixos/hosts/olympus/wireguard/configuration.nix
+++ b/nixos/hosts/olympus/wireguard/configuration.nix
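Review bot: The `local-zone` line at the top of the shared server block carries a stray closing brace after the interpolation: `''"${localdomain}}." transparent''` evaluates to `"<domain>}." transparent`, so the zone name handed to unbound ends in `}.` and the intended domain never receives the explicit transparent declaration; the line should read `local-zone = map (localdomain: ''"${localdomain}." transparent'') domains;`. The `mode` option would be clearer as `type = types.enum [ "server" "laptop" ];` rather than `types.strMatching "^(server|laptop)$"`, which also gives a readable evaluation error on a typo and documents the accepted values in the generated option docs. The `openFirewall` description misspells `firwall`. `ipv4Host` is singular while its sibling `ipv6Hosts` is plural; naming both alike makes the `local-data` and `local-data-ptr` lines easier to scan.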
@@ -73,6 +73,7 @@ let vs = config.vault-secrets.secrets; in
 publicKey = "KgqLhmUMX6kyTjRoa/GOCrZOvXNE5HWYuOr/T3v8/VI=";
 allowedIPs = [ "10.100.0.5/32" "192.168.0.0/23" "10.10.10.0/24" ];
 endpoint = "80.60.83.220:51820";
+ persistentKeepalive = 25;
 }
 ];
 };
diff --git a/nixos/hosts/thalassa/null/networking.nix b/nixos/hosts/thalassa/null/networking.nix
index 7a584a7..a5d1524 100644
--- a/nixos/hosts/thalassa/null/networking.nix
+++ b/nixos/hosts/thalassa/null/networking.nix
@@ -1,7 +1,12 @@
-{ ... }@a:
+{ ... }:
 {
+ services.v.dns = {
+ enable = true;
+ openFirewall = false;
+ mode = "laptop";
+ };
 networking = {
- networkmanager.enable = false;
+ useDHCP = true;
 wireless = {
 enable = true;
 environmentFile = "/var/lib/secrets/wireless.env";
@@ -29,10 +34,7 @@
 
 # TODO: Set up DNS on my laptop to prevent slow networking when servers are down
 nameservers = [
- "10.42.42.15"
- "10.42.42.16"
- "192.168.0.1"
- "1.1.1.1"
+ "127.0.0.1"
 ];
 
 firewall.allowedUDPPorts = [ 51820 ];
@@ -48,7 +50,7 @@
 # Delft
 publicKey = "kDIO3BJSYlDwRXc2zt9tR1LqKJzIPrulaRmdiYkg+m0=";
 allowedIPs = [ "10.100.0.1" "10.42.42.0/23" ];
- endpoint = "0x76.dev:51820";
+ endpoint = "195.85.167.34:51820";
 persistentKeepalive = 25;
 }
 {
@@ -60,7 +62,7 @@
 "192.168.1.0/24"
 "10.10.10.0/24"
 ];
- endpoint = "xirion.net:51820";
+ endpoint = "80.60.83.220:51820";
 persistentKeepalive = 25;
 }
 ];
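Review bot: In the `@@ -29,10 +34,7 @@` hunk of networking.nix the context comment `# TODO: Set up DNS on my laptop to prevent slow networking when servers are down` is now stale, since the same hunk points `nameservers` at the local unbound instance that the first hunk enables via `services.v.dns`; replace it with something like `# Resolved by the local unbound instance (services.v.dns, mode = "laptop")`. With `127.0.0.1` as the only nameserver, name resolution on this host now depends entirely on unbound starting, which appears intentional given that the two WireGuard `endpoint` values in the later hunks were switched from hostnames to literal IPs so the tunnels no longer need DNS to come up; a one-line comment on the `nameservers` list stating that trade-off would help the next reader. The `useDHCP = true` line on the new side may also cause DHCP-supplied resolvers to be written alongside `127.0.0.1`, depending on the resolvconf configuration outside this hunk — worth confirming that the local resolver is the one actually consulted. The literal `80.60.83.220:51820` is now duplicated between this file and olympus/wireguard/configuration.nix in the same commit; hoisting it into the shared `hosts` data would prevent the two copies drifting.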