commit 2bd81235734f4ca7307fbcd0f4c53af917377b78 · kitten.sh/system

+1 -1

machines/ramune/configuration.nix

···

       25
       25
        
                 cidr = "10.0.0.1/24";

     

       26
       26
        
               };

     

       27
       27
        
             };

     

       28
       28
       -
             dnsmasq.leases = [

     

       28
       28
       +
             leases = [

     

       29
       29
        
               { macAddress = "98:ed:7e:c6:57:b2"; ipAddress = "10.0.0.102"; } # eero router

     

       30
       30
        
               { macAddress = "c4:f1:74:51:4c:f2"; ipAddress = "10.0.0.124"; } # eero router

     

       31
       31
        
               { macAddress = "5c:61:99:7a:16:40"; ipAddress = "10.0.0.103"; } # brother printer

-2

modules/router/default.nix

···

       17
       17
        
         imports = [

     

       18
       18
        
           ./network.nix

     

       19
       19
        
           ./timeserver.nix

     

       20
       20
       -
           ./dnsOverTLS.nix

     

       21
       21
       -
           ./dnsmasq.nix

     

       22
       20
        
           ./nftables.nix

     

       23
       21
        
           ./upnp.nix

     

       24
       22
        
           ./kernel.nix

-47

modules/router/dnsOverTLS.nix

···

       1
       1
       -
       { lib, config, ... }:

     

       2
       2
       -
       

     

       3
       3
       -
       with lib;

     

       4
       4
       -
       let

     

       5
       5
       -
         cfg = config.modules.router;

     

       6
       6
       -
       in {

     

       7
       7
       -
         options.modules.router = {

     

       8
       8
       -
           dnsOverTLS = {

     

       9
       9
       -
             enable = mkOption {

     

       10
       10
       -
               default = cfg.enable;

     

       11
       11
       -
               description = "Whether to enable Stubby DNS proxy";

     

       12
       12
       -
               type = types.bool;

     

       13
       13
       -
             };

     

       14
       14
       -
       

     

       15
       15
       -
             port = mkOption {

     

       16
       16
       -
               default = 53000;

     

       17
       17
       -
               description = "Port for Stubby";

     

       18
       18
       -
               type = types.int;

     

       19
       19
       -
             };

     

       20
       20
       -
           };

     

       21
       21
       -
         };

     

       22
       22
       -
       

     

       23
       23
       -
         config = mkIf cfg.dnsOverTLS.enable {

     

       24
       24
       -
           services.stubby = {

     

       25
       25
       -
             enable = true;

     

       26
       26
       -
             settings = {

     

       27
       27
       -
               resolution_type = "GETDNS_RESOLUTION_STUB";

     

       28
       28
       -
               dns_transport_list = [ "GETDNS_TRANSPORT_TLS" ];

     

       29
       29
       -
               tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";

     

       30
       30
       -
               tls_query_padding_blocksize = 128;

     

       31
       31
       -
               edns_client_subnet_private = 1;

     

       32
       32
       -
               round_robin_upstreams = 1;

     

       33
       33
       -
               tls_connection_retries = 5;

     

       34
       34
       -
               listen_addresses = [

     

       35
       35
       -
                 "127.0.0.1@${toString cfg.dnsOverTLS.port}"

     

       36
       36
       -
                 "0::1@${toString cfg.dnsOverTLS.port}"

     

       37
       37
       -
               ];

     

       38
       38
       -
               appdata_dir = "/var/cache/stubby";

     

       39
       39
       -
               trust_anchors_backoff_time = 2500;

     

       40
       40
       -
               upstream_recursive_servers = [

     

       41
       41
       -
                 { address_data = "1.1.1.1"; tls_auth_name = "cloudflare-dns.com"; }

     

       42
       42
       -
                 { address_data = "1.0.0.1"; tls_auth_name = "cloudflare-dns.com"; }

     

       43
       43
       -
               ];

     

       44
       44
       -
             };

     

       45
       45
       -
           };

     

       46
       46
       -
         };

     

       47
       47
       -
       }

-134

modules/router/dnsmasq.nix

···

       1
       1
       -
       { lib, config, ... } @ inputs:

     

       2
       2
       -
       

     

       3
       3
       -
       with lib;

     

       4
       4
       -
       let

     

       5
       5
       -
         inherit (import ../../lib/ipv4.nix inputs) ipv4;

     

       6
       6
       -
       

     

       7
       7
       -
         cfg = config.modules.router;

     

       8
       8
       -
         intern = cfg.interfaces.internal;

     

       9
       9
       -
         extern = cfg.interfaces.external;

     

       10
       10
       -
       

     

       11
       11
       -
         leaseType = types.submodule {

     

       12
       12
       -
           options = {

     

       13
       13
       -
             macAddress = mkOption {

     

       14
       14
       -
               type = types.str;

     

       15
       15
       -
               example = "00:00:00:00:00:00";

     

       16
       16
       -
             };

     

       17
       17
       -
             ipAddress = mkOption {

     

       18
       18
       -
               type = types.str;

     

       19
       19
       -
               example = "10.0.0.10";

     

       20
       20
       -
             };

     

       21
       21
       -
           };

     

       22
       22
       -
         };

     

       23
       23
       -
       

     

       24
       24
       -
         dnsServer = if cfg.dnsOverTLS.enable

     

       25
       25
       -
           then [ "127.0.0.1#${toString cfg.dnsOverTLS.port}" ]

     

       26
       26
       -
           else [ "1.1.1.1" "1.0.0.1" ];

     

       27
       27
       -
       

     

       28
       28
       -
         dhcpHost = builtins.map (lease: "${lease.macAddress},${lease.ipAddress}") cfg.dnsmasq.leases;

     

       29
       29
       -
       

     

       30
       30
       -
         dhcpIPv4Range = let

     

       31
       31
       -
           subnetMask = ipv4.prettyIp (ipv4.cidrToSubnetMask intern.cidr);

     

       32
       32
       -
           firstIP = ipv4.prettyIp (ipv4.incrementIp (ipv4.cidrToFirstUsableIp intern.cidr) 1);

     

       33
       33
       -
           lastIP = ipv4.prettyIp (ipv4.cidrToLastUsableIp intern.cidr);

     

       34
       34
       -
         in "${firstIP}, ${lastIP}, ${subnetMask}, 12h";

     

       35
       35
       -
       

     

       36
       36
       -
         localDomains = builtins.map (host: "/${host}/${cfg.address}") cfg.dnsmasq.localDomains;

     

       37
       37
       -
       in {

     

       38
       38
       -
         options.modules.router = {

     

       39
       39
       -
           dnsmasq = {

     

       40
       40
       -
             enable = mkOption {

     

       41
       41
       -
               default = cfg.enable;

     

       42
       42
       -
               description = "Whether to enable DNSMasq";

     

       43
       43
       -
               type = types.bool;

     

       44
       44
       -
             };

     

       45
       45
       -
       

     

       46
       46
       -
             leases = mkOption {

     

       47
       47
       -
               default = [];

     

       48
       48
       -
               type = types.listOf leaseType;

     

       49
       49
       -
               description = "List of reserved IP address leases";

     

       50
       50
       -
             };

     

       51
       51
       -
       

     

       52
       52
       -
             localDomains = mkOption {

     

       53
       53
       -
               default = [];

     

       54
       54
       -
               type = types.listOf types.str;

     

       55
       55
       -
             };

     

       56
       56
       -
           };

     

       57
       57
       -
         };

     

       58
       58
       -
       

     

       59
       59
       -
         config = mkIf cfg.dnsmasq.enable {

     

       60
       60
       -
           modules.router.dnsmasq.localDomains = [

     

       61
       61
       -
             "time.apple.com"

     

       62
       62
       -
             "time1.apple.com"

     

       63
       63
       -
             "time2.apple.com"

     

       64
       64
       -
             "time3.apple.com"

     

       65
       65
       -
             "time4.apple.com"

     

       66
       66
       -
             "time5.apple.com"

     

       67
       67
       -
             "time6.apple.com"

     

       68
       68
       -
             "time7.apple.com"

     

       69
       69
       -
             "time.euro.apple.com"

     

       70
       70
       -
             "time.windows.com"

     

       71
       71
       -
             "0.android.pool.ntp.org"

     

       72
       72
       -
             "1.android.pool.ntp.org"

     

       73
       73
       -
             "2.android.pool.ntp.org"

     

       74
       74
       -
             "3.android.pool.ntp.org"

     

       75
       75
       -
           ];

     

       76
       76
       -
       

     

       77
       77
       -
           networking.nameservers = [ "127.0.0.1" ];

     

       78
       78
       -
       

     

       79
       79
       -
           services.resolved.extraConfig = mkDefault ''

     

       80
       80
       -
             [Resolve]

     

       81
       81
       -
             DNSStubListener=no

     

       82
       82
       -
           '';

     

       83
       83
       -
       

     

       84
       84
       -
           services.dnsmasq = {

     

       85
       85
       -
             enable = true;

     

       86
       86
       -
             alwaysKeepRunning = true;

     

       87
       87
       -
             settings = {

     

       88
       88
       -
               server = dnsServer;

     

       89
       89
       -
       

     

       90
       90
       -
               # never forward plain names (without a dot or domain part)

     

       91
       91
       -
               domain-needed = true;

     

       92
       92
       -
               # never forward addresses in the non-routed address spaces.

     

       93
       93
       -
               bogus-priv = true;

     

       94
       94
       -
               # filter useless windows-originated DNS requests

     

       95
       95
       -
               filterwin2k = true;

     

       96
       96
       -
               # never read nameservers from /etc/resolv.conf

     

       97
       97
       -
               no-resolv = true;

     

       98
       98
       -
       

     

       99
       99
       -
               cache-size = 5000;

     

       100
       100
       -
               no-negcache = true;

     

       101
       101
       -
       

     

       102
       102
       -
               expand-hosts = true;

     

       103
       103
       -
               addn-hosts = "/etc/hosts";

     

       104
       104
       -
       

     

       105
       105
       -
               dhcp-host = dhcpHost;

     

       106
       106
       -
       

     

       107
       107
       -
               # listen only on intern0 by excluding extern0

     

       108
       108
       -
               except-interface = extern.name;

     

       109
       109
       -
       

     

       110
       110
       -
               # set the DHCP server to authoritative and rapic commit mode

     

       111
       111
       -
               dhcp-authoritative = true;

     

       112
       112
       -
               dhcp-rapid-commit = true;

     

       113
       113
       -
       

     

       114
       114
       -
               # Detect attempts by Verisign to send queries to unregistered hosts

     

       115
       115
       -
               bogus-nxdomain = "64.94.110.11";

     

       116
       116
       -
       

     

       117
       117
       -
               address = localDomains;

     

       118
       118
       -
             } // (optionalAttrs (intern != null) {

     

       119
       119
       -
               dhcp-range = [

     

       120
       120
       -
                 dhcpIPv4Range

     

       121
       121
       -
                 "tag:${intern.name}, ::1, constructor:${intern.name}, ra-names, slaac, 12h"

     

       122
       122
       -
               ];

     

       123
       123
       -
       

     

       124
       124
       -
               dhcp-option = [

     

       125
       125
       -
                 "option6:information-refresh-time, 6h"

     

       126
       126
       -
                 "option:router,${cfg.address}"

     

       127
       127
       -
                 "ra-param=${intern.name},high,0,0"

     

       128
       128
       -
               ] ++ (

     

       129
       129
       -
                 if cfg.timeserver.enable then [ "option:ntp-server,${cfg.address}" ] else []

     

       130
       130
       -
               );

     

       131
       131
       -
             });

     

       132
       132
       -
           };

     

       133
       133
       -
         };

     

       134
       134
       -
       }

+92 -38

modules/router/network.nix

···

       6
       6
        
       

     

       7
       7
        
         cfg = config.modules.router;

     

       8
       8
        
       

     

       9
       9
       +
         leaseType = types.submodule {

     

       10
       10
       +
           options = {

     

       11
       11
       +
             macAddress = mkOption {

     

       12
       12
       +
               type = types.str;

     

       13
       13
       +
               example = "00:00:00:00:00:00";

     

       14
       14
       +
             };

     

       15
       15
       +
             ipAddress = mkOption {

     

       16
       16
       +
               type = types.str;

     

       17
       17
       +
               example = "10.0.0.10";

     

       18
       18
       +
             };

     

       19
       19
       +
           };

     

       20
       20
       +
         };

     

       21
       21
       +
       

     

       9
       22
        
         interfaceType = types.submodule {

     

       10
       23
        
           options = {

     

       11
       24
        
             name = mkOption {

     
···

       26
       39
        
       

     

       27
       40
        
         extern = cfg.interfaces.external;

     

       28
       41
        
         intern = cfg.interfaces.internal;

     

       29
       29
       -
       

     

       30
       30
       -
         links = {

     

       31
       31
       -
           "10-${extern.name}" = {

     

       32
       32
       -
             matchConfig.PermanentMACAddress = extern.macAddress;

     

       33
       33
       -
             linkConfig = {

     

       34
       34
       -
               Description = "External Network Interface";

     

       35
       35
       -
               Name = extern.name;

     

       36
       36
       -
               # MACAddress = "64:20:9f:16:70:a6";

     

       37
       37
       -
               MTUBytes = "1500";

     

       38
       38
       -
             };

     

       39
       39
       -
           };

     

       40
       40
       -
         } // (optionalAttrs (intern != null) {

     

       41
       41
       -
           "11-${intern.name}" = {

     

       42
       42
       -
             matchConfig.PermanentMACAddress = intern.macAddress;

     

       43
       43
       -
             linkConfig = {

     

       44
       44
       -
               Description = "Internal Network Interface";

     

       45
       45
       -
               Name = intern.name;

     

       46
       46
       -
               MTUBytes = "1500";

     

       47
       47
       -
             };

     

       48
       48
       -
           };

     

       49
       49
       -
         });

     

       50
       42
        
       in {

     

       51
       51
       -
         options.modules.router = {

     

       43
       43
       +
         options.modules.router = let

     

       44
       44
       +
           defaultAddress = if intern != null

     

       45
       45
       +
             then ipv4.prettyIp (ipv4.cidrToIpAddress intern.cidr)

     

       46
       46
       +
             else "127.0.0.1";

     

       47
       47
       +
         in {

     

       52
       48
        
           address = mkOption {

     

       53
       49
        
             type = types.str;

     

       54
       54
       -
             default = if intern != null

     

       55
       55
       -
               then ipv4.prettyIp (ipv4.cidrToIpAddress intern.cidr)

     

       56
       56
       -
               else "127.0.0.1";

     

       50
       50
       +
             default = defaultAddress;

     

       57
       51
        
             example = "127.0.0.1";

     

       58
       52
        
           };

     

       59
       53
        
           mdns = mkOption {

     
···

       68
       62
        
               type = types.nullOr interfaceType;

     

       69
       63
        
               default = null;

     

       70
       64
        
             };

     

       65
       65
       +
           };

     

       66
       66
       +
           leases = mkOption {

     

       67
       67
       +
             default = [];

     

       68
       68
       +
             type = types.listOf leaseType;

     

       69
       69
       +
             description = "List of reserved IP address leases";

     

       71
       70
        
           };

     

       72
       71
        
         };

     

       73
       72
        
       

     

       74
       74
       -
         config = mkIf cfg.enable {

     

       75
       75
       -
           networking.useNetworkd = true;

     

       76
       76
       -
       

     

       77
       77
       -
           networking.firewall = mkIf (intern != null) {

     

       78
       78
       -
             trustedInterfaces = [ "lo" intern.name ];

     

       73
       73
       +
         config = let

     

       74
       74
       +
           links = {

     

       75
       75
       +
             "10-${extern.name}" = {

     

       76
       76
       +
               matchConfig.PermanentMACAddress = extern.macAddress;

     

       77
       77
       +
               linkConfig = {

     

       78
       78
       +
                 Description = "External Network Interface";

     

       79
       79
       +
                 Name = extern.name;

     

       80
       80
       +
                 # MACAddress = "64:20:9f:16:70:a6";

     

       81
       81
       +
                 MTUBytes = "1500";

     

       82
       82
       +
               };

     

       83
       83
       +
             };

     

       84
       84
       +
           } // (optionalAttrs (intern != null) {

     

       85
       85
       +
             "11-${intern.name}" = {

     

       86
       86
       +
               matchConfig.PermanentMACAddress = intern.macAddress;

     

       87
       87
       +
               linkConfig = {

     

       88
       88
       +
                 Description = "Internal Network Interface";

     

       89
       89
       +
                 Name = intern.name;

     

       90
       90
       +
                 MTUBytes = "1500";

     

       91
       91
       +
               };

     

       92
       92
       +
             };

     

       93
       93
       +
           });

     

       94
       94
       +
         in mkIf cfg.enable {

     

       95
       95
       +
           networking = {

     

       96
       96
       +
             useNetworkd = true;

     

       97
       97
       +
             firewall = mkIf (intern != null) {

     

       98
       98
       +
               trustedInterfaces = [ "lo" intern.name ];

     

       99
       99
       +
             };

     

       100
       100
       +
             nameservers = [

     

       101
       101
       +
               "1.1.1.1#cloudflare-dns.com"

     

       102
       102
       +
               "2606:4700:4700::1111#cloudflare-dns.com"

     

       103
       103
       +
             ];

     

       79
       104
        
           };

     

       80
       105
        
       

     

       81
       106
        
           boot.initrd.systemd.network = {

     
···

       84
       109
        
           };

     

       85
       110
        
       

     

       86
       111
        
           systemd.network = {

     

       87
       87
       -
             inherit links;

     

       88
       112
        
             enable = true;

     

       89
       89
       -
       

     

       113
       113
       +
             inherit links;

     

       90
       114
        
             networks = {

     

       91
       115
        
               "10-${extern.name}" = {

     

       92
       116
        
                 name = extern.name;

     

       93
       117
        
                 networkConfig = {

     

       94
       118
        
                   DHCP = "ipv4";

     

       95
       95
       -
                   DNS = if cfg.dnsmasq.enable then "127.0.0.1" else "1.1.1.1";

     

       96
       119
        
                   IPv4Forwarding = true;

     

       97
       120
        
                   IPv6Forwarding = true;

     

       98
       121
        
                 };

     
···

       105
       128
        
             } // (optionalAttrs (intern != null) {

     

       106
       129
        
               "11-${intern.name}" = {

     

       107
       130
        
                 name = intern.name;

     

       131
       131
       +
       

     

       108
       132
        
                 networkConfig = {

     

       109
       133
        
                   Address = intern.cidr;

     

       110
       110
       -
                   DHCPServer = false;

     

       134
       134
       +
                   DHCPServer = true;

     

       111
       135
        
                   IPv4Forwarding = true;

     

       112
       136
        
                   IPv6Forwarding = true;

     

       113
       137
        
                   ConfigureWithoutCarrier = true;

     

       114
       138
        
                   MulticastDNS = cfg.mdns;

     

       115
       139
        
                 };

     

       140
       140
       +
       

     

       141
       141
       +
                 dhcpServerConfig = let

     

       142
       142
       +
                   gatewayAddress = ipv4.prettyIp (ipv4.cidrToIpAddress intern.cidr);

     

       143
       143
       +
                 in {

     

       144
       144
       +
                   EmitDNS = true;

     

       145
       145
       +
                   EmitNTP = true;

     

       146
       146
       +
                   DNS = gatewayAddress;

     

       147
       147
       +
                   NTP = gatewayAddress;

     

       148
       148
       +
                   DefaultLeaseTimeSec = 43200;

     

       149
       149
       +
                   MaxLeaseTimeSec = 86400;

     

       150
       150
       +
                 };

     

       151
       151
       +
       

     

       152
       152
       +
                 dhcpServerStaticLeases = builtins.map (lease: {

     

       153
       153
       +
                   Address = lease.ipAddress;

     

       154
       154
       +
                   MACAddress = lease.macAddress;

     

       155
       155
       +
                 }) cfg.leases;

     

       116
       156
        
               };

     

       117
       157
        
             });

     

       118
       158
        
           };

     

       119
       159
        
       

     

       120
       120
       -
           services.resolved.extraConfig = optionalString cfg.mdns ''

     

       121
       121
       -
             DNSStubListener=no

     

       122
       122
       -
             MulticastDNS=yes

     

       123
       123
       -
           '';

     

       160
       160
       +
           services.resolved = {

     

       161
       161
       +
             enable = true;

     

       162
       162
       +
             fallbackDns = [

     

       163
       163
       +
               "1.0.0.1"

     

       164
       164
       +
               "2606:4700:4700::1001"

     

       165
       165
       +
             ];

     

       166
       166
       +
             dnsovertls = "opportunistic";

     

       167
       167
       +
             extraConfig = strings.concatStringsSep "\n" [

     

       168
       168
       +
               "[Resolve]"

     

       169
       169
       +
               (optionalString cfg.mdns ''

     

       170
       170
       +
                 MulticastDNS=yes

     

       171
       171
       +
               '')

     

       172
       172
       +
               (optionalString (intern != null) ''

     

       173
       173
       +
                 DNSStubListener=yes

     

       174
       174
       +
                 DNSStubListenerExtra=${ipv4.prettyIp (ipv4.cidrToIpAddress intern.cidr)}

     

       175
       175
       +
               '')

     

       176
       176
       +
             ];

     

       177
       177
       +
           };

     

       124
       178
        
         };

     

       125
       179
        
       }

+2 -4

modules/server/tailscale.nix

···

       16
       16
        
         };

     

       17
       17
        
       

     

       18
       18
        
         config = mkIf (cfg.enable && cfgRoot.enable) {

     

       19
       19
       -
           modules.router.dnsmasq.localDomains = [ "${hostname}.fable-pancake.ts.net" ];

     

       20
       20
       -
       

     

       21
       19
        
           networking = {

     

       22
       20
        
             domain = "fable-pancake.ts.net";

     

       23
       21
        
             firewall.trustedInterfaces = [ "tailscale0" ];

     
···

       32
       30
        
       

     

       33
       31
        
           services.tailscale = {

     

       34
       32
        
             enable = true;

     

       35
       35
       -
             useRoutingFeatures = "both";

     

       36
       36
       -
             extraUpFlags = [ "--advertise-exit-node" "--ssh" ];

     

       33
       33
       +
             useRoutingFeatures = "server";

     

       34
       34
       +
             extraUpFlags = [ "--advertise-exit-node" "--ssh" "--accept-dns=false" ];

     

       37
       35
        
             extraDaemonFlags = [ "--no-logs-no-support" ];

     

       38
       36
        
             authKeyFile = "/run/secrets/tailscale";

     

       39
       37
        
           };