author | Alan Pearce | 2025-02-16 20:25:53 +0100 |
---|---|---|
committer | Alan Pearce | 2025-02-16 20:26:28 +0100 |
commit | cde930a37f8cc9298d53be24703a165aab1e27ea (patch) | |
tree | f4d52a9af7dff0bbd78e9acbaeec351c65e7c536 | |
parent | 5b39acfa25c4e509572aafb5a21e76d269a2c178 (diff) | |
nano: enable DNS views per-interface with DNS-over-TLS
-rw-r--r-- | system/nano.nix | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/system/nano.nix b/system/nano.nix
index b9f32eaa..be440a62 100644
--- a/system/nano.nix
+++ b/system/nano.nix
@@ -59,7 +59,7 @@ in
 "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
 "192.168.100.1" = [ "modem" "pyur" ];
 };
- nameservers = map (ns: "${ns}#dns11.quad9.net") [
+ nameservers = [
 "9.9.9.11"
 "149.112.112.11"
 "2620:fe::11"
@@ -78,7 +78,6 @@ in
 externalInterface = wan;
 internalInterfaces = [ lan ];
 };
- resolvconf.enable = false;
 };
 systemd.network = {
 enable = true;
@@ -98,7 +97,7 @@ in
 };
 };
 networks = {
- "50-${lan}" = {
+ "50-${lan}" = rec {
 matchConfig.Name = lan;
 address = [
 "10.0.0.1/16"
@@ -114,11 +113,12 @@ in
 IPv6AcceptRA = false;
 DHCPPrefixDelegation = true;
 ConfigureWithoutCarrier = true;
- LLMNR = true;
 MulticastDNS = true;
 Domains = [ config.networking.domain ];
 IPv6SendRA = !dnsmasqEnable;
 DHCPServer = !dnsmasqEnable;
+ DNS = map (a: builtins.head (lib.strings.splitString "/" a)) address;
+ DNSDefaultRoute = false;
 };
 dhcpPrefixDelegationConfig = {
 UplinkInterface = wan;
@@ -139,11 +139,10 @@ in
 DHCP = true;
 IPv6AcceptRA = true;
 IPv4Forwarding = true;
- LLMNR = false;
 MulticastDNS = false;
 DNSDefaultRoute = true;
- DNS = config.networking.nameservers;
 DNSOverTLS = true;
+ DNS = map (ns: "${ns}#dns11.quad9.net") config.networking.nameservers;
 };
 dhcpV4Config = {
 UseDNS = false;
@@ -182,16 +181,20 @@ in
 }; services.resolved = { enable = true; - llmnr = "false"; + extraConfig = '' + DNS = + LLMNR = false + MulticastDNS = true + ''; }; services.dnsmasq = { enable = dnsmasqEnable; alwaysKeepRunning = true; - resolveLocalQueries = false; settings = { inherit domain; interface = lan; + except-interface = "lo"; bind-interfaces = true; dhcp-fqdn = true; dhcp-authoritative = true;
@@ -206,6 +209,8 @@ in
 quiet-ra = true; enable-ra = true; + cache-size = 0; + no-resolv = true; server = [ "127.0.0.53" ]; expand-hosts = true;
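Review bot: The new `DNS = map (a: builtins.head (lib.strings.splitString "/" a)) address;` on the LAN link, combined with `Domains = [ config.networking.domain ]` and `DNSDefaultRoute = false`, makes systemd-resolved route every query under the local domain to dnsmasq, while hunk 7 keeps dnsmasq forwarding to `server = [ "127.0.0.53" ]` with `no-resolv = true`; a name under that domain that dnsmasq cannot answer from leases or hosts looks like it would bounce between the two resolvers until one of them gives up. If this is not already prevented by a `local = "/${domain}/";` entry outside these hunks, adding one to `services.dnsmasq.settings` makes dnsmasq answer the domain itself and closes the loop. A short comment on the `DNS =` line, such as `# resolved forwards the local domain to dnsmasq, which listens on this link's own addresses`, would also explain why `address` is referenced through `rec`. The enclosing `"50-${lan}"` set opens in hunk 3 and ends outside this hunk.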
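Review bot: `DNSOverTLS = true;` with `DNS = map (ns: "${ns}#dns11.quad9.net") config.networking.nameservers;` gives the WAN link strict TLS with a name to validate the certificate against, but only for the statically listed servers; resolvers learnt from DHCPv6 or router advertisements would join the same link's server list without a `#name`, and only `dhcpV4Config.UseDNS = false` is visible as context here. If `ipv6AcceptRAConfig.UseDNS = false;` and `dhcpV6Config.UseDNS = false;` are not set elsewhere in this link's network set (its body continues outside the hunk), an ISP-advertised resolver would presumably be used over TLS without hostname validation. A one-line comment noting that the `#dns11.quad9.net` suffix is what turns `DNSOverTLS = true` into authenticated TLS would document the intent for the next reader.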
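Review bot: The empty `DNS =` line inside `extraConfig` is the least obvious part of this hunk: once hunk 1 strips the `#dns11.quad9.net` suffix from `networking.nameservers`, the module's generated global `DNS=` line presumably carries those addresses as plain, non-TLS servers, and an empty assignment resets that list so only the per-link servers remain; a comment such as `# reset the global DNS= list the module derives from networking.nameservers; only per-link servers (WAN over TLS, LAN -> dnsmasq) are wanted` would keep that reasoning with the code. Moving the removed `llmnr = "false";` into `extraConfig` as `LLMNR = false` appears to rely on the module's own `LLMNR=` line being overridden by the later assignment; keeping the module option is the more robust form. The `services.dnsmasq` set continues past the end of the hunk.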
@@ -217,7 +222,8 @@ in ]; }; }; - systemd.services.dnsmasq.after = [ "network.target" ]; + systemd.services.dnsmasq.after = [ "network-online.target" ]; + systemd.services.dnsmasq.wants = [ "network-online.target" ]; # TODO find script # systemd.services.dynamic-dns-update = { |