authorAlan Pearce2025-02-16 20:25:53 +0100
committerAlan Pearce2025-02-16 20:26:28 +0100
commitcde930a37f8cc9298d53be24703a165aab1e27ea (patch)
treef4d52a9af7dff0bbd78e9acbaeec351c65e7c536 /system/nano.nix
parent5b39acfa25c4e509572aafb5a21e76d269a2c178 (diff)
nano: enable DNS views per-interface with DNS-over-TLS
Diffstat (limited to 'system/nano.nix')
-rw-r--r--system/nano.nix24
1 files changed, 15 insertions, 9 deletions
diff --git a/system/nano.nix b/system/nano.nix
index b9f32eaa..be440a62 100644
--- a/system/nano.nix
+++ b/system/nano.nix
@@ -59,7 +59,7 @@ in
       "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
       "192.168.100.1" = [ "modem" "pyur" ];
     };
-    nameservers = map (ns: "${ns}#dns11.quad9.net") [
+    nameservers = [
       "9.9.9.11"
       "149.112.112.11"
       "2620:fe::11"
@@ -78,7 +78,6 @@ in
       externalInterface = wan;
       internalInterfaces = [ lan ];
     };
-    resolvconf.enable = false;
   };
   systemd.network = {
     enable = true;
@@ -98,7 +97,7 @@ in
       };
     };
     networks = {
-      "50-${lan}" = {
+      "50-${lan}" = rec {
         matchConfig.Name = lan;
         address = [
           "10.0.0.1/16"
@@ -114,11 +113,12 @@ in
           IPv6AcceptRA = false;
           DHCPPrefixDelegation = true;
           ConfigureWithoutCarrier = true;
-          LLMNR = true;
           MulticastDNS = true;
           Domains = [ config.networking.domain ];
           IPv6SendRA = !dnsmasqEnable;
           DHCPServer = !dnsmasqEnable;
+          DNS = map (a: builtins.head (lib.strings.splitString "/" a)) address;
+          DNSDefaultRoute = false;
         };
         dhcpPrefixDelegationConfig = {
           UplinkInterface = wan;
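Review bot: The LAN link's new `DNS =` entry at line 58 points systemd-resolved at this host's own LAN addresses, which only answer if dnsmasq is running, yet the neighbouring `IPv6SendRA` and `DHCPServer` settings are already keyed on `dnsmasqEnable`; guarding it the same way, `DNS = lib.optionals dnsmasqEnable (map (a: builtins.head (lib.strings.splitString "/" a)) address);`, avoids routing the local domain to a resolver that is not listening when dnsmasq is off. Because dnsmasq itself forwards to 127.0.0.53 (visible in a later hunk), a query for an unknown name under `Domains` may presumably bounce resolved → dnsmasq → resolved; worth confirming that dnsmasq answers the local domain authoritatively or has loop detection enabled. The attribute set holding these settings opens before the hunk.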
@@ -139,11 +139,10 @@ in
           DHCP = true;
           IPv6AcceptRA = true;
           IPv4Forwarding = true;
-          LLMNR = false;
           MulticastDNS = false;
           DNSDefaultRoute = true;
-          DNS = config.networking.nameservers;
           DNSOverTLS = true;
+          DNS = map (ns: "${ns}#dns11.quad9.net") config.networking.nameservers;
         };
         dhcpV4Config = {
           UseDNS = false;
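Review bot: The new `DNS =` on the WAN link at line 72 appends `#dns11.quad9.net` to every entry of `config.networking.nameservers`, so it silently assumes that list holds only Quad9 addresses; with `DNSOverTLS = true` (strict mode) any other entry becomes a DoT upstream whose certificate cannot match that name. That assumption is weakened by the later hunk dropping `resolveLocalQueries = false`: if I recall the NixOS dnsmasq module correctly, `resolveLocalQueries` defaults to true and adds `127.0.0.1` to `networking.nameservers`, which would here become `127.0.0.1#dns11.quad9.net` — confirm by inspecting the generated `.network` file. A comment such as `# SNI name resolved validates the Quad9 certificate against; strict DoT fails closed on mismatch` would also make the pairing with `DNSOverTLS = true` explicit. The enclosing attribute set continues outside the hunk.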
@@ -182,16 +181,20 @@ in
   };
   services.resolved = {
     enable = true;
-    llmnr = "false";
+    extraConfig = ''
+      DNS =
+      LLMNR = false
+      MulticastDNS = true
+    '';
   };
 
   services.dnsmasq = {
     enable = dnsmasqEnable;
     alwaysKeepRunning = true;
-    resolveLocalQueries = false;
     settings = {
       inherit domain;
       interface = lan;
+      except-interface = "lo";
       bind-interfaces = true;
       dhcp-fqdn = true;
       dhcp-authoritative = true;
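Review bot: The empty `DNS =` in `extraConfig` at line 82 only clears the global resolver list if it is emitted after the `DNS=` line the NixOS resolved module generates from `networking.nameservers`, since systemd applies the last assignment and an empty value resets the list; confirm that ordering in the rendered resolved.conf, otherwise the plain Quad9 IPs from the first hunk stay global and are queried without DoT. Record the intent inside the heredoc: `# Empty DNS= resets the global list from networking.nameservers; resolvers are configured per-link in systemd.network`. The `services.dnsmasq` attribute set opened in this hunk continues past its end.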
@@ -206,6 +209,8 @@ in
       quiet-ra = true;
       enable-ra = true;
 
+      cache-size = 0;
+      no-resolv = true;
       server = [ "127.0.0.53" ];
 
       expand-hosts = true;
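Review bot: `cache-size = 0` and `no-resolv = true` at lines 103–104 change how dnsmasq forwards without stating why, and the next reader may well "fix" the zero cache. A short comment above them would settle it, e.g. `# Forward to resolved on 127.0.0.53, which holds the upstream config; disable dnsmasq's own cache and ignore /etc/resolv.conf`. The surrounding `settings` set opens and closes outside the hunk.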
@@ -217,7 +222,8 @@ in
       ];
     };
   };
-  systemd.services.dnsmasq.after = [ "network.target" ];
+  systemd.services.dnsmasq.after = [ "network-online.target" ];
+  systemd.services.dnsmasq.wants = [ "network-online.target" ];
 
   # TODO find script
   # systemd.services.dynamic-dns-update = {