summary refs log tree commit diff stats
path: root/system
diff options
context:
space:
mode:
authorAlan Pearce2024-05-29 20:05:59 +0200
committerAlan Pearce2024-05-29 20:05:59 +0200
commit0c33836fecf0e2daf361303aa08d13268a8881a7 (patch)
tree8f87462b8aed5393fb39b75a7965b6c90fb75619 /system
parent7d034871011a325b72feaf3db42cae8cb9553472 (diff)
downloadnixfiles-0c33836fecf0e2daf361303aa08d13268a8881a7.tar.lz
nixfiles-0c33836fecf0e2daf361303aa08d13268a8881a7.tar.zst
nixfiles-0c33836fecf0e2daf361303aa08d13268a8881a7.zip
nanopi: make tailscale, dnsmasq and kresd play nicely
Diffstat (limited to 'system')
-rwxr-xr-xsystem/nanopi.nix77
1 files changed, 62 insertions, 15 deletions
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 1dc90aaa..7da53b7e 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -85,17 +85,13 @@ in
   systemd.network.config.networkConfig = {
     SpeedMeter = true;
   };
+
   networking = {
     hostName = "nanopi";
     domain = "lan";
+    search = [ "lan" ];
     useDHCP = false;
     useNetworkd = true;
-    nameservers = [
-      "176.9.93.198"
-      "176.9.1.117"
-      "2a01:4f8:151:34aa::198"
-      "2a01:4f8:141:316d::117"
-    ];
     firewall = {
       enable = true;
       rejectPackets = true;
@@ -187,13 +183,56 @@ in
       # };
     };
   };
-  services.resolved.enable = false;
 
-  services.tailscale = {
+  networking = {
+    resolvconf = {
+      # having this enabled (the default) is pointless
+      # a) this device has fixed upstream nameservers
+      enable = false;
+      # b) it makes tailscale think it should change the search domains for MagicDNS
+      # ... due to this:
+      # useLocalResolver = false;
+      # which is set by kresd?!
+      # https://github.com/NixOS/nixpkgs/blob/7780e5160e011b39019797a4c4b1a4babc80d1bf/nixos/modules/services/networking/kresd.nix#L113
+    };
+    nameservers = lib.optionals config.services.dnsmasq.enable [
+      "::1"
+      "127.0.0.1"
+    ];
+  };
+  services.resolved = {
+    # this allows link-specific DNS configuration, which is useful.
     enable = true;
-    extraUpFlags = [ "--advertise-routes=10.0.0.0/20,fd12:d04f:65d:42::/56" ];
+    # why use simple boolean when string do trick?
+    llmnr = "false";
+    fallbackDns = [
+      "9.9.9.9"
+      "149.112.112.112"
+      "2620::fe:fe"
+      "2620::fe:9"
+      "116.203.248.56"
+      "2a01:4f8:c012:23a4::1"
+    ];
   };
 
+  # leaving this here just in case I ever think about disabling both `resolvconf` and `resolved`
+  # I thought that there would have been a fallback that does this anyway, but apparently not.
+  environment.etc."resolv.conf".text = lib.mkDefault (lib.optionalString
+    (
+      !config.networking.resolvconf.enable
+      &&
+      !config.services.resolved.enable
+    ) ''
+    search lan hydra-pinecone.ts.net
+    nameserver ::1
+    nameserver 127.0.0.1
+    options edns0
+  '');
+
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [ "--accept-dns=false" "--advertise-routes=10.0.0.0/20,fd12:d04f:65d:42::/56" ];
+  };
 
   programs.command-not-found.enable = false;
 
@@ -423,7 +462,8 @@ in
 
   services.dnsmasq = {
     enable = true;
-    resolveLocalQueries = true;
+    # let systemd-resolved.do this
+    resolveLocalQueries = false;
     alwaysKeepRunning = true;
     settings = {
       local-ttl = 60;
@@ -442,16 +482,21 @@ in
         "2620::fe:9"
         "116.203.248.56"
         "2a01:4f8:c012:23a4::1"
-        # "127.0.0.1#5553"
-        # "::1#5553"
-        "127.0.0.1#5533"
-        "::1#5533"
+        # kresd
+        "127.0.0.1#5553"
+        "::1#5553"
+        # smartdns
+        # "127.0.0.1#5533"
+        # "::1#5533"
+        "/ts.net/100.100.100.100"
       ];
       localise-queries = true;
       cname = [
         "homeassistant,ha"
       ];
       interface-name = [
+        "nanopi,bridge0"
+        "nanopi.lan,bridge0"
         "home.alanpearce.eu,wan0"
         "nanopi.alanpearce.eu,wan0"
         "nanopi.lan.alanpearce.eu,bridge0"
@@ -461,6 +506,7 @@ in
         "wwan,wwan0"
       ];
       interface = [
+        "lo"
         "bridge0"
       ];
       no-dhcp-interface = [
@@ -470,8 +516,9 @@ in
       # auth-server = [
       #   "nanopi.alanpearce.eu,wan0"
       # ];
-      bind-interfaces = false;
+      bind-interfaces = true;
 
+      # if this is false, a remote query for nanopi returns 127.0.0.2, because that's in /etc/hosts
       no-hosts = true;
 
       enable-ra = true;