From 0c33836fecf0e2daf361303aa08d13268a8881a7 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Wed, 29 May 2024 20:05:59 +0200
Subject: nanopi: make tailscale, dnsmasq and kresd play nicely

---
 system/nanopi.nix | 77 ++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 62 insertions(+), 15 deletions(-)

(limited to 'system/nanopi.nix')

diff --git a/system/nanopi.nix b/system/nanopi.nix
index 1dc90aaa..7da53b7e 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -85,17 +85,13 @@ in
   systemd.network.config.networkConfig = {
     SpeedMeter = true;
   };
+
   networking = {
     hostName = "nanopi";
     domain = "lan";
+    search = [ "lan" ];
     useDHCP = false;
     useNetworkd = true;
-    nameservers = [
-      "176.9.93.198"
-      "176.9.1.117"
-      "2a01:4f8:151:34aa::198"
-      "2a01:4f8:141:316d::117"
-    ];
     firewall = {
       enable = true;
       rejectPackets = true;
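Review bot: The `networking` attribute set is now written as two separate literals in this file, this one and the one the later hunk at +183 adds for `resolvconf` and `nameservers`, so the DNS-related settings (`domain`, `search`, `nameservers`, `resolvconf`) are split across the file. If both literals sit at the same level this relies on Nix merging two attribute-set literals under the same name, which works but reads like a duplicate definition to the next reader; moving `resolvconf` and `nameservers` next to `search = [ "lan" ];` here would keep the DNS story in one place. `search = [ "lan" ]` also repeats `domain = "lan"`; whether the generator then emits both a `domain` and a `search` line in resolv.conf is not visible from the hunk, so a short comment on why both are set would help.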
@@ -187,13 +183,56 @@ in
   #   };
   # };
   };
-  services.resolved.enable = false;
-  services.tailscale = {
+  networking = {
+    resolvconf = {
+      # having this enabled (the default) is pointless
+      # a) this device has fixed upstream nameservers
+      enable = false;
+      # b) it makes tailscale think it should change the search domains for MagicDNS
+      # ... due to this:
+      # useLocalResolver = false;
+      # which is set by kresd?!
+      # https://github.com/NixOS/nixpkgs/blob/7780e5160e011b39019797a4c4b1a4babc80d1bf/nixos/modules/services/networking/kresd.nix#L113
+    };
+    nameservers = lib.optionals config.services.dnsmasq.enable [
+      "::1"
+      "127.0.0.1"
+    ];
+  };
+  services.resolved = {
+    # this allows link-specific DNS configuration, which is useful.
     enable = true;
-    extraUpFlags = [ "--advertise-routes=10.0.0.0/20,fd12:d04f:65d:42::/56" ];
+    # why use simple boolean when string do trick?
+    llmnr = "false";
+    fallbackDns = [
+      "9.9.9.9"
+      "149.112.112.112"
+      "2620::fe:fe"
+      "2620::fe:9"
+      "116.203.248.56"
+      "2a01:4f8:c012:23a4::1"
+    ];
   };
+  # leaving this here just in case I ever think about disabling both `resolvconf` and `resolved`
+  # I thought that there would have been a fallback that does this anyway, but apparently not.
+  environment.etc."resolv.conf".text = lib.mkDefault (lib.optionalString
+    (
+      !config.networking.resolvconf.enable
+      &&
+      !config.services.resolved.enable
+    ) ''
+      search lan hydra-pinecone.ts.net
+      nameserver ::1
+      nameserver 127.0.0.1
+      options edns0
+    '');
+
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [ "--accept-dns=false" "--advertise-routes=10.0.0.0/20,fd12:d04f:65d:42::/56" ];
+  };


   programs.command-not-found.enable = false;

@@ -423,7 +462,8 @@ in

   services.dnsmasq = {
     enable = true;
-    resolveLocalQueries = true;
+    # let systemd-resolved.do this
+    resolveLocalQueries = false;
     alwaysKeepRunning = true;
     settings = {
       local-ttl = 60;
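Review bot: The hand-written `environment.etc."resolv.conf"` fallback points at `nameserver ::1` / `nameserver 127.0.0.1` unconditionally, while `networking.nameservers` a few lines above only selects those addresses when `config.services.dnsmasq.enable` is true; if both resolvconf and resolved are ever disabled with dnsmasq also off, the fallback names a listener that does not exist and resolution fails silently. The gate should match the other definition, e.g. `&& config.services.dnsmasq.enable` added to the `lib.optionalString` condition, with a comment saying the fallback assumes dnsmasq owns port 53 on loopback. Separately, `fallbackDns` lists public resolvers that resolved will query in clear text when no per-link DNS is available; if that path is meant to carry real traffic, `services.resolved.extraConfig = "DNSOverTLS=opportunistic";` (or the equivalent option, if this NixOS version has one) keeps it on par with what kresd presumably does upstream — I cannot see kresd's config from this hunk.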
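Review bot: The new comment above `resolveLocalQueries = false;` has a stray period, `# let systemd-resolved.do this`, and does not say what is being handed over; something like `# don't add 127.0.0.1 to resolv.conf ourselves: networking.nameservers + systemd-resolved handle that now` records the dependency on the `networking.nameservers` definition earlier in this commit. Without that, a future change to `networking.nameservers` has no hint that dnsmasq stopped registering itself as the host resolver here.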
@@ -442,16 +482,21 @@ in
       "2620::fe:9"
       "116.203.248.56"
       "2a01:4f8:c012:23a4::1"
-      # "127.0.0.1#5553"
-      # "::1#5553"
-      "127.0.0.1#5533"
-      "::1#5533"
+      # kresd
+      "127.0.0.1#5553"
+      "::1#5553"
+      # smartdns
+      # "127.0.0.1#5533"
+      # "::1#5533"
+      "/ts.net/100.100.100.100"
     ];

     localise-queries = true;
     cname = [ "homeassistant,ha" ];

     interface-name = [
+      "nanopi,bridge0"
+      "nanopi.lan,bridge0"
       "home.alanpearce.eu,wan0"
       "nanopi.alanpearce.eu,wan0"
       "nanopi.lan.alanpearce.eu,bridge0"
@@ -461,6 +506,7 @@ in
       "wwan,wwan0"
     ];
     interface = [
+      "lo"
       "bridge0"
     ];
     no-dhcp-interface = [
@@ -470,8 +516,9 @@ in
       # auth-server = [
       #   "nanopi.alanpearce.eu,wan0"
       # ];
-      bind-interfaces = false;
+      bind-interfaces = true;
+      # if this is false, a remote query for nanopi returns 127.0.0.2, because that's in /etc/hosts
       no-hosts = true;
       enable-ra = true;

-- 
cgit 1.4.1
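Review bot: Re-enabling kresd as `"127.0.0.1#5553"` / `"::1#5553"` puts it in the same `server` list as the public upstreams in the context lines just above (9.9.9.9 and friends); dnsmasq does not honour list order by default, it sends queries to whichever server answered fastest and retries the others on failure, so a share of lookups will go straight to the public resolvers and bypass kresd entirely. If kresd is meant to be the primary (for caching or validation), either list only kresd here or set `strict-order = true;` with kresd first, unless that is already set outside the hunk, which I cannot see since the `server` list begins before it. A comment such as `# kresd must stay first: strict-order makes dnsmasq try it before the public fallbacks` would make the intent survive the next edit. `"/ts.net/100.100.100.100"` pairs with the `--accept-dns=false` change earlier in the commit, but those answers only exist while tailscaled is up; worth one line saying so.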
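Review bot: `bind-interfaces = true;` is the line that lets dnsmasq coexist with systemd-resolved (enabled in this commit, whose stub listener sits on 127.0.0.53) and keeps it off wan0, because together with `interface = [ "lo" "bridge0" ]` from the hunk above dnsmasq now binds only those interfaces' addresses instead of the wildcard; that reasoning is not written down, and the comment added below it reads as belonging to `no-hosts`, so a line such as `# bind only lo/bridge0 addresses: no wildcard bind, no clash with resolved's stub listener, never exposed on wan0` above `bind-interfaces` would help. One caveat to note: with `bind-interfaces` dnsmasq binds whatever addresses exist at startup, so if bridge0 gets its addresses after dnsmasq starts they are not picked up (`alwaysKeepRunning` only restarts on exit); `bind-dynamic = true;` gives the same per-interface restriction while following address changes, if that matches how bridge0 comes up here.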