some dns fix + dnsmasq

2025-07-27 01:15:27 +02:00 · 2025-07-27 01:15:27 +02:00 · b46c2a8355
commit b46c2a8355
parent 7b3c103b5b
5 changed files with 154 additions and 36 deletions
--- a/shared/commons/nftables.nix
+++ b/shared/commons/nftables.nix
@ -53,6 +53,18 @@ in
                                udp dport 51920 accept
                            '' else ""}

+                            ${if myName == mapping.dns.master then ''
+                                # DNS Master
+                                iifname mesh tcp dport 53 accept
+                                iifname mesh udp dport 53 accept
+                            '' else ""}
+
+                            ${if lib.elem myName mapping.dns.secondary then ''
+                                # DNS Secondary
+                                tcp dport 53 accept
+                                udp dport 53 accept
+                            '' else ""}
+
                            # Log anything else
                            ip protocol tcp counter log prefix "tcp.in.dropped: "
                            ip protocol udp counter log prefix "udp.in.dropped: "
@ -65,11 +77,8 @@ in
                            ct state invalid counter drop

                            ${if lib.elem myName mapping.bastion.hosts then ''
-                                iifname mgmt oifname mesh* accept
+                                iifname mgmt oifname mesh accept
                            '' else ""}
-
-                            # Allow mesh bounces
-                            iifname mesh* oifname mesh* accept
                        }
                        chain output {
                            type filter hook output priority 0; policy accept;
--- a/shared/commons/resolver.nix
+++ b/shared/commons/resolver.nix
@ -0,0 +1,53 @@
+{ ... }:
+
+let
+    # Import nodes
+    nodes = import ./../../nodes.nix;
+    myName = config.hostName;
+    myPeer = nodes."${myName}";
+    myId = myPeer.id;
+    myZone = myPeer.zone;
+
+    # Import mapping
+    mapping = import ./../../mapping.nix;
+in
+{
+    services.resolved.enable = false;
+    networking.resolvconf.enable = false;
+
+    networking.domain = "lf";
+
+    environment.etc."resolv.conf".text = ''
+        # Do not edit, will be overwritten by Nixos
+        domain ${config.networking.domain}
+        search ${config.networking.domain}
+        ${builtins.concatStringsSep "\n" (map (ip: "nameserver ${ip}") config.services.dnsmasq.settings.listen-address)}
+        options edns0 trust-ad
+    '';
+
+    services.dnsmasq = {
+        enable = true;
+        settings = {
+            listen-address = [
+                "::1"
+                "127.0.0.1"
+            ];
+            local = [
+                "/${config.networking.domain}/"
+            ];
+            server = [
+                "1.1.1.1"
+                "8.8.8.8"
+                "9.9.9.9"
+            ] ++ map (hostName: "/lf/172.19.${nodes.${hostName}.zone}.${nodes.${hostName}.id}") mapping.dns.hosts
+            ++ map (hostName: "/lf/fc00::${nodes.${hostName}.zone}:${nodes.${hostName}.id}") mapping.dns.hosts;
+            no-resolv = true;
+            # Resolvconf can auto-generated /etc/dnsmasq-{conf,resolv}.conf
+            # By default dnsmasq import them
+            # We've disable resolvconf, but just to be on the safe side
+            resolv-file = false;
+            conf-file = false;
+            log-queries = false;
+        };
+    };
+}