feat(adguardhome): bind only external interface

oddlama 2023-07-06 02:34:07 +02:00
parent 31ef29569d
commit 3f6286ef31
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 122 additions and 59 deletions

flake.lock generated

@ -415,7 +415,7 @@
}, },
"locked": { "locked": {
"lastModified": 1687369979, "lastModified": 1687369979,
"narHash": "sha256-Dr6BQSKE1iX85h5kanhSPyJR9RSjJYa20T5PhukQTV8=", "narHash": "sha256-rRV+VKRVb0N2xYLVMfAGk8FQnII3mCuH5JMTOCLlEnk=",
"type": "git", "type": "git",
"url": "file:///root/projects/microvm.nix" "url": "file:///root/projects/microvm.nix"
}, },


@ -18,6 +18,7 @@
./fs.nix ./fs.nix
./net.nix ./net.nix
./kea.nix
]; ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];

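--- /dev/null
+++ b/hosts/ward/kea.nix
@@ -0,0 +1,77 @@
+{
+config,
+lib,
+utils,
+nodes,
+...
+}: let
+inherit
+(lib)
+flip
+mapAttrsToList
+mkOption
+net
+types
+;
+lanCidrv4 = "192.168.100.0/24";
+dnsIp = net.cidr.host 2 lanCidrv4;
+in {
+# TODO make meta.kea module?
+# TODO reserve by default using assignIps algo?
+options.networking.dhcp4Reservations = mkOption {
+default = {};
+type = types.attrsOf (types.net.ipv4-in lanCidrv4);
+description = "Maps MAC addresses to their reserved ipv4 address.";
+};
+config = {
+services.kea.dhcp4 = {
+enable = true;
+settings = {
+lease-database = {
+name = "/var/lib/kea/dhcp4.leases";
+persist = true;
+type = "memfile";
+};
+valid-lifetime = 4000;
+renew-timer = 1000;
+rebind-timer = 2000;
+interfaces-config = {
+# XXX: why does this bind other macvtaps?
+interfaces = ["lan-self"];
+service-sockets-max-retries = -1;
+};
+option-data = [
+{
+name = "domain-name-servers";
+data = dnsIp;
+}
+];
+subnet4 = [
+{
+interface = "lan-self";
+subnet = lanCidrv4;
+pools = [
+{pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";}
+];
+option-data = [
+{
+name = "routers";
+data = net.cidr.host 1 lanCidrv4;
+}
+];
+reservations = [
+{
+hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
+ip-address = dnsIp;
+}
+];
+}
+];
+};
+};
+systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
+};
+}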
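Review bot: The `networking.dhcp4Reservations` option declared in this file is never read: `reservations` is hard-coded to the single adguardhome entry, and `flip`/`mapAttrsToList` are inherited from `lib` but unused, which suggests the wiring was intended but not finished. Consider `reservations = [ { hw-address = nodes.ward-adguardhome.config.lib.microvm.mac; ip-address = dnsIp; } ] ++ flip mapAttrsToList config.networking.dhcp4Reservations (mac: ip: { hw-address = mac; ip-address = ip; });` so other modules can add reservations without editing this file; until then the option silently accepts and discards values, and its description should at least say so. The `XXX: why does this bind other macvtaps?` note on `interfaces-config` also carries over unresolved — if kea really listens on interfaces beyond `lan-self`, the DHCP server answers on networks it is not meant to serve, so that is worth pinning down rather than leaving as a comment.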


@ -2,6 +2,7 @@
config, config,
lib, lib,
nodes, nodes,
pkgs,
utils, utils,
... ...
}: let }: let
@ -34,23 +35,50 @@ in {
}; };
}; };
networking.firewall = {
allowedTCPPorts = [53];
allowedUDPPorts = [53];
};
services.adguardhome = { services.adguardhome = {
enable = true; enable = true;
mutableSettings = false;
settings = { settings = {
bind_host = config.meta.wireguard.proxy-sentinel.ipv4; bind_host = config.meta.wireguard.proxy-sentinel.ipv4;
bind_port = 3000; bind_port = 3000;
#dns = { dns = {
# edns_client_subnet.enabled = false; edns_client_subnet.enabled = false;
# bind_hosts = [ "127.0.0.1" ]; bind_hosts = [
# bootstrap_dns = [ # This dummy address passes the configuration check and will
# "8.8.8.8" # later be replaced by the actual interface address.
# "8.8.4.4" "123.123.123.123"
# "2001:4860:4860::8888" ];
# "2001:4860:4860::8844" # allowed_clients = [
# ]; # ];
#}; #trusted_proxied = [];
ratelimit = 60;
upstream_dns = [
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
];
bootstrap_dns = [
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
];
dhcp.enabled = false;
};
}; };
}; };
systemd.services.influxdb.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; systemd.services.adguardhome = {
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wan"}.device"];
preStart = lib.mkAfter ''
INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
'';
};
} }
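Review bot: The new `preStart` derives `bind_hosts` from whatever IPv4 it finds on `wan`, but if the interface carries more than one address `grep -o` prints several lines and the multi-line `$INTERFACE_ADDR` breaks the `sed` expression, and if no address is assigned yet the unit is only ordered after the `.device` unit, not after address configuration, so the substitution writes an empty bind host instead of failing. Consider appending `| head -n1` to the pipeline and guarding with `[[ -n "$INTERFACE_ADDR" ]] || { echo "wan has no IPv4 address" >&2; exit 1; }` before the `sed`, and escape the dots in the pattern (`s/123\.123\.123\.123/…/`) so it cannot match an unrelated string in the YAML. Separately, `allowedTCPPorts`/`allowedUDPPorts = [53]` opens the port on every interface of the VM even though the title's intent is a wan-only listener; `networking.firewall.interfaces.wan.allowedUDPPorts = [53];` (and the TCP counterpart) keeps the exposure aligned with the bind. The enclosing module attrset begins before this hunk.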


@ -1,7 +1,6 @@
{ {
config, config,
lib, lib,
utils,
... ...
}: let }: let
lanCidrv4 = "192.168.100.0/24"; lanCidrv4 = "192.168.100.0/24";
@ -125,51 +124,6 @@ in {
}; };
}; };
services.kea = {
dhcp4 = {
enable = true;
settings = {
lease-database = {
name = "/var/lib/kea/dhcp4.leases";
persist = true;
type = "memfile";
};
valid-lifetime = 4000;
renew-timer = 1000;
rebind-timer = 2000;
interfaces-config = {
# TODO why does this bind other macvtaps?
interfaces = ["lan-self"];
service-sockets-max-retries = -1;
};
option-data = [
{
name = "domain-name-servers";
# TODO pihole via self
data = "1.1.1.1, 8.8.8.8";
}
];
subnet4 = [
{
interface = "lan-self";
subnet = lanCidrv4;
pools = [
{pool = "${lib.net.cidr.host 20 lanCidrv4} - ${lib.net.cidr.host (-6) lanCidrv4}";}
];
option-data = [
{
name = "routers";
data = lib.net.cidr.host 1 lanCidrv4;
}
];
}
];
};
};
};
systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
meta.microvms.networking = { meta.microvms.networking = {
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac; baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
macvtapInterface = "lan"; macvtapInterface = "lan";


@ -111,6 +111,8 @@
config = {config, ...}: { config = {config, ...}: {
imports = cfg.commonImports ++ node.imports ++ vmCfg.modules; imports = cfg.commonImports ++ node.imports ++ vmCfg.modules;
lib.microvm.mac = mac;
microvm = { microvm = {
hypervisor = mkDefault "cloud-hypervisor"; hypervisor = mkDefault "cloud-hypervisor";
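Review bot: `lib.microvm.mac = mac;` is added without a comment saying why a MAC address is stored under `lib` of the guest's config, where a reader would not expect to look for it. A line such as `# Expose this VM's MAC through its config so other nodes can reference it (e.g. for DHCP reservations).` would make the cross-node use in hosts/ward/kea.nix discoverable from here. The `config = {config, ...}:` function continues outside this hunk.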


@ -158,7 +158,8 @@ in {
systemd.services.telegraf = { systemd.services.telegraf = {
path = [ path = [
# Make sensors refer to the correct wrapper # Make sensors refer to the correct wrapper
(mkIf config.services.smartd.enable (pkgs.writeShellScriptBin "sensors" config.security.elewrap.telegraf-sensors.path)) (mkIf config.services.smartd.enable
(pkgs.writeShellScriptBin "sensors" config.security.elewrap.telegraf-sensors.path))
]; ];
serviceConfig = { serviceConfig = {
# For wireguard statistics # For wireguard statistics