refactor: split "real" modules and "config" modules

2024-05-25 17:56:30 +02:00 · 2024-05-25 17:56:30 +02:00 · cceae6c63c
commit cceae6c63c
parent 045f15239a
60 changed files with 126 additions and 113 deletions
--- a/config/resolved.nix
+++ b/config/resolved.nix
@ -0,0 +1,70 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  services.resolved = {
+    enable = true;
+    dnssec = "allow-downgrade";
+    fallbackDns = [
+      "1.1.1.1"
+      "2606:4700:4700::1111"
+      "8.8.8.8"
+      "2001:4860:4860::8844"
+    ];
+    llmnr = "false";
+    extraConfig = ''
+      Domains=~.
+      MulticastDNS=true
+    '';
+  };
+
+  system.nssDatabases.hosts = lib.mkMerge [
+    (lib.mkBefore ["mdns_minimal [NOTFOUND=return]"])
+    (lib.mkAfter ["mdns"])
+  ];
+
+  # Open port 5353 for any interfaces that have MulticastDNS enabled
+  networking.nftables.firewall = let
+    # Determine all networks that have MulticastDNS enabled
+    networksWithMulticast =
+      lib.filter
+      (n: config.systemd.network.networks.${n}.networkConfig.MulticastDNS or false)
+      (lib.attrNames config.systemd.network.networks);
+
+    # Determine all known mac addresses and the corresponding link name
+    # based on the renameInterfacesByMac option.
+    knownMacs =
+      lib.mapAttrs'
+      (k: v: lib.nameValuePair v k)
+      config.networking.renameInterfacesByMac;
+    # A helper that returns the link name for the given mac address,
+    # or null if it doesn't exist or the given mac was null.
+    linkNameFor = mac:
+      if mac == null
+      then null
+      else knownMacs.${mac} or null;
+
+    # Calls the given function for each network that has MulticastDNS enabled,
+    # and collects all non-null values.
+    mapNetworks = f: lib.filter (v: v != null) (map f networksWithMulticast);
+
+    # All interfaces on which MulticastDNS is used
+    mdnsInterfaces = lib.unique (
+      # For each network that is matched by MAC, lookup the link name
+      # and if map the definition name to the link name.
+      mapNetworks (x: linkNameFor (config.systemd.network.networks.${x}.matchConfig.MACAddress or null))
+      # For each network that is matched by name, map the definition
+      # name to the link name.
+      ++ mapNetworks (x: config.systemd.network.networks.${x}.matchConfig.Name or null)
+    );
+  in
+    lib.mkIf (mdnsInterfaces != []) {
+      zones.mdns.interfaces = mdnsInterfaces;
+      rules.mdns-to-local = {
+        from = ["mdns"];
+        to = ["local"];
+        allowedUDPPorts = [5353];
+      };
+    };
+}