swann: enable coredns and use google public DNS over TLS

2020-11-18 01:49:44 +00:00 · 2020-11-18 01:49:44 +00:00 · 68deb62b38
commit 68deb62b38
parent c0a6e48970
1 changed files with 69 additions and 0 deletions
--- a/ops/nixos/swann/default.nix
+++ b/ops/nixos/swann/default.nix
@ -135,14 +135,83 @@ in {
    interfaces.ens-general = {
      allowedTCPPorts = [
        8080 6789  # Unifi
+        53  # DNS
      ];
      allowedUDPPorts = [
        3478 10001  # Unifi
+        53  # DNS
      ];
    };
  };

+  services.ddclient = {
+    enable = false;
+    protocol = "cloudflare";
+    domains = ["home.lukegb.com"];
+    zone = "lukegb.com";
+    password = secrets.cloudflareCredentials.token;
+    use = "if";
+    extraConfig = ''
+      if=ens-virginmedia
+      daemon=0
+    '';
+  };
+  systemd.services.ddclient.serviceConfig.ExecStart = let
+    ddclient = pkgs.perlPackages.buildPerlPackage rec {
+      pname = "ddclient";
+      version = "3.9.1";
+      src = pkgs.fetchFromGitHub {
+        owner = "ddclient";
+        repo = "ddclient";
+        rev = "11a583b003920f8e15591813598b70061d1a4654";
+        sha256 = "sha256:1xz09vkii3mc2jmfwx9is07i06iiryv51571vdnl4m5mdnvsmlwb";
+      };
+      outputs = [ "out" ];
+      doCheck = false;
+      buildInputs = with pkgs.perlPackages; [ IOSocketSSL DigestSHA1 DataValidateIP JSONPP ];
+      nativeBuildInputs = with pkgs; [ autoreconfHook makeWrapper ];
+      preConfigure = ''
+        touch Makefile.PL
+      '';
+      postInstall = ''
+        patchShebangs $out/bin/ddclient
+        wrapProgram $out/bin/ddclient \
+          --suffix PATH : ${lib.makeBinPath (with pkgs; [ pkgs.iproute ])} \
+          --prefix PERL5LIB : $PERL5LIB
+      '';
+    };
+    RuntimeDirectory = "ddclient";
+  in lib.mkForce "${lib.getBin ddclient}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
+
  environment.systemPackages = with pkgs; [];

+  services.coredns = {
+    enable = true;
+    config = ''
+      .:53 {
+        bind 192.168.1.1 127.0.0.53
+        acl {
+          allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8
+          block
+        }
+        loadbalance
+        forward . tls://8.8.8.8 tls://8.8.4.4 {
+          tls_servername dns.google
+        }
+        cache {
+          success 4096
+          denial 1024
+          prefetch 512
+        }
+        prometheus :9153
+        errors
+        log
+      }
+    '';
+  };
+  networking.resolvconf.extraConfig = ''
+    name_servers='127.0.0.53'
+  '';
+
  system.stateVersion = "21.03";
 }