mirror of
https://github.com/nmasur/dotfiles
synced 2024-11-09 23:22:57 +00:00
use bind for local dns
This commit is contained in:
parent
9e8bac6834
commit
22cba9acac
@ -126,7 +126,6 @@
|
||||
mail.smtpHost = "smtp.purelymail.com";
|
||||
dotfilesRepo = "git@github.com:nmasur/dotfiles";
|
||||
hostnames = {
|
||||
zone = baseName;
|
||||
git = "git.${baseName}";
|
||||
metrics = "metrics.${baseName}";
|
||||
prometheus = "prom.${baseName}";
|
||||
|
@ -53,6 +53,7 @@ inputs.nixpkgs.lib.nixosSystem {
|
||||
dotfiles.enable = true;
|
||||
arrs.enable = true;
|
||||
|
||||
services.bind.enable = true;
|
||||
services.caddy.enable = true;
|
||||
services.jellyfin.enable = true;
|
||||
services.nextcloud.enable = true;
|
||||
|
@ -10,6 +10,9 @@
|
||||
services.avahi = {
|
||||
enable = true;
|
||||
domainName = "local";
|
||||
ipv6 = false; # Should work either way
|
||||
# Resolve local hostnames using Avahi DNS
|
||||
nssmdns = true;
|
||||
publish = {
|
||||
enable = true;
|
||||
addresses = true;
|
||||
@ -17,10 +20,6 @@
|
||||
workstation = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Resolve local hostnames using Avahi DNS
|
||||
services.avahi.nssmdns = true;
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -1,12 +1,27 @@
|
||||
{ pkgs, ... }: {
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
config = {
|
||||
let
|
||||
|
||||
localIp = "192.168.1.218";
|
||||
localServices = [
|
||||
config.hostnames.stream
|
||||
config.hostnames.content
|
||||
config.hostnames.books
|
||||
config.hostnames.download
|
||||
];
|
||||
mkRecord = service: "${service} A ${localIp}";
|
||||
localRecords = lib.concatLines (map mkRecord localServices);
|
||||
|
||||
in {
|
||||
|
||||
config = lib.mkIf config.services.bind.enable {
|
||||
|
||||
caddy.cidrAllowlist = [ "192.168.0.0/16" ];
|
||||
|
||||
services.bind = {
|
||||
|
||||
cacheNetworks = [ "192.168.0.0/16" ];
|
||||
|
||||
cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
|
||||
forwarders = [ "1.1.1.1" "1.0.0.1" ];
|
||||
ipv4Only = true;
|
||||
|
||||
# Use rpz zone as an override
|
||||
extraOptions = ''response-policy { zone "rpz"; };'';
|
||||
@ -25,13 +40,16 @@
|
||||
)
|
||||
IN NS localhost.
|
||||
localhost A 127.0.0.1
|
||||
stream A 192.168.0.218
|
||||
${localRecords}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -1,55 +1,70 @@
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options = {
|
||||
caddy.tlsPolicies = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Caddy JSON TLS policies";
|
||||
default = [ ];
|
||||
};
|
||||
caddy.routes = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Caddy JSON routes for http servers";
|
||||
default = [ ];
|
||||
};
|
||||
caddy.blocks = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Caddy JSON error blocks for http servers";
|
||||
default = [ ];
|
||||
caddy = {
|
||||
tlsPolicies = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Caddy JSON TLS policies";
|
||||
default = [ ];
|
||||
};
|
||||
routes = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Caddy JSON routes for http servers";
|
||||
default = [ ];
|
||||
};
|
||||
blocks = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Caddy JSON error blocks for http servers";
|
||||
default = [ ];
|
||||
};
|
||||
cidrAllowlist = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
description = "CIDR blocks to allow for requests";
|
||||
default = [ "127.0.0.1/32" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
|
||||
config = lib.mkIf config.services.caddy.enable {
|
||||
|
||||
services.caddy = {
|
||||
adapter = "''"; # Required to enable JSON
|
||||
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
|
||||
apps.http.servers.main = {
|
||||
listen = [ ":443" ];
|
||||
routes = config.caddy.routes;
|
||||
errors.routes = config.caddy.blocks;
|
||||
# logs = { }; # Uncomment to collect access logs
|
||||
# Force Caddy to 403 if not coming from allowlisted source
|
||||
caddy.routes = [{
|
||||
match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];
|
||||
handle = [{
|
||||
handler = "static_response";
|
||||
status_code = "403";
|
||||
}];
|
||||
}];
|
||||
|
||||
services.caddy = {
|
||||
adapter = "''"; # Required to enable JSON
|
||||
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
|
||||
apps.http.servers.main = {
|
||||
listen = [ ":443" ];
|
||||
routes = config.caddy.routes;
|
||||
errors.routes = config.caddy.blocks;
|
||||
# logs = { }; # Uncomment to collect access logs
|
||||
};
|
||||
apps.http.servers.metrics = { }; # Enables Prometheus metrics
|
||||
apps.tls.automation.policies = config.caddy.tlsPolicies;
|
||||
logging.logs.main = {
|
||||
encoder = { format = "console"; };
|
||||
writer = {
|
||||
output = "file";
|
||||
filename = "${config.services.caddy.logDir}/caddy.log";
|
||||
roll = true;
|
||||
};
|
||||
apps.http.servers.metrics = { }; # Enables Prometheus metrics
|
||||
apps.tls.automation.policies = config.caddy.tlsPolicies;
|
||||
logging.logs.main = {
|
||||
encoder = { format = "console"; };
|
||||
writer = {
|
||||
output = "file";
|
||||
filename = "${config.services.caddy.logDir}/caddy.log";
|
||||
roll = true;
|
||||
};
|
||||
level = "INFO";
|
||||
};
|
||||
});
|
||||
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||
|
||||
prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
|
||||
level = "INFO";
|
||||
};
|
||||
});
|
||||
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||
|
||||
prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -41,13 +41,7 @@ in {
|
||||
config = lib.mkIf config.cloudflare.enable {
|
||||
|
||||
# Forces Caddy to error if coming from a non-Cloudflare IP
|
||||
caddy.routes = [{
|
||||
match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
|
||||
handle = [{
|
||||
handler = "static_response";
|
||||
status_code = "403";
|
||||
}];
|
||||
}];
|
||||
caddy.cidrAllowlist = cloudflareIpRanges;
|
||||
|
||||
# Tell Caddy to use Cloudflare DNS for ACME challenge validation
|
||||
services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
|
||||
|
@ -3,6 +3,7 @@
|
||||
imports = [
|
||||
./arr.nix
|
||||
./backups.nix
|
||||
./bind.nix
|
||||
./caddy.nix
|
||||
./calibre.nix
|
||||
./cloudflare-tunnel.nix
|
||||
|
Loading…
Reference in New Issue
Block a user