2024-04-11 19:30:26 +00:00
|
|
|
{ lib, config, ... }@inputs:
|
2024-01-07 19:24:12 +00:00
|
|
|
let
|
2024-01-31 20:58:23 +00:00
|
|
|
cfg = config.lab.networking.dmz.services;
|
2024-01-07 19:24:12 +00:00
|
|
|
in
|
|
|
|
|
{
|
2024-01-31 20:58:23 +00:00
|
|
|
options.lab.networking.dmz.services.enable = lib.mkOption {
|
2024-01-07 19:24:12 +00:00
|
|
|
default = false;
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
2024-01-31 20:58:23 +00:00
|
|
|
# TODO Remove this; make this explicit in the machine config.
|
|
|
|
|
lab.networking.dmz.allowConnectivity = true;
|
2024-01-13 16:33:14 +00:00
|
|
|
|
2024-01-29 21:21:15 +00:00
|
|
|
# TODO: listen only on dmz interface, make this portable between physical and VM.
|
|
|
|
|
networking.firewall = {
|
2024-01-12 21:31:15 +00:00
|
|
|
allowedTCPPorts = [ 53 5353 ];
|
|
|
|
|
allowedUDPPorts = [ 53 67 5353 ];
|
2024-01-07 19:24:12 +00:00
|
|
|
};
|
|
|
|
|
|
2024-01-07 21:36:26 +00:00
|
|
|
services = {
|
|
|
|
|
dnsmasq = {
|
|
|
|
|
enable = true;
|
2024-01-08 22:17:37 +00:00
|
|
|
settings = import ./dnsmasq.nix inputs;
|
2024-01-07 19:24:12 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
