From 54d5f6f5dcdddb55dac5ccdb734e685b6a62f446 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 7 Jan 2024 22:36:26 +0100 Subject: [PATCH] enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ --- nixos/machines/default.nix | 5 +- nixos/modules/dns/default.nix | 104 +++++++++++++++++++++++++--------- nixos/modules/networking.nix | 26 ++++++--- 3 files changed, 99 insertions(+), 36 deletions(-) diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix index 93736c7..cce5f37 100644 --- a/nixos/machines/default.nix +++ b/nixos/machines/default.nix @@ -24,6 +24,9 @@ hostName = "atlas.hyp"; nixosModule.lab = { + dns.enable = true; + networking.staticDMZIpv4Address = "192.168.30.7/24"; + storage = { osDisk = "/dev/sda"; dataPartition = "/dev/nvme0n1p1"; @@ -43,7 +46,7 @@ nixosModule.lab = { dataHost.enable = true; - dns.enable = true; + # dns.enable = true; storage = { osDisk = "/dev/sda"; diff --git a/nixos/modules/dns/default.nix b/nixos/modules/dns/default.nix index fd1c3dc..84baf7c 100644 --- a/nixos/modules/dns/default.nix +++ b/nixos/modules/dns/default.nix 
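Review bot: The static DMZ address `192.168.30.7/24` set here for atlas is repeated as a bare literal (`192.168.30.7`) in the dns module's dnsmasq `server` and `address` lists in the same commit, so the two places can drift when the host is renumbered. Since the dns module already has access to `config`, it could derive the host part from `config.lab.networking.staticDMZIpv4Address` (or the machine file could be the single source of truth) instead of hard-coding it twice. A short comment next to this line noting that the dns module depends on this exact address would at least make the coupling visible.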
@@ -24,40 +24,88 @@ in config = lib.mkIf cfg.enable { networking.firewall = { allowedTCPPorts = [ 53 ]; - allowedUDPPorts = [ 53 ]; + allowedUDPPorts = [ 53 67 ]; }; - services.bind = { - enable = true; - forwarders = [ ]; - # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems. - ipv4Only = true; + services = { + bind = { + enable = true; + forwarders = [ ]; + # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems. + ipv4Only = true; - extraOptions = '' - allow-transfer { none; }; - allow-recursion { none; }; - version "No dice."; - ''; + extraOptions = '' + allow-transfer { none; }; + allow-recursion { none; }; + version "No dice."; + ''; - zones = { - "kun.is" = { - master = true; - file = kunisZoneFile; - allowQuery = [ "any" ]; - extraConfig = '' - notify yes; - allow-update { none; }; - ''; + zones = { + "kun.is" = { + master = true; + file = kunisZoneFile; + allowQuery = [ "any" ]; + extraConfig = '' + notify yes; + allow-update { none; }; + ''; + }; + + "geokunis2.nl" = { + master = true; + file = geokunis2nlZoneFile; + allowQuery = [ "any" ]; + extraConfig = '' + notify yes; + allow-update { none; }; + ''; + }; }; + }; - "geokunis2.nl" = { - master = true; - file = geokunis2nlZoneFile; - allowQuery = [ "any" ]; - extraConfig = '' - notify yes; - allow-update { none; }; - ''; + dnsmasq = { + enable = true; + + settings = { + no-resolv = true; + server = [ + "192.168.30.1" + "/geokunis2.nl/192.168.30.7" + "/kun.is/192.168.30.7" + ]; + local = "/dmz/"; + dhcp-fqdn = true; + no-hosts = true; + expand-hosts = true; + domain = "dmz"; + dhcp-authoritative = true; + dhcp-range = [ + "192.168.30.50,192.168.30.127,15m" + "2a02:58:19a:f730::, ra-stateless, ra-names" + ]; + dhcp-host = [ + "b8:27:eb:b9:ab:e2,esrom" + "ca:fe:c0:ff:ee:03,max,192.168.30.3" + "ca:fe:c0:ff:ee:08,maestro,192.168.30.8" + "dc:a6:32:7b:e2:11,iris,192.168.30.9" + "ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10" + "52:54:00:72:e0:9a,forum,192.168.30.11" + ]; + 
dhcp-option = [ + "3,192.168.30.1" + "option6:dns-server,[2a02:58:19a:f730::1]" + "option:dns-server,192.168.30.1" + ]; + ra-param = "*,0,0"; + alias = "192.145.57.90,192.168.30.8"; + log-dhcp = true; + log-queries = true; + interface-name = "hermes.dmz,ens3"; + port = "5353"; + address = [ + "/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7" + "/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07" + ]; }; }; }; diff --git a/nixos/modules/networking.nix b/nixos/modules/networking.nix index 1dd2ae9..b06fea9 100644 --- a/nixos/modules/networking.nix +++ b/nixos/modules/networking.nix @@ -1,18 +1,29 @@ { lib, config, ... }: let cfg = config.lab.networking; in { - options.lab.networking.allowDMZConnectivity = lib.mkOption { - default = false; - type = lib.types.bool; - description = '' - Whether to create a networking interface on the DMZ bridge. - ''; + options.lab.networking = { + allowDMZConnectivity = lib.mkOption { + default = false; + type = lib.types.bool; + description = '' + Whether to create a networking interface on the DMZ bridge. + ''; + }; + + staticDMZIpv4Address = lib.mkOption { + default = ""; + type = lib.types.str; + description = '' + Assign a static IPv4 on the DMZ interface. + ''; + }; }; config = { networking = { domain = "hyp"; - firewall.enable = true; + # TODO: Enabling the firewall makes connectivity of LAN -> DMZ impossible... + firewall.enable = false; useDHCP = false; }; @@ -70,6 +81,7 @@ in { IPv6AcceptRA = false; LinkLocalAddressing = "no"; DHCP = lib.mkIf cfg.allowDMZConnectivity "yes"; + Address = lib.mkIf (cfg.staticDMZIpv4Address != "") cfg.staticDMZIpv4Address; }; }; };
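Review bot: The new dnsmasq block sets no `interface`, `listen-address` or `bind-interfaces`, so dnsmasq binds the wildcard and answers DNS — including recursion via the `server` forwarders — on every interface of the host, not only the DMZ one named in `interface-name`; the bind configuration it sits next to explicitly refuses recursion (`allow-recursion { none; }`), so this quietly reintroduces an open forwarder, and with `networking.firewall.enable` being switched off in the same commit nothing else restricts who can reach it. Pin it to the DMZ side, e.g. `interface = "ens3"; bind-interfaces = true; local-service = true;` (assuming `ens3` is the DMZ interface, as the `interface-name` entry suggests). Also note that `port = "5353"` is the mDNS port, so any mDNS responder on the same host will collide with it, and the firewall change in this hunk only adds UDP 67 to 53, so 5353 is not opened should the firewall be re-enabled. `log-queries = true` records every client lookup; fine for bring-up, but worth removing or gating once the setup is stable.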
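Review bot: `firewall.enable = false` sits in the unconditional `config` block, so it disables the host firewall on every machine importing this module, not just the host with the LAN→DMZ problem noted in the TODO, and it turns the `allowedTCPPorts`/`allowedUDPPorts` entries in the dns module into no-ops. Keeping the default and letting the affected host opt out, `firewall.enable = lib.mkDefault true;`, or adding the DMZ bridge to `networking.firewall.trustedInterfaces` if that is where the forwarded traffic is dropped, would be a narrower workaround. The `staticDMZIpv4Address` option uses `""` as a sentinel; the NixOS convention is `type = lib.types.nullOr lib.types.str; default = null;` with the consumer checking `!= null`. Its description should also state that a prefix length is required, since the machine file passes `192.168.30.7/24`: `description = "Static IPv4 address with prefix length (e.g. 192.168.30.7/24) to assign on the DMZ interface.";`.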
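Review bot: The added `Address` line is independent of the `DHCP = lib.mkIf cfg.allowDMZConnectivity "yes"` line above it, so a host that enables both options ends up with the static address and a DHCP lease on the same interface, and the dnsmasq `dhcp-range` introduced in this commit would then hand it a second address in the same subnet. If a static address is meant to replace DHCP, gate the DHCP line on it: `DHCP = lib.mkIf (cfg.allowDMZConnectivity && cfg.staticDMZIpv4Address == "") "yes";`. The enclosing `networkConfig` block starts outside the hunk, so whether the interface is created at all when only `staticDMZIpv4Address` is set cannot be seen here and is worth confirming against the option description ("Whether to create a networking interface on the DMZ bridge").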