enable dnsmasq for DHCP and DNS

allow setting static ipv4 address on DMZ
This commit is contained in:
Pim Kunis 2024-01-07 22:36:26 +01:00
parent d4301bf7cd
commit 54d5f6f5dc
3 changed files with 99 additions and 36 deletions


@ -24,6 +24,9 @@
hostName = "atlas.hyp"; hostName = "atlas.hyp";
nixosModule.lab = { nixosModule.lab = {
dns.enable = true;
networking.staticDMZIpv4Address = "192.168.30.7/24";
storage = { storage = {
osDisk = "/dev/sda"; osDisk = "/dev/sda";
dataPartition = "/dev/nvme0n1p1"; dataPartition = "/dev/nvme0n1p1";
@ -43,7 +46,7 @@
nixosModule.lab = { nixosModule.lab = {
dataHost.enable = true; dataHost.enable = true;
dns.enable = true; # dns.enable = true;
storage = { storage = {
osDisk = "/dev/sda"; osDisk = "/dev/sda";


@ -24,40 +24,88 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 53 ]; allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ]; allowedUDPPorts = [ 53 67 ];
}; };
services.bind = { services = {
enable = true; bind = {
forwarders = [ ]; enable = true;
# TODO: disable ipv6 for now, as the hosts themselves lack routes it seems. forwarders = [ ];
ipv4Only = true; # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
ipv4Only = true;
extraOptions = '' extraOptions = ''
allow-transfer { none; }; allow-transfer { none; };
allow-recursion { none; }; allow-recursion { none; };
version "No dice."; version "No dice.";
''; '';
zones = { zones = {
"kun.is" = { "kun.is" = {
master = true; master = true;
file = kunisZoneFile; file = kunisZoneFile;
allowQuery = [ "any" ]; allowQuery = [ "any" ];
extraConfig = '' extraConfig = ''
notify yes; notify yes;
allow-update { none; }; allow-update { none; };
''; '';
};
"geokunis2.nl" = {
master = true;
file = geokunis2nlZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
}; };
};
"geokunis2.nl" = { dnsmasq = {
master = true; enable = true;
file = geokunis2nlZoneFile;
allowQuery = [ "any" ]; settings = {
extraConfig = '' no-resolv = true;
notify yes; server = [
allow-update { none; }; "192.168.30.1"
''; "/geokunis2.nl/192.168.30.7"
"/kun.is/192.168.30.7"
];
local = "/dmz/";
dhcp-fqdn = true;
no-hosts = true;
expand-hosts = true;
domain = "dmz";
dhcp-authoritative = true;
dhcp-range = [
"192.168.30.50,192.168.30.127,15m"
"2a02:58:19a:f730::, ra-stateless, ra-names"
];
dhcp-host = [
"b8:27:eb:b9:ab:e2,esrom"
"ca:fe:c0:ff:ee:03,max,192.168.30.3"
"ca:fe:c0:ff:ee:08,maestro,192.168.30.8"
"dc:a6:32:7b:e2:11,iris,192.168.30.9"
"ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10"
"52:54:00:72:e0:9a,forum,192.168.30.11"
];
dhcp-option = [
"3,192.168.30.1"
"option6:dns-server,[2a02:58:19a:f730::1]"
"option:dns-server,192.168.30.1"
];
ra-param = "*,0,0";
alias = "192.145.57.90,192.168.30.8";
log-dhcp = true;
log-queries = true;
interface-name = "hermes.dmz,ens3";
port = "5353";
address = [
"/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7"
"/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07"
];
}; };
}; };
}; };
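Review bot: The dnsmasq instance added under `services.dnsmasq.settings` is not bound to the DMZ interface — there is no `interface`, `bind-interfaces` or `local-service` setting — so a forwarder that resolves any name via `server = [ "192.168.30.1" ... ]` answers on every address the host has, not only the DMZ one. Since the networking module in this same commit sets `firewall.enable = false`, that makes it a recursive resolver reachable from wherever the host is routable; `interface = "ens3"; bind-interfaces = true;` (interface name taken from the `interface-name` line, please verify) would confine both DNS and DHCP to the DMZ side. `port = "5353"` also does not appear in `allowedUDPPorts = [ 53 67 ]`, so if the firewall is re-enabled dnsmasq's DNS side would be blocked while DHCP keeps working — presumably intended because BIND owns 53, but a comment such as `# dnsmasq serves DNS on 5353 only for local/DHCP names; BIND stays on 53` would make that explicit. `log-queries = true` records every client lookup in the journal, which is useful while bringing the service up but amounts to persistent per-client browsing history, so consider dropping it once DHCP is stable.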


@ -1,18 +1,29 @@
{ lib, config, ... }: { lib, config, ... }:
let cfg = config.lab.networking; let cfg = config.lab.networking;
in { in {
options.lab.networking.allowDMZConnectivity = lib.mkOption { options.lab.networking = {
default = false; allowDMZConnectivity = lib.mkOption {
type = lib.types.bool; default = false;
description = '' type = lib.types.bool;
Whether to create a networking interface on the DMZ bridge. description = ''
''; Whether to create a networking interface on the DMZ bridge.
'';
};
staticDMZIpv4Address = lib.mkOption {
default = "";
type = lib.types.str;
description = ''
Assign a static IPv4 on the DMZ interface.
'';
};
}; };
config = { config = {
networking = { networking = {
domain = "hyp"; domain = "hyp";
firewall.enable = true; # TODO: Enabling the firewall makes connectivity of LAN -> DMZ impossible...
firewall.enable = false;
useDHCP = false; useDHCP = false;
}; };
@ -70,6 +81,7 @@ in {
IPv6AcceptRA = false; IPv6AcceptRA = false;
LinkLocalAddressing = "no"; LinkLocalAddressing = "no";
DHCP = lib.mkIf cfg.allowDMZConnectivity "yes"; DHCP = lib.mkIf cfg.allowDMZConnectivity "yes";
Address = lib.mkIf (cfg.staticDMZIpv4Address != "") cfg.staticDMZIpv4Address;
}; };
}; };
}; };
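Review bot: `firewall.enable = false;` switches off the host firewall for every machine importing this module, not only the DMZ-connected one, so the `allowedTCPPorts`/`allowedUDPPorts` lists in the DNS module no longer restrict anything and the BIND and dnsmasq listeners are exposed on all interfaces. Rather than disabling it to work around the LAN -> DMZ TODO, keep `firewall.enable = true;` and open the needed ports per interface with `networking.firewall.interfaces.<ifname>.allowedUDPPorts`, or add the DMZ bridge to `networking.firewall.trustedInterfaces` while the routing issue is investigated. Separately, `staticDMZIpv4Address` uses `""` as an "unset" sentinel with `type = lib.types.str`; `type = lib.types.nullOr lib.types.str; default = null;` together with `lib.mkIf (cfg.staticDMZIpv4Address != null)` makes the unset case explicit and rejects a stray empty string, and the description could note the expected CIDR form, e.g. `Static IPv4 address in CIDR notation (e.g. 192.168.30.7/24) for the DMZ interface.`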