Deploy NixNG-built dnsmasq container image

flake.lock

@@ -78,6 +78,22 @@
       }
     },
     "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1696426674,
@@ -147,9 +163,32 @@
         "type": "github"
       }
     },
-    "nix-snapshotter": {
+    "kubenix": {
       "inputs": {
         "flake-compat": "flake-compat_2",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ],
+        "systems": "systems_3",
+        "treefmt": "treefmt"
+      },
+      "locked": {
+        "lastModified": 1717788185,
+        "narHash": "sha256-Uc6QSQqJa2lyv/1W4StwoKrjtq7cFjlKNhdrtanToGo=",
+        "owner": "pizzapim",
+        "repo": "kubenix",
+        "rev": "a9590abe23a2f7577bc3271d90955e9ccc2923fe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pizzapim",
+        "repo": "kubenix",
+        "type": "github"
+      }
+    },
+    "nix-snapshotter": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
         "flake-parts": "flake-parts",
         "nixpkgs": [
           "nixpkgs-unstable"
@@ -169,6 +208,27 @@
         "type": "github"
       }
     },
+    "nixng": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726571270,
+        "narHash": "sha256-LEug48WOL+mmFYtKM57e/oudgjBk2Km5zIP3p27hF8I=",
+        "owner": "pizzapim",
+        "repo": "NixNG",
+        "rev": "9538892da603608f0176d07d33b1265e038c0adf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pizzapim",
+        "ref": "dnsmasq",
+        "repo": "NixNG",
+        "type": "github"
+      }
+    },
     "nixos-hardware": {
       "locked": {
         "lastModified": 1722332872,
@@ -255,7 +315,9 @@
         "disko": "disko",
         "dns": "dns",
         "flake-utils": "flake-utils_2",
+        "kubenix": "kubenix",
         "nix-snapshotter": "nix-snapshotter",
+        "nixng": "nixng",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
@@ -313,6 +375,41 @@
         "type": "github"
       }
     },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "treefmt": {
+      "inputs": {
+        "nixpkgs": [
+          "kubenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688026376,
+        "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
     "utils": {
       "inputs": {
         "systems": "systems"

flake.nix

@@ -37,6 +37,16 @@
       url = "github:pdtpartners/nix-snapshotter";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+
+    nixng = {
+      url = "github:pizzapim/NixNG/dnsmasq";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    kubenix = {
+      url = "github:pizzapim/kubenix";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
   };
 
   outputs =

modules/k3s/default.nix

@@ -1,4 +1,4 @@
-{ self, inputs, pkgs, lib, config, ... }:
+{ self, inputs, pkgs, lib, config, globals, ... }:
 let
   cfg = config.lab.k3s;
 in
@@ -165,6 +165,31 @@ in
         '';
       };
 
+      nixng = lib.mkIf (cfg.role == "server")
+        (
+          let
+            dnsmasqStream = (import ./dnsmasq.nix {
+              inherit (inputs) nixpkgs nixng;
+              inherit (inputs.nixng) nglib;
+              inherit (self) globals;
+            }).config.system.build.ociImage.stream;
+
+            dnsmasqImage = pkgs.stdenv.mkDerivation {
+              name = "dnsmasq.tar";
+              src = dnsmasqStream;
+              dontUnpack = true;
+              buildPhase = ''
+                $src > $out
+              '';
+            };
+          in
+          {
+            text = ''
+              ln -sf ${dnsmasqImage} /root/dnsmasq.tar
+            '';
+          }
+        );
+
       docker-images.text =
         let
           imageDefs = import "${self}/container-images.nix";

modules/k3s/dnsmasq.nix

@@ -0,0 +1,41 @@
+{ globals, nixpkgs, nglib, ... }:
+nglib.makeSystem {
+  inherit nixpkgs;
+  system = "x86_64-linux";
+  name = "nixng-dnsmasq";
+
+  config = { ... }: {
+    dumb-init = {
+      enable = true;
+      type.services = { };
+    };
+
+    init.services.dnsmasq = {
+      shutdownOnExit = true;
+    };
+
+    services.dnsmasq = {
+      enable = true;
+
+      settings = {
+        address = [
+          "/kms.kun.is/${globals.kmsIPv4}"
+          "/ssh.git.kun.is/${globals.gitIPv4}"
+        ];
+
+        alias = "${globals.routerPublicIPv4},${globals.traefikIPv4}";
+        expand-hosts = true;
+        local = "/dmz/";
+        log-queries = true;
+        no-hosts = true;
+        no-resolv = true;
+        port = 53;
+
+        server = [
+          "192.168.30.1"
+          "/kun.is/${globals.bind9IPv4}"
+        ];
+      };
+    };
+  };
+}