fix(sj-srv1,containers, systemd-resolved): resolve via dhcp, host, and never use fallbacks

This commit is contained in:
steveej 2024-10-16 23:01:57 +02:00
parent def42226f1
commit 7f97ee3d47
3 changed files with 41 additions and 3 deletions


@ -11,6 +11,23 @@
in { in {
imports = [ imports = [
../../snippets/systemd-resolved.nix ../../snippets/systemd-resolved.nix
{
# make sure it uses the DNS that comes in via DHCP
networking.nameservers = lib.mkForce [];
services.resolved.enable = true;
# provide DNS to the containers
services.resolved.extraConfig = ''
DNSStubListenerExtra=${hostBridgeAddress}
'';
networking.firewall.interfaces.br0.allowedTCPPorts = [53];
networking.firewall.interfaces.br0.allowedUDPPorts = [53];
}
];
programs.wireshark.enable = true;
environment.systemPackages = [
pkgs.dnsutils
]; ];
networking.firewall.enable = true; networking.firewall.enable = true;
@ -83,6 +100,9 @@ in {
enable = true; enable = true;
matchConfig.Name = "dmz0"; matchConfig.Name = "dmz0";
DHCP = "yes"; DHCP = "yes";
dhcpV4Config.UseDNS = true;
dhcpV6Config.UseDNS = true;
}; };
boot.kernel.sysctl = { boot.kernel.sysctl = {
@ -134,6 +154,7 @@ in {
mailserver = import ../../containers/mailserver.nix { mailserver = import ../../containers/mailserver.nix {
specialArgs = { specialArgs = {
inherit repoFlake nodeFlake; inherit repoFlake nodeFlake;
hostAddress = hostBridgeAddress;
}; };
autoStart = true; autoStart = true;
@ -151,6 +172,7 @@ in {
{ {
specialArgs = { specialArgs = {
inherit repoFlake nodeFlake; inherit repoFlake nodeFlake;
hostAddress = hostBridgeAddress;
}; };
autoStart = true; autoStart = true;
@ -167,6 +189,7 @@ in {
syncthing = import ../../containers/syncthing.nix { syncthing = import ../../containers/syncthing.nix {
specialArgs = { specialArgs = {
inherit repoFlake nodeFlake; inherit repoFlake nodeFlake;
hostAddress = hostBridgeAddress;
}; };
autoStart = true; autoStart = true;
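Review bot: `programs.wireshark.enable = true;` in the first hunk looks like debugging residue unrelated to the DNS change; as far as I recall this NixOS option installs a capability-bearing dumpcap wrapper for members of the `wireshark` group, which is a much broader grant than the `pkgs.dnsutils` added next to it and should either be dropped from a server profile or justified with a comment. The `DNSStubListenerExtra=${hostBridgeAddress}` stanza and the two `br0` firewall lines belong together, but `hostBridgeAddress` is bound outside this hunk and the firewall lines carry no why-comment; `# let containers on br0 reach the resolved stub listener configured above` would make the pairing explicit. Note that `networking.nameservers = lib.mkForce []` here overrides the static list in the imported `systemd-resolved.nix` snippet, so on this host DNS comes only from the DHCP leases on `dmz0` (`UseDNS = true` in the second hunk); a lease without a DNS option leaves the host and, via the stub listener, every container without name resolution, which matches the commit title but deserves a sentence in the comment `# make sure it uses the DNS that comes in via DHCP`. The enclosing module and its `let` bindings continue outside the hunks.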


@ -1,16 +1,29 @@
{pkgs, ...}: { {
hostAddress,
pkgs,
lib,
...
}: {
networking.useHostResolvConf = false; networking.useHostResolvConf = false;
networking.firewall.enable = true; networking.firewall.enable = true;
networking.nftables.enable = true; networking.nftables.enable = true;
networking.nftables.flushRuleset = true; networking.nftables.flushRuleset = true;
networking.nameservers = lib.mkForce [hostAddress];
environment.systemPackages = [ environment.systemPackages = [
pkgs.dnsutils pkgs.dnsutils
]; ];
imports = [ imports = [
../../snippets/systemd-resolved.nix {
# keep DNS set up to a minimum: only query the container host
services.resolved.enable = lib.mkForce false;
networking.nameservers = [
hostAddress
];
}
../../snippets/nix-settings.nix ../../snippets/nix-settings.nix
# ../../modules/ddclient-ovh.nix # ../../modules/ddclient-ovh.nix
# ../../modules/ddclient-hetzner.nix # ../../modules/ddclient-hetzner.nix
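Review bot: `networking.nameservers` is set twice in this module, once as `lib.mkForce [hostAddress]` at the top level and once as a plain `[ hostAddress ]` inside the inline module under `imports`; the forced value always wins, so the inline assignment is dead and one of the two should be removed (keeping the inline one with its comment, and moving the `mkForce` there if it is really needed). `hostAddress` is a new module argument with no default, so any container that imports this snippet without passing `hostAddress` through `specialArgs` now fails at evaluation time; the three containers touched in sj-srv1 pass it, other importers cannot be seen from here, so either document the requirement in a comment at the top of the module or give the argument a default with an assertion. `services.resolved.enable = lib.mkForce false` after dropping the `systemd-resolved.nix` import is only necessary if some other module still enables resolved; if nothing does, plain `false` reads clearer. With resolved disabled the container sends plain DNS to the host over the bridge, which is acceptable for a local hop but means the `dnsovertls` setting in the host snippet protects only the host-to-upstream leg.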


@ -1,4 +1,4 @@
{ {lib, ...}: {
networking.nameservers = [ networking.nameservers = [
# https://dnsforge.de/ # https://dnsforge.de/
"176.9.93.198" "176.9.93.198"
@ -16,5 +16,7 @@
# TODO: figure out why "true" doesn't work # TODO: figure out why "true" doesn't work
dnsovertls = "opportunistic"; dnsovertls = "opportunistic";
fallbackDns = lib.mkForce [];
}; };
} }
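Review bot: `fallbackDns = lib.mkForce [];` in the second hunk has no comment explaining why the compiled-in fallback resolvers are being disabled, and the `mkForce` is only needed if another module sets `services.resolved.fallbackDns`; if nothing does, `fallbackDns = [];` with `# empty FallbackDNS=: never silently fall back to public resolvers, use only configured/DHCP servers` captures the intent of the commit title more clearly. Since sj-srv1 imports this snippet and then forces `networking.nameservers` to `[]`, the static dnsforge list in the first hunk is only effective for other importers of this snippet, which may be worth noting beside it. The `services.resolved` attribute set that contains the new line begins outside the hunk.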