add new host, add technitium module
This commit is contained in:
parent
f8312a9447
commit
9aab11df18
5 changed files with 260 additions and 36 deletions
72
flake.lock
generated
72
flake.lock
generated
|
@ -8,11 +8,11 @@
|
|||
},
|
||||
"locked": {
|
||||
"dir": "pkgs/firefox-addons",
|
||||
"lastModified": 1744400795,
|
||||
"narHash": "sha256-6kU2f0lPMJd9+yTwGMryM/Aa6CMPJYAOMY1xO5E6gaM=",
|
||||
"lastModified": 1744637480,
|
||||
"narHash": "sha256-e8QS5UFbAtu3mDM++/lEiPPCAHF2srtlfx5NknXFAxY=",
|
||||
"owner": "rycee",
|
||||
"repo": "nur-expressions",
|
||||
"rev": "12dc8c22e3b0ac99cefb274b825f85b003417ae7",
|
||||
"rev": "189196df2cf700fa07619ff3a3e3851df69c5001",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
|
@ -43,11 +43,11 @@
|
|||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1741352980,
|
||||
"narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
|
||||
"lastModified": 1743550720,
|
||||
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
|
||||
"rev": "c621e8422220273271f52058f618c94e405bb0f5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -118,11 +118,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1744400600,
|
||||
"narHash": "sha256-qYhUgA98mhq1QK13r9qVY+sG1ri6FBgyp+GApX6wS20=",
|
||||
"lastModified": 1744637364,
|
||||
"narHash": "sha256-ZVINTNMJS6W3fqPYV549DSmjYQW5I9ceKBl83FwPP7k=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "b74b22bb6167e8dff083ec6988c98798bf8954d3",
|
||||
"rev": "337541447773985f825512afd0f9821a975186be",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -133,11 +133,11 @@
|
|||
},
|
||||
"mnw": {
|
||||
"locked": {
|
||||
"lastModified": 1742255973,
|
||||
"narHash": "sha256-XfEGVKatTgEMMOVb4SNp1LYLQOSzzrFTDMVDTZFyMVE=",
|
||||
"lastModified": 1744592022,
|
||||
"narHash": "sha256-QuWrCRiF3CUM99sgj3gXbIzB1IAVWS5IEfFHadbMA2g=",
|
||||
"owner": "Gerg-L",
|
||||
"repo": "mnw",
|
||||
"rev": "b982dbd5e6d55d4438832b3567c09bc2a129649d",
|
||||
"rev": "cf9e19413b6c2d995b55565cd99facf9c751b653",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -174,11 +174,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1744366945,
|
||||
"narHash": "sha256-OuLhysErPHl53BBifhesrRumJNhrlSgQDfYOTXfgIMg=",
|
||||
"lastModified": 1744633460,
|
||||
"narHash": "sha256-fbWE4Xpw6eH0Q6in+ymNuDwTkqmFmtxcQEmtRuKDTTk=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "1fe3cc2bc5d2dc9c81cb4e63d2f67c1543340df1",
|
||||
"rev": "9a049b4a421076d27fee3eec664a18b2066824cb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -189,11 +189,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1744232761,
|
||||
"narHash": "sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U=",
|
||||
"lastModified": 1744463964,
|
||||
"narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f675531bc7e6657c10a18b565cfebd8aa9e24c14",
|
||||
"rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -205,11 +205,11 @@
|
|||
},
|
||||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"lastModified": 1740877520,
|
||||
"narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
|
||||
"lastModified": 1743296961,
|
||||
"narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
|
||||
"rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -220,11 +220,11 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1743076231,
|
||||
"narHash": "sha256-yQugdVfi316qUfqzN8JMaA2vixl+45GxNm4oUfXlbgw=",
|
||||
"lastModified": 1744473229,
|
||||
"narHash": "sha256-rGXvIsD/Hn+bJRFb7hqSx7UUZUIlxXs0fM6ix5+iT5w=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6c5963357f3c1c840201eda129a99d455074db04",
|
||||
"rev": "52d0eded529af34e91df6b2a2bc32eb636637cd2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -236,11 +236,11 @@
|
|||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1743689281,
|
||||
"narHash": "sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ+VoVdg=",
|
||||
"lastModified": 1744502386,
|
||||
"narHash": "sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9+a/ONO8qNBYJgM=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2bfc080955153be0be56724be6fa5477b4eefabb",
|
||||
"rev": "f6db44a8daa59c40ae41ba6e5823ec77fe0d2124",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -260,11 +260,11 @@
|
|||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1744308014,
|
||||
"narHash": "sha256-gbN6v+1be1SrRRbur3GgvDPbv/QMJ5L6keJDMcNGpZ8=",
|
||||
"lastModified": 1744639354,
|
||||
"narHash": "sha256-AwUtAeDokimPucrPVj0YuoFWZ/xFVL4wy2wxZN5+u20=",
|
||||
"owner": "notashelf",
|
||||
"repo": "nvf",
|
||||
"rev": "ed31499ad65e97a6210291848aff6dd9f9b137d0",
|
||||
"rev": "f516cb43ceb2b071e6b9a6d5c9d681c8a3187f5f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -358,11 +358,11 @@
|
|||
"nixpkgs": "nixpkgs_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1744103455,
|
||||
"narHash": "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=",
|
||||
"lastModified": 1744518500,
|
||||
"narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "69d5a5a4635c27dae5a742f36108beccc506c1ba",
|
||||
"rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -373,11 +373,11 @@
|
|||
},
|
||||
"stable": {
|
||||
"locked": {
|
||||
"lastModified": 1744309437,
|
||||
"narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=",
|
||||
"lastModified": 1744440957,
|
||||
"narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7",
|
||||
"rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
107
modules/nixos/services/technitium-dns-server/default.nix
Normal file
107
modules/nixos/services/technitium-dns-server/default.nix
Normal file
|
@ -0,0 +1,107 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
namespace,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.${namespace}.services.technitium-dns-server;
|
||||
inherit (lib)
|
||||
mkEnableOption
|
||||
mkPackageOption
|
||||
mkOption
|
||||
mkIf
|
||||
types
|
||||
;
|
||||
in
|
||||
{
|
||||
options.${namespace}.services.technitium-dns-server = {
|
||||
enable = mkEnableOption "Technitium DNS Server";
|
||||
|
||||
package = mkPackageOption pkgs "technitium-dns-server" { };
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to open ports in the firewall.
|
||||
Standard ports are 53 (UDP and TCP, for DNS), 5380 and 53443 (TCP, HTTP and HTTPS for web interface).
|
||||
Specify different or additional ports in options firewallUDPPorts and firewallTCPPorts if necessary.
|
||||
'';
|
||||
};
|
||||
|
||||
firewallUDPPorts = mkOption {
|
||||
type = with types; listOf int;
|
||||
default = [ 53 ];
|
||||
description = ''
|
||||
List of UDP ports to open in firewall.
|
||||
'';
|
||||
};
|
||||
|
||||
firewallTCPPorts = mkOption {
|
||||
type = with types; listOf int;
|
||||
default = [
|
||||
53
|
||||
5380 # web interface HTTP
|
||||
53443 # web interface HTTPS
|
||||
];
|
||||
description = ''
|
||||
List of TCP ports to open in firewall.
|
||||
You might want to open ports 443 and 853 if you intend to use DNS over HTTPS or DNS over TLS.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.technitium-dns-server = {
|
||||
description = "Technitium DNS Server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${cfg.package}/bin/technitium-dns-server $STATE_DIRECTORY";
|
||||
|
||||
DynamicUser = true;
|
||||
|
||||
StateDirectory = "technitium-dns-server";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = 10;
|
||||
TimeoutStopSec = 10;
|
||||
KillSignal = "SIGINT";
|
||||
|
||||
# Harden the service
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
|
||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = mkIf cfg.openFirewall {
|
||||
allowedUDPPorts = cfg.firewallUDPPorts;
|
||||
allowedTCPPorts = cfg.firewallTCPPorts;
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ fabianrig ];
|
||||
}
|
52
systems/x86_64-linux/dns-1/default.nix
Normal file
52
systems/x86_64-linux/dns-1/default.nix
Normal file
|
@ -0,0 +1,52 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
namespace,
|
||||
...
|
||||
}:
|
||||
with lib.${namespace};
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./networking.nix
|
||||
];
|
||||
|
||||
boot.loader = {
|
||||
grub.enable = false;
|
||||
};
|
||||
|
||||
nix.settings.experimental-features = [
|
||||
"nix-command"
|
||||
"flakes"
|
||||
];
|
||||
|
||||
users.users.philipp = {
|
||||
isNormalUser = true;
|
||||
description = "Philipp Böhm";
|
||||
extraGroups = [
|
||||
"wheel"
|
||||
];
|
||||
};
|
||||
|
||||
awesome-flake = {
|
||||
services = {
|
||||
ssh = enabled;
|
||||
technitium-dns-server = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
};
|
||||
|
||||
cli = {
|
||||
neovim = enabled;
|
||||
eza = enabled;
|
||||
nh = enabled;
|
||||
};
|
||||
};
|
||||
|
||||
# Set your time zone
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
|
||||
system.stateVersion = "24.11";
|
||||
}
|
37
systems/x86_64-linux/dns-1/hardware-configuration.nix
Normal file
37
systems/x86_64-linux/dns-1/hardware-configuration.nix
Normal file
|
@ -0,0 +1,37 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/0cf4622b-0da7-4c05-b603-3b3228b63941";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/F9CE-788D";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
28
systems/x86_64-linux/dns-1/networking.nix
Normal file
28
systems/x86_64-linux/dns-1/networking.nix
Normal file
|
@ -0,0 +1,28 @@
|
|||
{
|
||||
networking = {
|
||||
hostName = "dns-1";
|
||||
firewall.enable = false;
|
||||
networkmanager.enable = false;
|
||||
dhcpcd.enable = false;
|
||||
nameservers = [
|
||||
"1.1.1.1"
|
||||
"8.8.8.8"
|
||||
];
|
||||
defaultGateway.address = "192.168.5.1";
|
||||
interfaces.ens18 = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.5.100";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{
|
||||
address = "fd00:192:168:5::100";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue