diff --git a/flake.lock b/flake.lock
index 72198ba..590e06c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
 },
 "locked": {
 "dir": "pkgs/firefox-addons",
- "lastModified": 1744400795,
- "narHash": "sha256-6kU2f0lPMJd9+yTwGMryM/Aa6CMPJYAOMY1xO5E6gaM=",
+ "lastModified": 1744637480,
+ "narHash": "sha256-e8QS5UFbAtu3mDM++/lEiPPCAHF2srtlfx5NknXFAxY=",
 "owner": "rycee",
 "repo": "nur-expressions",
- "rev": "12dc8c22e3b0ac99cefb274b825f85b003417ae7",
+ "rev": "189196df2cf700fa07619ff3a3e3851df69c5001",
 "type": "gitlab"
 },
 "original": {
@@ -43,11 +43,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1741352980,
- "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
+ "lastModified": 1743550720,
+ "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
+ "rev": "c621e8422220273271f52058f618c94e405bb0f5",
 "type": "github"
 },
 "original": {
@@ -118,11 +118,11 @@
 ]
 },
 "locked": {
- "lastModified": 1744400600,
- "narHash": "sha256-qYhUgA98mhq1QK13r9qVY+sG1ri6FBgyp+GApX6wS20=",
+ "lastModified": 1744637364,
+ "narHash": "sha256-ZVINTNMJS6W3fqPYV549DSmjYQW5I9ceKBl83FwPP7k=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "b74b22bb6167e8dff083ec6988c98798bf8954d3",
+ "rev": "337541447773985f825512afd0f9821a975186be",
 "type": "github"
 },
 "original": {
@@ -133,11 +133,11 @@
 },
 "mnw": {
 "locked": {
- "lastModified": 1742255973,
- "narHash": "sha256-XfEGVKatTgEMMOVb4SNp1LYLQOSzzrFTDMVDTZFyMVE=",
+ "lastModified": 1744592022,
+ "narHash": "sha256-QuWrCRiF3CUM99sgj3gXbIzB1IAVWS5IEfFHadbMA2g=",
 "owner": "Gerg-L",
 "repo": "mnw",
- "rev": "b982dbd5e6d55d4438832b3567c09bc2a129649d",
+ "rev": "cf9e19413b6c2d995b55565cd99facf9c751b653",
 "type": "github"
 },
 "original": {
@@ -174,11 +174,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1744366945,
- "narHash": "sha256-OuLhysErPHl53BBifhesrRumJNhrlSgQDfYOTXfgIMg=",
+ "lastModified": 1744633460,
+ "narHash": "sha256-fbWE4Xpw6eH0Q6in+ymNuDwTkqmFmtxcQEmtRuKDTTk=",
 "owner": "nixos",
 "repo": "nixos-hardware",
- "rev": "1fe3cc2bc5d2dc9c81cb4e63d2f67c1543340df1",
+ "rev": "9a049b4a421076d27fee3eec664a18b2066824cb",
 "type": "github"
 },
 "original": {
@@ -189,11 +189,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1744232761,
- "narHash": "sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U=",
+ "lastModified": 1744463964,
+ "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "f675531bc7e6657c10a18b565cfebd8aa9e24c14",
+ "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650",
 "type": "github"
 },
 "original": {
@@ -205,11 +205,11 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1740877520,
- "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
+ "lastModified": 1743296961,
+ "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
+ "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
 "type": "github"
 },
 "original": {
@@ -220,11 +220,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1743076231,
- "narHash": "sha256-yQugdVfi316qUfqzN8JMaA2vixl+45GxNm4oUfXlbgw=",
+ "lastModified": 1744473229,
+ "narHash": "sha256-rGXvIsD/Hn+bJRFb7hqSx7UUZUIlxXs0fM6ix5+iT5w=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "6c5963357f3c1c840201eda129a99d455074db04",
+ "rev": "52d0eded529af34e91df6b2a2bc32eb636637cd2",
 "type": "github"
 },
 "original": {
@@ -236,11 +236,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1743689281,
- "narHash": "sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ+VoVdg=",
+ "lastModified": 1744502386,
+ "narHash": "sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9+a/ONO8qNBYJgM=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "2bfc080955153be0be56724be6fa5477b4eefabb",
+ "rev": "f6db44a8daa59c40ae41ba6e5823ec77fe0d2124",
 "type": "github"
 },
 "original": {
@@ -260,11 +260,11 @@
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1744308014,
- "narHash": "sha256-gbN6v+1be1SrRRbur3GgvDPbv/QMJ5L6keJDMcNGpZ8=",
+ "lastModified": 1744639354,
+ "narHash": "sha256-AwUtAeDokimPucrPVj0YuoFWZ/xFVL4wy2wxZN5+u20=",
 "owner": "notashelf",
 "repo": "nvf",
- "rev": "ed31499ad65e97a6210291848aff6dd9f9b137d0",
+ "rev": "f516cb43ceb2b071e6b9a6d5c9d681c8a3187f5f",
 "type": "github"
 },
 "original": {
@@ -358,11 +358,11 @@
 "nixpkgs": "nixpkgs_3"
 },
 "locked": {
- "lastModified": 1744103455,
- "narHash": "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=",
+ "lastModified": 1744518500,
+ "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "69d5a5a4635c27dae5a742f36108beccc506c1ba",
+ "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388",
 "type": "github"
 },
 "original": {
@@ -373,11 +373,11 @@
 },
 "stable": {
 "locked": {
- "lastModified": 1744309437,
- "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=",
+ "lastModified": 1744440957,
+ "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7",
+ "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
 "type": "github"
 },
 "original": {
diff --git a/modules/nixos/services/technitium-dns-server/default.nix b/modules/nixos/services/technitium-dns-server/default.nix
new file mode 100644
index 0000000..44cf559
--- /dev/null
+++ b/modules/nixos/services/technitium-dns-server/default.nix
@@ -0,0 +1,107 @@
+{
+ config,
+ lib,
+ pkgs,
+ namespace,
+ ...
+}:
+
+let
+ cfg = config.${namespace}.services.technitium-dns-server;
+ inherit (lib)
+ mkEnableOption
+ mkPackageOption
+ mkOption
+ mkIf
+ types
+ ;
+in
+{
+ options.${namespace}.services.technitium-dns-server = {
+ enable = mkEnableOption "Technitium DNS Server";
+
+ package = mkPackageOption pkgs "technitium-dns-server" { };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open ports in the firewall.
+ Standard ports are 53 (UDP and TCP, for DNS), 5380 and 53443 (TCP, HTTP and HTTPS for web interface).
+ Specify different or additional ports in options firewallUDPPorts and firewallTCPPorts if necessary.
+ '';
+ };
+
+ firewallUDPPorts = mkOption {
+ type = with types; listOf int;
+ default = [ 53 ];
+ description = ''
+ List of UDP ports to open in firewall.
+ '';
+ };
+
+ firewallTCPPorts = mkOption {
+ type = with types; listOf int;
+ default = [
+ 53
+ 5380 # web interface HTTP
+ 53443 # web interface HTTPS
+ ];
+ description = ''
+ List of TCP ports to open in firewall.
+ You might want to open ports 443 and 853 if you intend to use DNS over HTTPS or DNS over TLS.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.technitium-dns-server = {
+ description = "Technitium DNS Server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/technitium-dns-server $STATE_DIRECTORY";
+
+ DynamicUser = true;
+
+ StateDirectory = "technitium-dns-server";
+
+ Restart = "always";
+ RestartSec = 10;
+ TimeoutStopSec = 10;
+ KillSignal = "SIGINT";
+
+ # Harden the service
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ };
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedUDPPorts = cfg.firewallUDPPorts;
+ allowedTCPPorts = cfg.firewallTCPPorts;
+ };
+ };
+
+ meta.maintainers = with lib.maintainers; [ fabianrig ];
+}
diff --git a/systems/x86_64-linux/dns-1/default.nix b/systems/x86_64-linux/dns-1/default.nix
new file mode 100644
index 0000000..cc79198
--- /dev/null
+++ b/systems/x86_64-linux/dns-1/default.nix
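Review bot: With `openFirewall = true` the default `firewallTCPPorts` also opens 5380, the plaintext HTTP management interface, on every interface, so the one boolean that publishes the resolver publishes its admin console as well. Consider defaulting `firewallTCPPorts` to `[ 53 ]` and leaving 5380/53443 opt-in, or at least say in the `openFirewall` description that the web-interface ports should stay confined to a management network. Both port options are typed `listOf int`; `listOf port` is the nixpkgs convention and rejects out-of-range values at the option rather than later at `networking.firewall`. The option set and unit definition appear to mirror the nixpkgs technitium-dns-server module (its maintainer is the one listed in `meta.maintainers`); if the pinned nixpkgs already ships that module, wrapping `services.technitium-dns-server` would keep this hardening list from drifting from upstream.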
@@ -0,0 +1,52 @@
+{
+ lib,
+ pkgs,
+ namespace,
+ ...
+}:
+with lib.${namespace};
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.nix
+ ];
+
+ boot.loader = {
+ grub.enable = false;
+ };
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ users.users.philipp = {
+ isNormalUser = true;
+ description = "Philipp Böhm";
+ extraGroups = [
+ "wheel"
+ ];
+ };
+
+ awesome-flake = {
+ services = {
+ ssh = enabled;
+ technitium-dns-server = {
+ enable = true;
+ openFirewall = true;
+ };
+ };
+
+ cli = {
+ neovim = enabled;
+ eza = enabled;
+ nh = enabled;
+ };
+ };
+
+ # Set your time zone
+ time.timeZone = "Europe/Berlin";
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "24.11";
+}
diff --git a/systems/x86_64-linux/dns-1/hardware-configuration.nix b/systems/x86_64-linux/dns-1/hardware-configuration.nix
new file mode 100644
index 0000000..b3d6685
--- /dev/null
+++ b/systems/x86_64-linux/dns-1/hardware-configuration.nix
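Review bot: `openFirewall = true` on the technitium-dns-server block has no effect on this host, because `systems/x86_64-linux/dns-1/networking.nix` in the same commit sets `networking.firewall.enable = false`, so the module's `mkIf cfg.openFirewall` adds ports to a firewall that is never loaded and every listening socket on dns-1, including the Technitium web interface on 5380, is reachable unfiltered. Either drop `firewall.enable = false;` from networking.nix so the module opens only what it declares, or leave a comment there stating why this host runs without a packet filter. The `philipp` account is created with `wheel` membership but no password or SSH key is visible in this hunk; presumably the `ssh = enabled` module or a shared module supplies credentials, which is worth confirming before the host is exposed.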
@@ -0,0 +1,37 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/0cf4622b-0da7-4c05-b603-3b3228b63941";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/F9CE-788D";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/systems/x86_64-linux/dns-1/networking.nix b/systems/x86_64-linux/dns-1/networking.nix
new file mode 100644
index 0000000..add808d
--- /dev/null
+++ b/systems/x86_64-linux/dns-1/networking.nix
@@ -0,0 +1,28 @@
+{
+ networking = {
+ hostName = "dns-1";
+ firewall.enable = false;
+ networkmanager.enable = false;
+ dhcpcd.enable = false;
+ nameservers = [
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
+ defaultGateway.address = "192.168.5.1";
+ interfaces.ens18 = {
+ ipv4.addresses = [
+ {
+ address = "192.168.5.100";
+ prefixLength = 24;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "fd00:192:168:5::100";
+ prefixLength = 64;
+ }
+ ];
+ };
+ };
+
+}