diff options
| author | tv <tv@krebsco.de> | 2018-11-26 14:49:13 +0100 |
|---|---|---|
| committer | tv <tv@krebsco.de> | 2018-11-26 14:49:13 +0100 |
| commit | 9649f565102847e15f157fffc11d78efb08644b3 (patch) | |
| tree | fb50713a6879ee5e47934c2b2b04e8eb18e1f829 /tv | |
| parent | 8978d5b8523eb6d75139ff92dec5bfdbaf3507d6 (diff) | |
tv dnsmasq service: init
Diffstat (limited to 'tv')
| -rw-r--r-- | tv/3modules/default.nix | 1 | ||||
| -rw-r--r-- | tv/3modules/dnsmasq.nix | 57 |
2 files changed, 58 insertions, 0 deletions
diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix index 493cc8b..6172feb 100644 --- a/tv/3modules/default.nix +++ b/tv/3modules/default.nix @@ -1,6 +1,7 @@ { imports = [ ./charybdis + ./dnsmasq.nix ./ejabberd ./hosts.nix ./iptables.nix diff --git a/tv/3modules/dnsmasq.nix b/tv/3modules/dnsmasq.nix new file mode 100644 index 0000000..ec927f9 --- /dev/null +++ b/tv/3modules/dnsmasq.nix @@ -0,0 +1,57 @@ +with import <stockholm/lib>; +{ config, ... }: let + cfg = config.tv.dnsmasq; +in { + + options.tv.dnsmasq = { + enable = mkEnableOption "tv.dnsmasq"; + dhcp-range = mkOption { + type = types.str; + }; + interface = mkOption { + type = types.str; + }; + address = mkOption { + type = types.str; + }; + prefixLength = mkOption { + type = types.addCheck types.int (x: x >= 0 && x <= 32); + }; + }; + + config = mkIf cfg.enable (mkMerge [ + { + networking.dhcpcd.denyInterfaces = [ cfg.interface ]; + services.dnsmasq.resolveLocalQueries = false; + networking.interfaces.${cfg.interface} = { + ipv4.addresses = singleton { + address = cfg.address; + prefixLength = cfg.prefixLength; + }; + }; + services.dnsmasq.enable = true; + services.dnsmasq.extraConfig = '' + dhcp-range=${cfg.dhcp-range} + interface=${cfg.interface} + ''; + tv.iptables.extra.filter.INPUT = [ + "-i ${cfg.interface} -p tcp -m tcp --dport bootps -j ACCEPT" + "-i ${cfg.interface} -p udp -m udp --dport bootps -j ACCEPT" + "-i ${cfg.interface} -p tcp -m tcp --dport domain -j ACCEPT" + "-i ${cfg.interface} -p udp -m udp --dport domain -j ACCEPT" + ]; + } + { + # enable forwarding + boot.kernel.sysctl."net.ipv4.ip_forward" = true; + tv.iptables.extra.filter.FORWARD = [ + "-m state --state RELATED,ESTABLISHED -j ACCEPT" + "-i ${cfg.interface} -j ACCEPT" + ]; + tv.iptables.extra.nat.POSTROUTING = [ + "-j MASQUERADE" + ]; + } + ]); + +} |