Diffstat (limited to 'modules/dnsmasq.nix')
-rw-r--r-- | modules/dnsmasq.nix | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/modules/dnsmasq.nix b/modules/dnsmasq.nix
new file mode 100644
index 0000000..b12cea3
--- /dev/null
+++ b/modules/dnsmasq.nix
@@ -0,0 +1,60 @@
+# TODO kill this in favor of unbound
+{ config, lib, mylib, ... }: let
+  cfg = config.tv.dnsmasq;
+in {
+
+  options.tv.dnsmasq = {
+    enable = lib.mkEnableOption "tv.dnsmasq";
+    dhcp-range = lib.mkOption {
+      type = lib.types.str;
+    };
+    interface = lib.mkOption {
+      type = lib.types.str;
+    };
+    address = lib.mkOption {
+      type = lib.types.str;
+    };
+    prefixLength = lib.mkOption {
+      type = lib.types.addCheck lib.types.int (x: x >= 0 && x <= 32);
+    };
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      networking.dhcpcd.denyInterfaces = [ cfg.interface ];
+      services.dnsmasq.resolveLocalQueries = false;
+      networking.interfaces.${cfg.interface} = {
+        ipv4.addresses = [
+          {
+            address = cfg.address;
+            prefixLength = cfg.prefixLength;
+          }
+        ];
+      };
+      services.dnsmasq.enable = true;
+      services.dnsmasq.extraConfig = ''
+        bind-interfaces
+        dhcp-range=${cfg.dhcp-range}
+        listen-address=${cfg.address}
+      '';
+      tv.iptables.extra.filter.INPUT = [
+        "-i ${cfg.interface} -p tcp -m tcp --dport bootps -j ACCEPT"
+        "-i ${cfg.interface} -p udp -m udp --dport bootps -j ACCEPT"
+        "-i ${cfg.interface} -p tcp -m tcp --dport domain -j ACCEPT"
+        "-i ${cfg.interface} -p udp -m udp --dport domain -j ACCEPT"
+      ];
+    }
+    {
+      # enable forwarding
+      boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+      tv.iptables.extra.filter.FORWARD = [
+        "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+        "-i ${cfg.interface} -j ACCEPT"
+      ];
+      tv.iptables.extra.nat.POSTROUTING = [
+        "-j MASQUERADE"
+      ];
+    }
+  ]);
+
+} |
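Review bot: The NAT and forwarding rules in the second mkMerge block are unrestricted: `-j MASQUERADE` in POSTROUTING has no source or outgoing-interface match, and the FORWARD rule `-i ${cfg.interface} -j ACCEPT` forwards anything arriving on the LAN interface to any destination, so once ip_forward is on, every interface on the host becomes a NAT router for whatever can reach it. Since the module already knows the LAN address and prefix, the rules can be scoped to that network, e.g. `"-s ${cfg.address}/${toString cfg.prefixLength} ! -o ${cfg.interface} -j MASQUERADE"` and `"-i ${cfg.interface} ! -o ${cfg.interface} -j ACCEPT"` (iptables masks the host bits of a host/prefix source, but this is worth confirming against the tv.iptables wrapper). Separately, `mylib` is bound in the module's argument list but never used, and none of the four mkOption declarations carry a `description`, which makes the required options hard to discover when an evaluation fails for a missing value.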