router: add authoritative dns server

hosts/router.home.ts.hillion.co.uk/default.nix

@@ -19,13 +19,14 @@
     };
 
     custom.defaults = true;
+    custom.impermanence.enable = true;
+    custom.locations.autoServe = true;
+
+    services.nsd.port = 8854;
 
     ## Interactive password
     custom.users.jake.password = true;
 
-    ## Impermanence
-    custom.impermanence.enable = true;
-
     ## Networking
     networking = {
       firewall.enable = lib.mkForce false;
@@ -99,6 +100,9 @@
 
               ip protocol icmp counter accept comment "accept all ICMP types"
 
+              iifname "lo" udp dport ${toString config.services.nsd.port} accept comment "Public DNS"
+              iifname "lo" tcp dport ${toString config.services.nsd.port} accept comment "Public DNS"
+
               iifname "eth0" tcp dport 22 counter accept comment "SSH"
               iifname "eth0" udp dport 4242 counter accept comment "Nebula Lighthouse"
 
@@ -137,6 +141,9 @@
             chain prerouting {
               type nat hook prerouting priority filter; policy accept;
 
+              iifname eth0 udp dport 53 counter redirect to ${toString config.services.nsd.port}
+              iifname eth0 tcp dport 53 counter redirect to ${toString config.services.nsd.port}
+
               iifname eth0 tcp dport 32400 counter dnat to 10.64.50.27
               iifname eth0 tcp dport 7654 counter dnat to 10.64.50.21
             }

modules/locations.nix

@@ -19,7 +19,10 @@ in
     {
       custom.locations.locations = {
         services = {
-          authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
+          authoritative_dns = [
+            "boron.cx.ts.hillion.co.uk"
+            "router.home.ts.hillion.co.uk"
+          ];
           downloads = "phoenix.st.ts.hillion.co.uk";
           frigate = "phoenix.st.ts.hillion.co.uk";
           gitea = "boron.cx.ts.hillion.co.uk";