router: add authoritative dns server

2024-12-19 17:27:13 +00:00 · 2024-12-19 17:27:13 +00:00 · 69a35e5343
commit 69a35e5343
parent 4ce6f89836
3 changed files with 18 additions and 8 deletions
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@ -19,13 +19,14 @@
    };
    custom.defaults = true;
    custom.impermanence.enable = true;
    custom.locations.autoServe = true;
    services.nsd.interfaces = [ "eth0" ];
    ## Interactive password
    custom.users.jake.password = true;
    ## Impermanence
    custom.impermanence.enable = true;
    ## Networking
    networking = {
      firewall.enable = lib.mkForce false;
@ -99,8 +100,11 @@
              ip protocol icmp counter accept comment "accept all ICMP types"
-              iifname "eth0" tcp dport 22 counter accept comment "SSH"
+              iifname "eth0" tcp dport    22 counter accept comment "SSH"
-              iifname "eth0" udp dport 4242 counter accept comment "Nebula Lighthouse"
+              iifname "eth0" tcp dport    53 counter accept comment "Public DNS"
              iifname "eth0" udp dport    53 counter accept comment "Public DNS"
              iifname "eth0" udp dport  4242 counter accept comment "Nebula Lighthouse"
              iifname { "eth0", "cameras" } ct state { established, related } counter accept
              iifname { "eth0", "cameras" } drop
@ -128,8 +132,8 @@
              iifname "tailscale0" oifname { "eth1", "eth2" } counter accept comment "Allow LAN access from Tailscale"
              iifname { "eth1", "eth2" } oifname "tailscale0" ct state { established,related } counter accept comment "Allow established back to Tailscale"
              ip daddr 10.64.50.21 tcp dport  7654 counter accept comment "Tang"
              ip daddr 10.64.50.27 tcp dport 32400 counter accept comment "Plex"
              ip daddr 10.64.50.21 tcp dport 7654 counter accept comment "Tang"
            }
          }
@ -137,8 +141,8 @@
            chain prerouting {
              type nat hook prerouting priority filter; policy accept;
              iifname eth0 tcp dport  7654 counter dnat to 10.64.50.21
              iifname eth0 tcp dport 32400 counter dnat to 10.64.50.27
              iifname eth0 tcp dport 7654 counter dnat to 10.64.50.21
            }
            chain postrouting {
@ -321,6 +325,7 @@
      unbound = {
        enable = true;
        settings = {
          server = {
            interface = [
--- a/modules/locations.nix
+++ b/modules/locations.nix
@ -19,7 +19,10 @@ in
    {
      custom.locations.locations = {
        services = {
-          authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
+          authoritative_dns = [
            "boron.cx.ts.hillion.co.uk"
            "router.home.ts.hillion.co.uk"
          ];
          downloads = "phoenix.st.ts.hillion.co.uk";
          frigate = "phoenix.st.ts.hillion.co.uk";
          gitea = "boron.cx.ts.hillion.co.uk";
--- a/modules/services/authoritative_dns.nix
+++ b/modules/services/authoritative_dns.nix
@ -30,6 +30,7 @@ in
            )
            86400 NS ns1.hillion.co.uk.
            86400 NS ns2.hillion.co.uk.
            ca                    21600 CNAME sodium.pop.ts.hillion.co.uk.
            prometheus            21600 CNAME ${config.custom.locations.locations.services.prometheus}.
@ -61,6 +62,7 @@ in
            )
            86400 NS ns1.jakehillion.me.
            86400 NS ns2.jakehillion.me.
            frigate               21600 CNAME ${config.custom.locations.locations.services.frigate}.