1 { pkgs, lib, config, inputs, hostName, host, ... }:
# Top domain of the iodine DNS tunnel (the binding that hands it to the
# iodine server option is outside this excerpt).  For iodine to work, DNS
# authority for this zone has to be delegated to the public address given to
# iodined's -n flag below; otherwise no tunnel query ever reaches this host.
domain = "i.sourcephile.fr";
# Internet-facing interface: the one carrying the default route.  The nftables
# forward/masquerade rules below use it as the egress for tunnel clients.
# Evaluation fails if networking.defaultGateway is null (attribute access on null).
gwIface = config.networking.defaultGateway.interface;
# Tunnel password delivered as a systemd encrypted credential.  password.cred
# is ciphertext sealed to this host (TPM2 and/or /var/lib/systemd/credential.secret),
# which is what makes it acceptable to ship inside the flake even though
# inputs.self ends up in the world-readable Nix store.  systemd decrypts it only
# at service start, into the unit's private $CREDENTIALS_DIRECTORY, as the file
# named "password".
# NOTE(review): the blob must have been produced on this very host
# (systemd-creds encrypt --name=password ...); a .cred encrypted elsewhere
# will fail to decrypt and the service will not start.
systemd.services.iodined.serviceConfig.LoadCredentialEncrypted =
  [ "password:${inputs.self}/hosts/${hostName}/iodine/password.cred" ];
10 systemd.sockets.iodined = {
# Socket-activated listener for iodined, loopback only: 127.0.0.1:1053 plus
# BindToDevice=lo, so the daemon is never reachable from a real interface and
# does not compete with the resolver for udp/53.  Something outside this
# excerpt (a DNAT/redirect on the gateway interface, or the resolver forwarding
# the tunnel zone to this port) must deliver the public queries for the tunnel
# domain here, otherwise the tunnel is unreachable from the internet — confirm.
listenDatagrams = [ "127.0.0.1:1053" ];
socketConfig.BindToDevice = "lo";
# NOTE(review): SO_REUSEPORT lets another socket owned by the same UID bind the
# same address and take a share of the datagrams.  Harmless for a root-owned
# loopback socket, but check it is actually needed (e.g. packet-lossless
# restart) rather than carried over from another unit.
socketConfig.ReusePort = true;
wantedBy = [ "sockets.target" ];
17 services.iodine.server = {
# Path of the decrypted credential at runtime.  This is a literal string, not a
# Nix interpolation: systemd sets CREDENTIALS_DIRECTORY when the unit starts,
# and the NixOS iodine module is expected to expand it in its start script.
# NOTE(review): check how the module consumes passwordFile — if it ends up as
# `-P "$(cat ...)"` on iodined's command line, the password is readable by
# every local user via /proc/<pid>/cmdline.
passwordFile = "$CREDENTIALS_DIRECTORY/password";
# Extra iodined flags (semantics per iodined(8), not visible from this file):
#   -4           listen on IPv4 only
#   -c           skip the check that each request of a user comes from the
#                IP/port that logged in.  Needed when clients arrive through
#                recursive resolvers with changing egress addresses, but it
#                means a session is bound to the user id alone after login, so
#                any host able to query the tunnel zone can in principle
#                inject into an active session.
#   -d dnsIface  tun device name; the nftables rules below match on this name
#   -i 1800      disconnect a user after 30 minutes idle
#   -n host.ipv4 external IPv4 returned in NS replies; must be the public
#                address the tunnel zone is delegated to
extraConfig = "-4 -c -d ${dnsIface} -i 1800 -n ${host.ipv4}";
# IPv4 forwarding so tunnel clients' packets can be routed out the gateway
# interface.  This sysctl is host-wide, not per interface: the kernel will now
# forward between any pair of interfaces, so the nftables forward chain must
# carry policy drop and rely on the explicit accepts below (the chain header is
# outside this excerpt — verify).  IPv6 forwarding stays off, matching iodined's -4.
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
25 networking.nftables.ruleset = ''
28 iifname ${dnsIface} udp dport domain counter accept comment "unbound: DNS"
31 iifname ${dnsIface} oifname ${gwIface} counter accept
32 iifname ${gwIface} oifname ${dnsIface} counter accept
37 iifname ${dnsIface} oifname ${gwIface} masquerade
41 services.unbound.settings.server = {
# Resolver offered to tunnel clients only: bind just the tunnel-side address
# (10.53.53.1 is presumably the iodine server's own IP — that option is outside
# this excerpt) and answer only the tunnel subnet, so unbound is not an open
# resolver towards the public side.
# NOTE(review): the nftables rule above admits only udp/53 on the tun device;
# answers unbound truncates (TC bit) are retried by clients over tcp/53 and
# would be dropped unless a matching `tcp dport domain` accept exists elsewhere.
interface = [ "10.53.53.1" ];
access-control = [ "10.53.53.0/24 allow" ];