hosts/mermet/iodine.nix

   1 { pkgs, lib, config, inputs, hostName, host, ... }:
   2 let
   3   domain = "i.sourcephile.fr";
   4   dnsIface = "iode";
   5   gwIface = config.networking.defaultGateway.interface;
   6 in
   7 {
   8 systemd.services.iodined.serviceConfig.LoadCredentialEncrypted =
   9   [ "password:${inputs.self}/hosts/${hostName}/iodine/password.cred" ];
  10 systemd.sockets.iodined = {
  11   enable = true;
  12   listenDatagrams = [ "127.0.0.1:1053" ];
  13   socketConfig.BindToDevice = "lo";
  14   socketConfig.ReusePort = true;
  15   wantedBy = [ "sockets.target" ];
  16 };
  17 services.iodine.server = {
  18   enable = true;
  19   ip = "10.53.53.1/24";
  20   passwordFile = "$CREDENTIALS_DIRECTORY/password";
  21   inherit domain;
  22   extraConfig = "-4 -c -d ${dnsIface} -i 1800 -n ${host.ipv4}";
  23 };
  24 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  25 networking.nftables.ruleset = ''
  26   table inet filter {
  27     chain input {
  28       iifname ${dnsIface} udp dport domain counter accept comment "unbound: DNS"
  29     }
  30     chain forward {
  31       iifname ${dnsIface} oifname ${gwIface} counter accept
  32       iifname ${gwIface} oifname ${dnsIface} counter accept
  33     }
  34   }
  35   table inet nat {
  36     chain postrouting {
  37       iifname ${dnsIface} oifname ${gwIface} masquerade
  38     }
  39   }
  40 '';
  41 services.unbound.settings.server = {
  42   interface = [ "10.53.53.1" ];
  43   access-control = [ "10.53.53.0/24 allow" ];
  44 };
  45 }