]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/iodine.nix
losurdo: docker: enable service
[sourcephile-nix.git] / hosts / mermet / iodine.nix
1 { config, inputs, hostName, host, ... }:
2 let
3 domain = "i.sourcephile.fr";
4 dnsIface = "iode";
5 gwIface = config.networking.defaultGateway.interface;
6 in
7 {
8 systemd.services.iodined.serviceConfig.LoadCredentialEncrypted = [
9 "password:${iodine/password.cred}"
10 ];
11 systemd.sockets.iodined = {
12 enable = true;
13 listenDatagrams = [ "127.0.0.1:1053" ];
14 socketConfig.BindToDevice = "lo";
15 socketConfig.ReusePort = true;
16 wantedBy = [ "sockets.target" ];
17 };
18 services.iodine.server = {
19 enable = true;
20 ip = "10.53.53.1/24";
21 passwordFile = "$CREDENTIALS_DIRECTORY/password";
22 inherit domain;
23 extraConfig = "-4 -c -d ${dnsIface} -i 1800 -n ${host.ipv4}";
24 };
25 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
26 networking.nftables.ruleset = ''
27 table inet filter {
28 chain input {
29 iifname ${dnsIface} udp dport domain counter accept comment "unbound: DNS"
30 }
31 chain forward {
32 iifname ${dnsIface} oifname ${gwIface} counter accept
33 iifname ${gwIface} oifname ${dnsIface} counter accept
34 }
35 }
36 table inet nat {
37 chain postrouting {
38 iifname ${dnsIface} oifname ${gwIface} masquerade
39 }
40 }
41 '';
42 services.unbound.settings.server = {
43 interface = [ "10.53.53.1" ];
44 access-control = [ "10.53.53.0/24 allow" ];
45 };
46 }