# NixOS module for an iodine DNS-tunnel endpoint, together with the
# forwarding/NAT rules and the resolver that tunnel clients use.
# Traffic from the tunnel network is forwarded and masqueraded out of the
# host's default-gateway interface; unbound answers DNS on the tunnel
# address for the tunnel prefix only.
{ pkgs, lib, config, credentials, host, ... }:
let
  # Public DNS name delegated to the tunnel (iodine "topdomain").
  domain = "i.sourcephile.fr";
  # tun device created by iodined; the nftables rules below key on it.
  tunIface = "iode";
  # Interface carrying the default route; tunnel traffic is NAT'd out of it.
  wanIface = config.networking.defaultGateway.interface;
  # Server-side tunnel address and the tunnel prefix it serves.
  tunAddr = "10.53.53.1";
  tunNet = "10.53.53.0/24";
in
{
  systemd = {
    # The shared secret is delivered as a systemd encrypted credential:
    # systemd decrypts the blob under ${credentials} for this unit only and
    # exposes it as $CREDENTIALS_DIRECTORY/password (read by iodine below).
    services.iodined.serviceConfig.LoadCredentialEncrypted =
      "password:${credentials}/iodine/password.secret";

    # Socket-activated listener bound to loopback only, so iodined itself
    # is not reachable on the public port 53. NOTE(review): presumably a
    # front-end resolver that owns port 53 delegates ${domain} to
    # 127.0.0.1:1053 — confirm in the module that configures it.
    sockets.iodined = {
      enable = true;
      listenDatagrams = [ "127.0.0.1:1053" ];
      socketConfig = {
        BindToDevice = "lo";
        ReusePort = true;
      };
      wantedBy = [ "sockets.target" ];
    };
  };

  services = {
    iodine.server = {
      enable = true;
      ip = "${tunAddr}/24";
      inherit domain;
      # Resolved at runtime inside the unit; see LoadCredentialEncrypted.
      passwordFile = "$CREDENTIALS_DIRECTORY/password";
      # iodined(8) flags:
      #   -4  listen on IPv4 only
      #   -c  skip the per-request check that a client keeps the same
      #       source IP/port it used in its handshake. Needed when clients
      #       sit behind NAT or behind several recursive resolvers, but it
      #       loosens the binding between a session and its origin — TODO
      #       confirm this deployment actually requires it.
      #   -d  tun device name
      #   -i  idle timeout in seconds before a client is dropped
      #   -n  address returned in NS answers for the delegated zone
      extraConfig = builtins.concatStringsSep " " [
        "-4"
        "-c"
        "-d" tunIface
        "-i" "1800"
        "-n" host.ipv4
      ];
    };

    # Resolver for tunnel clients: listens on the tunnel address only and
    # serves queries from the tunnel prefix only.
    unbound.settings.server = {
      interface = [ tunAddr ];
      access-control = [ "${tunNet} allow" ];
    };
  };

  # Tunnel clients are routed, not bridged, so the host must forward.
  # This sysctl is global; the forward chain below is what restricts which
  # interface pairs may actually pass traffic.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # NOTE(review): the chains below carry no `type … hook …; policy …`
  # line, so they rely on the base chains of `inet filter` / `inet nat`
  # being declared, with a default policy, in another module — confirm.
  #
  # input:   tunnel clients may reach unbound (udp/53) on the tunnel side.
  # forward: tunnel <-> WAN in both directions. NOTE(review): the WAN ->
  #          tunnel rule accepts every forwarded packet, not only replies;
  #          `ct state established,related` would limit it to return traffic.
  #          Leave as is only if a DNAT elsewhere deliberately exposes a
  #          tunnel client — check before tightening.
  # nat:     tunnel traffic leaving via the WAN interface is masqueraded.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input {
        iifname ${tunIface} udp dport domain counter accept comment "unbound: DNS"
      }
      chain forward {
        iifname ${tunIface} oifname ${wanIface} counter accept
        iifname ${wanIface} oifname ${tunIface} counter accept
      }
    }
    table inet nat {
      chain postrouting {
        iifname ${tunIface} oifname ${wanIface} masquerade
      }
    }
  '';
}