-{ pkgs, lib, config, credentials, host, ... }:
+{ config, inputs, hostName, host, ... }:
let
domain = "i.sourcephile.fr";
- iface = "iode";
- gateway = config.networking.defaultGateway.interface;
+ dnsIface = "iode";
+ gwIface = config.networking.defaultGateway.interface;
in
{
-systemd.services.iodined.serviceConfig.LoadCredentialEncrypted = "password:${credentials}/iodine/password.secret";
-systemd.sockets.iodined = {
- enable = true;
- listenDatagrams = [ "127.0.0.1:1053" ];
- socketConfig.BindToDevice = "lo";
- socketConfig.ReusePort = true;
- wantedBy = [ "sockets.target" ];
-};
-services.iodine.server = {
- enable = true;
- ip = "10.53.53.1/24";
- passwordFile = "$CREDENTIALS_DIRECTORY/password";
- inherit domain;
- extraConfig = "-4 -c -d ${iface} -i 1800 -n ${host.ipv4}";
-};
-boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-networking.nftables.ruleset = ''
- # Forwarding
- add rule inet filter forward iifname "${iface}" oifname "${gateway}" counter accept
- add rule inet filter forward iifname "${gateway}" oifname "${iface}" counter accept
-
- # Masquerading
- add rule inet nat postrouting iifname "${iface}" oifname "${gateway}" masquerade
-'';
+ systemd.services.iodined.serviceConfig.LoadCredentialEncrypted = [
+ "password:${iodine/password.cred}"
+ ];
+ systemd.sockets.iodined = {
+ enable = true;
+ listenDatagrams = [ "127.0.0.1:1053" ];
+ socketConfig.BindToDevice = "lo";
+ socketConfig.ReusePort = true;
+ wantedBy = [ "sockets.target" ];
+ };
+ services.iodine.server = {
+ enable = true;
+ ip = "10.53.53.1/24";
+ passwordFile = "$CREDENTIALS_DIRECTORY/password";
+ inherit domain;
+ extraConfig = "-4 -c -d ${dnsIface} -i 1800 -n ${host.ipv4}";
+ };
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain input {
+ iifname ${dnsIface} udp dport domain counter accept comment "unbound: DNS"
+ }
+ chain forward {
+ iifname ${dnsIface} oifname ${gwIface} counter accept
+ iifname ${gwIface} oifname ${dnsIface} counter accept
+ }
+ }
+ table inet nat {
+ chain postrouting {
+ iifname ${dnsIface} oifname ${gwIface} masquerade
+ }
+ }
+ '';
+ services.unbound.settings.server = {
+ interface = [ "10.53.53.1" ];
+ access-control = [ "10.53.53.0/24 allow" ];
+ };
}
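Review bot: The second forward rule, `iifname ${gwIface} oifname ${dnsIface} counter accept`, admits any packet from the gateway side into the tunnel network without a conntrack check, so with `net.ipv4.ip_forward = 1` any host that can route 10.53.53.0/24 through this machine can open connections to iodine clients rather than only receive replies; restrict it to return traffic, `iifname ${gwIface} oifname ${dnsIface} ct state established,related counter accept`, and leave the client-to-gateway rule as is. The `table inet filter { chain input { … } }` form declares no `type`/`hook`/`policy`, so these rules only take effect if the same chains are declared with a hook elsewhere in the assembled ruleset — if they are not, a hookless chain never matches and the `udp dport domain` accept for unbound is dead, which is worth confirming since the rest of the ruleset is outside this hunk. Binding unbound to `10.53.53.1` presumably requires the iodine tun device to exist before unbound starts, and iodined is socket-activated here, so check that unbound does not fail on boot with an unbindable address. Finally, `${iodine/password.cred}` copies the file into the world-readable Nix store, which is acceptable only because `LoadCredentialEncrypted` expects a systemd-creds blob bound to this host's key or TPM; a comment such as `# systemd-creds encrypted blob: the world-readable store copy is by design` would stop a later edit from dropping a plaintext file in its place.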