| author | lassulus <lassulus@lassul.us> | 2018-11-28 18:55:08 +0100 |
|---|---|---|
| committer | lassulus <lassulus@lassul.us> | 2018-11-28 18:55:08 +0100 |
| commit | 35ac49f0bb4c49cd6365c12207e38e91f4a74db6 (patch) | |
| tree | 3d4c2548e1a5a97f2572431b53bc28f8f22c6d99 /tv/3modules | |
| parent | 81aeaeb52f0a9e155b2f6ddab5c2e4312bcd807d (diff) | |
| parent | 066140ec0e24bd0f58931c7abe268bdb91181038 (diff) | |
Merge remote-tracking branch 'ni/master' into ci
Diffstat (limited to 'tv/3modules')
| -rw-r--r-- | tv/3modules/default.nix | 1 | ||||
| -rw-r--r-- | tv/3modules/dnsmasq.nix | 57 |
2 files changed, 58 insertions, 0 deletions
diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix
index 493cc8b..6172feb 100644
--- a/tv/3modules/default.nix
+++ b/tv/3modules/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./charybdis
+ ./dnsmasq.nix
 ./ejabberd
 ./hosts.nix
 ./iptables.nix
diff --git a/tv/3modules/dnsmasq.nix b/tv/3modules/dnsmasq.nix
new file mode 100644
index 0000000..ec927f9
--- /dev/null
+++ b/tv/3modules/dnsmasq.nix
@@ -0,0 +1,57 @@
+with import <stockholm/lib>;
+{ config, ... }: let
+ cfg = config.tv.dnsmasq;
+in {
+
+ options.tv.dnsmasq = {
+ enable = mkEnableOption "tv.dnsmasq";
+ dhcp-range = mkOption {
+ type = types.str;
+ };
+ interface = mkOption {
+ type = types.str;
+ };
+ address = mkOption {
+ type = types.str;
+ };
+ prefixLength = mkOption {
+ type = types.addCheck types.int (x: x >= 0 && x <= 32);
+ };
+ };
+
+ config = mkIf cfg.enable (mkMerge [
+ {
+ networking.dhcpcd.denyInterfaces = [ cfg.interface ];
+ services.dnsmasq.resolveLocalQueries = false;
+ networking.interfaces.${cfg.interface} = {
+ ipv4.addresses = singleton {
+ address = cfg.address;
+ prefixLength = cfg.prefixLength;
+ };
+ };
+ services.dnsmasq.enable = true;
+ services.dnsmasq.extraConfig = ''
+ dhcp-range=${cfg.dhcp-range}
+ interface=${cfg.interface}
+ '';
+ tv.iptables.extra.filter.INPUT = [
+ "-i ${cfg.interface} -p tcp -m tcp --dport bootps -j ACCEPT"
+ "-i ${cfg.interface} -p udp -m udp --dport bootps -j ACCEPT"
+ "-i ${cfg.interface} -p tcp -m tcp --dport domain -j ACCEPT"
+ "-i ${cfg.interface} -p udp -m udp --dport domain -j ACCEPT"
+ ];
+ }
+ {
+ # enable forwarding
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+ tv.iptables.extra.filter.FORWARD = [
+ "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+ "-i ${cfg.interface} -j ACCEPT"
+ ];
+ tv.iptables.extra.nat.POSTROUTING = [
+ "-j MASQUERADE"
+ ];
+ }
+ ]);
+
+}
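Review bot: The `-j MASQUERADE` rule in `tv.iptables.extra.nat.POSTROUTING` carries no `-o` or `-s` qualifier, so it source-rewrites every new connection leaving the host on any interface, not only DHCP clients going out the uplink, and it would presumably also masquerade any new connection forwarded out `cfg.interface` itself, hiding the real source from LAN hosts. Restrict it to the served subnet and the non-LAN egress, e.g. `"-s ${cfg.address}/${toString cfg.prefixLength} ! -o ${cfg.interface} -j MASQUERADE"`, and consider the same `-s` qualifier on the FORWARD rule `"-i ${cfg.interface} -j ACCEPT"`, which currently forwards anything arriving on that interface to any destination. Since `net.ipv4.ip_forward` is enabled host-wide, what else gets forwarded depends on the FORWARD policy set by the tv.iptables module, which is not part of this diff. The `mkOption`s also lack `description`s; a one-liner such as `description = "Interface dnsmasq serves DHCP/DNS on; dhcpcd is denied on it and it is NATed to the other interfaces";` on `interface`, with similar text on `dhcp-range`, `address` and `prefixLength`, would make the module's contract visible in the generated option docs.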
