tailscale/adguard: use agh as ts dns

2024-05-25 15:47:17 +02:00 · 2024-05-25 15:47:17 +02:00 · c265b5d649
commit c265b5d649
parent 40426ab5f8
11 changed files with 52 additions and 3 deletions
--- a/agenix/hosts/argon/adguardhome-sync/environment.age
+++ b/agenix/hosts/argon/adguardhome-sync/environment.age
--- a/agenix/hosts/tanker/headscale/acls.age
+++ b/agenix/hosts/tanker/headscale/acls.age
--- a/home/config/direnv/direnvrc
+++ b/home/config/direnv/direnvrc
@ -11,7 +11,7 @@ project() {
 # Languages

 project_erlang() {
-  export ERL_AFLAGS="-kernel shell_history enabled"
+  export ERL_AFLAGS="-kernel shell_history enabled -kernel shell_history_path '\"$(direnv_layout_dir)/erl_history\"'"

  export REBAR_CACHE_DIR=$(direnv_layout_dir)/rebar
  export REBAR_GLOBAL_CONFIG_DIR=$(direnv_layout_dir)/rebar/config
--- a/system/hosts/argon.nix
+++ b/system/hosts/argon.nix
@ -32,7 +32,7 @@ in
    # ../nixos/telegraf.nix

    ../nixos/tailscale.nix
-    ../nixos/tailscale-argon.nix
+    ../nixos/tailscale-nodns.nix

    ../nixos/unbound.nix

--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@ -26,6 +26,7 @@ in
    ../nixos/ddg.nix

    ../nixos/tailscale.nix
+    ../nixos/tailscale-nodns.nix

    ../nixos/unbound.nix

--- a/system/hosts/tanker.nix
+++ b/system/hosts/tanker.nix
@ -55,6 +55,7 @@ in
    ../nixos/matrix

    ../nixos/tailscale.nix
+    ../nixos/tailscale-nodns.nix

    ../nixos/websites-tanker.nix

--- a/system/nixos/adguardhome.nix
+++ b/system/nixos/adguardhome.nix
@ -27,6 +27,30 @@
          allow_unencrypted_doh = true;
          strict_sni_check = true;
        };
+
+        dns = {
+          # Based on: https://pkg.go.dev/github.com/Potterli20/golibs-fork/netutil#IsLocallyServed
+          private_networks = [
+            "10.0.0.0/8"
+            "127.0.0.0/8"
+            "169.254.0.0/16"
+            "172.16.0.0/12"
+            "192.0.2.0/24"
+            "192.168.0.0/16"
+            "198.51.100.0/24"
+            "203.0.113.0/24"
+            "255.255.255.255/32"
+
+            "::/128"
+            "::1/128"
+            "2001:db8::/32"
+            "fd00::/8"
+            "fe80::/10"
+
+            "100.64.10.0/24"
+            "fd7a:115c:a1e0:1010::/64"
+          ];
+        };
      };

    # settings = {
--- a/system/nixos/headscale.nix
+++ b/system/nixos/headscale.nix
@ -28,7 +28,7 @@ in
        acl_policy_path = config.age.secrets.headscale-acls.path;

        dns_config = {
-          override_local_dns = false;
+          override_local_dns = true;

          nameservers = [
            "100.64.10.1"
--- a/system/nixos/tailscale-nodns.nix
+++ b/system/nixos/tailscale-nodns.nix
--- a/system/nixos/tailscale.nix
+++ b/system/nixos/tailscale.nix
@ -13,6 +13,7 @@ in
    extraUpFlags = [
      "--login-server"
      headscale
+      "--stateful-filtering"
    ];
  };
 }
--- a/system/nixos/unbound.nix
+++ b/system/nixos/unbound.nix
@ -24,15 +24,37 @@
        num-threads = 1;
        so-rcvbuf = "1m";

+        unblock-lan-zones = true;
+        insecure-lan-zones = true;
+
        private-address = [
          "192.168.0.0/16"
          "169.254.0.0/16"
          "172.16.0.0/12"
          "10.0.0.0/8"
+          "100.64.10.0/24"
          "fd00::/8"
          "fe80::/10"
+          "fd7a:115c:a1e0:1010::/64"
+        ];
+      };
+
+      forward-zone = [
+        {
+          name = "10.64.100.in-addr.arpa.";
+          forward-addr = "100.100.100.100";
+        }
+
+        {
+          name = "0.1.0.1.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.";
+          forward-addr = "100.100.100.100";
+        }
+
+        {
+          name = "in-addr.arpa.";
+          forward-addr = "10.0.0.1";
+        }
      ];
    };
  };
-  };
 }