{ config, pkgs, ... }:
{
# Delegate home.ctu.cx from the parent zone to the dnsmasq authoritative
# server configured below, with glue for the nameserver's own public addresses
# (the same addresses dnsmasq's auth-server/host-record entries use).
dns.zones."ctu.cx".subdomains = with pkgs.dns.lib.combinators; {
  home = {
    NS = [ "home.ctu.cx." ];
    A = [ (a "195.39.246.42") ];
    AAAA = [ "2a0f:4ac0:acab::1" ];
  };
};
# dnsmasq is the LAN's only DNS, DHCP and RA source; page by e-mail if the unit fails.
# (email-notify@.service is defined elsewhere in this configuration.)
systemd.services.dnsmasq = {
  onFailure = [ "email-notify@%i.service" ];
};
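services = {
  # systemd-resolved would otherwise compete for :53 and resolv.conf; dnsmasq
  # owns name resolution on this host.
  resolved.enable = false;

  dnsmasq = {
    enable = true;
    settings = {
      # Recursive service only for hosts on directly attached subnets. This is
      # what keeps the box from being an open resolver despite having public
      # addresses. NOTE(review): authoritative answers for home.ctu.cx (auth-server
      # below) are still given to anyone, which the NS delegation relies on.
      local-service = true;
      # Never read /etc/resolv.conf; upstreams are pinned in `server` below.
      no-resolv = true;
      no-hosts = true;
      # Don't forward bare hostnames upstream.
      domain-needed = true;
      # Answer reverse lookups for RFC1918 space with NXDOMAIN instead of
      # leaking them to the public upstreams.
      bogus-priv = true;
      # DNS-rebinding guard: drop upstream answers that point into private
      # address ranges. Names in local=/home.ctu.cx/ and the address= entries
      # below are answered locally and never forwarded, so they are unaffected.
      # If some external name legitimately resolves to a private address,
      # whitelist it with rebind-domain-ok rather than removing this.
      stop-dns-rebind = true;
      enable-ra = true;
      quiet-ra = true;
      # Plain DNS to the public upstreams: no DoT/DoH here, and no DNSSEC
      # validation is configured (no `dnssec`/trust-anchor settings).
      server = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" "8.8.4.4" ];
      # home.ctu.cx is served from local data (host-record, dhcp leases) only.
      local = "/home.ctu.cx/";
      domain = "home.ctu.cx";
      auth-ttl = 600;
      # Authoritative mode is bound to the public addresses, matching the glue
      # records published in the parent zone.
      auth-server = "home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1";
      # Subnets whose leases/host-records are included in the authoritative
      # zone (and for which reverse zones are served). NOTE(review): listing
      # 10.0.0.0/24 here publishes private-LAN hostnames and addresses to the
      # internet via the public zone; drop it if that is not intended.
      auth-zone = "home.ctu.cx, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64";
      host-record = [
        "home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1"
      ];
      cname = [
        "briefkasten.home.ctu.cx, home.ctu.cx"
        "dnsmasq.home.ctu.cx, home.ctu.cx"
      ];
      # Bare-name answers for LAN-only devices (match the name and any subdomain).
      address = [
        "/briefkasten/10.0.0.1"
        "/ads1700w/10.0.0.10"
        "/scanner/10.0.0.10"
      ];
      # This is the only DHCP server on the LAN, so answer (NAK) leases it does
      # not know about.
      dhcp-authoritative = true;
      dhcp-rapid-commit = true;
      dhcp-sequential-ip = true;
      dhcp-range = [
        "private, 10.0.0.100, 10.0.0.200, 255.255.255.0, 48h"
        # Public range hands out static entries only (see dhcp-host).
        "public, 195.39.246.34, static, 255.255.255.240, 195.39.246.47, 48h"
        " 2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64, 48h"
      ];
      dhcp-option = [
        "option6:information-refresh-time, 6h"
        "option6:dns-server, [2a0f:4ac0:acab::1]"
        "private, option:router, 10.0.0.1"
        "private, option:dns-server, 10.0.0.1"
        "public, option:router, 195.39.246.42"
        "public, option:dns-server, 195.39.246.42"
      ];
      # Fixed assignments keyed on MAC (v4) and DUID-derived id: (v6). Note
      # that MAC-based reservations are not an access control: anyone on the
      # segment can spoof a MAC and take the public address.
      dhcp-host = [
        "48:a9:8a:8e:dd:0b, accesspoint, 10.0.0.2"
        "5c:f3:70:b9:35:9c, ctux-ads1700w, 10.0.0.10"
        "34:31:c4:46:88:31, pbx, 10.0.0.20"
        "id:bc:6e:e2:03:99:40, nadia-work, [2a0f:4ac0:acab::37]"
        "bc:6e:e2:03:99:40, nadia-work, 195.39.246.37"
        "id:1c:57:dc:40:dc:b2, blechkasten, [2a0f:4ac0:acab::43]"
        "1c:57:dc:40:dc:b2, blechkasten, 195.39.246.43"
        "id:00:e0:4c:02:13:75, desktop, [2a0f:4ac0:acab::44]"
        "00:e0:4c:02:13:75, desktop, 195.39.246.44"
        "id:f4:3b:d8:cb:7c:49, coladose, [2a0f:4ac0:acab::45]"
        "f4:3b:d8:cb:7c:49, coladose, 195.39.246.45"
      ];
    };
  };

  # The lease-overview CGI runs as the dnsmasq user so it can read the lease
  # file; only nginx can reach its socket.
  fcgiwrap.instances.dnsmasq = {
    process.user = "dnsmasq";
    process.group = "dnsmasq";
    socket.user = "nginx";
    socket.group = "nginx";
  };

  nginx = {
    enable = true;
    virtualHosts."dnsmasq.home.ctu.cx" = {
      enableACME = true;
      forceSSL = true;
      kTLS = true;
      locations = {
        "/".extraConfig = ''
          # The vhost has a public name and a publicly-issued cert, and the
          # overview itself has no authentication (lease table with MACs and
          # hostnames, plus whatever the router API returns). Only let the
          # subnets dnsmasq serves (see auth-zone) reach it. ACME's
          # /.well-known/acme-challenge is a separate location and stays open.
          allow 10.0.0.0/24;
          allow 195.39.246.32/28;
          allow 2a0f:4ac0:acab::/64;
          deny all;

          include "${pkgs.nginx}/conf/fastcgi_params";
          fastcgi_param SCRIPT_FILENAME "${pkgs.dnsmasq-lease-overview}/bin/overview";
          fastcgi_param LEASE_PATH "/var/lib/dnsmasq/dnsmasq.leases";
          # NOTE(review): credentials travel to the router over plain HTTP on
          # the LAN; use https if the router's TLS service is enabled.
          fastcgi_param MIKROTIK_HOST "http://10.0.0.2";
          fastcgi_param MIKROTIK_USER "leah";
          # The router password must not be written into this file: everything
          # in the Nix store, including the generated nginx.conf, is world-
          # readable (and ends up in git / binary caches). Keep the single line
          #   fastcgi_param MIKROTIK_PASSWORD "...";
          # in a file outside the store that only the user running the nginx
          # master can read (e.g. root:nginx, mode 0440), provisioned out of
          # band by your deploy tooling or secret manager, and include it here.
          # nginx refuses to start if the file is missing, so provision it
          # before switching to this configuration. Adjust the path to match
          # where your secret tooling places it.
          include /run/secrets/nginx-mikrotik-password.conf;
          # QUERY_STRING is attacker-controlled once the page is reachable; the
          # overview script is responsible for validating it.
          fastcgi_param QUERY_STRING $args;
          fastcgi_pass unix:${config.services.fcgiwrap.instances.dnsmasq.socket.address};
        '';
      };
    };
  };
};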
}