modules/network: init kresd

This commit is contained in:
xinyangli 2025-03-23 21:36:05 +08:00
parent effcdee7f9
commit e45eb7807f
Signed by: xin
SSH key fingerprint: SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
5 changed files with 98116 additions and 23 deletions


@ -22,8 +22,17 @@ in
signing.enable = true;
};
comin.enable = true;
network.localdns.enable = true;
};
nix.settings.substituters = [
"https://nix-community.cachix.org"
];
nix.settings.trusted-public-keys = [
# Compare to the key published at https://nix-community.org/cache
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
@ -56,6 +65,7 @@ in
security.pam.services.login.enableGnomeKeyring = lib.mkForce false;
programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;
networking.hostName = "calcite";
@ -198,6 +208,7 @@ in
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.avahi.enable = true;
services.pipewire = {
enable = true;
wireplumber.enable = true;
@ -206,6 +217,23 @@ in
pulse.enable = true;
# If you want to use JACK applications, uncomment this
jack.enable = true;
# Airplay client
raopOpenFirewall = true;
extraConfig.pipewire = {
"10-airplay" = {
"context.modules" = [
{
name = "libpipewire-module-raop-discover";
# increase the buffer size if you get dropouts/glitches
# args = {
# "raop.latency.ms" = 500;
# };
}
];
};
};
};
# Define a user account. Don't forget to set a password with passwd.
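Review bot: `raopOpenFirewall = true` in the pipewire hunk opens the RAOP discovery ports in the host firewall, presumably on every interface, and nothing records that this is meant for the local LAN only; a one-line note keeps the next reader from widening or dropping it blindly, e.g. `# Opens the AirPlay (RAOP) discovery ports in the firewall; intended for LAN devices only`. If this host also joins Tailscale, as the localdns module in this commit anticipates, the same ports are reachable from the tailnet unless the firewall scopes them per interface — worth confirming. The `services.avahi.enable = true;` added in the earlier hunk is what `raop-discover` depends on for mDNS and is equally undocumented; `# mDNS, required by raop-discover below` would tie the two together. The `services.pipewire` attribute set starts outside this hunk.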


@ -4,11 +4,14 @@
lib,
...
}:
let
inherit (config.my-lib.settings)
internalDomain
;
in
{
imports = [ ];
# Enable networking
networking = {
networkmanager = {
enable = true;
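Review bot: The `inherit (config.my-lib.settings) internalDomain` added to the `let` block has no remaining use in the visible part of the file: the only kresd block that could have consumed it is deleted in the next hunk, and the suffix it would have replaced lived in a commented-out line. If nothing below the tailscale block references it, drop the three lines; an unused `inherit` from `config.my-lib.settings` only adds an evaluation dependency on that settings set. The module function's argument list begins above this hunk and the attribute set continues past it.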
@ -21,27 +24,6 @@
};
};
networking.resolvconf = {
enable = true;
dnsExtensionMechanism = false;
useLocalResolver = false;
};
services.kresd = {
enable = true;
listenPlain = [ ];
extraConfig = ''
log_level("notice")
net.listen('127.0.0.1', 53)
modules = { 'hints > iterate', 'stats', 'predict' }
cache.size = 100 * MB
trust_anchors.remove(".")
policy.add(policy.all(policy.TLS_FORWARD( {
{ "8.8.8.8", hostname="dns.google" } })))
'';
# policy.add(policy.suffix(policy.FORWARD({ "100.100.100.100" }), policy.todnames({ 'coho-tet.ts.net' })))
};
# Enable Tailscale
services.tailscale = {
enable = true;


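--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>.nix
+{ config, lib, ... }:
+let
+inherit (lib) mkEnableOption mkOption mkIf;
+inherit (config.my-lib.settings)
+internalDomain
+;
+cfg = config.commonSettings.network;
+in
+{
+options.commonSettings.network = {
+localdns = {
+enable = mkEnableOption "Local DNS resolver";
+cacheSize = mkOption {
+type = lib.types.int;
+description = "Max cache size for knot-resolver in MB";
+default = 100;
+};
+};
+};
+config = {
+networking.resolvconf = mkIf cfg.localdns.enable {
+enable = true;
+dnsExtensionMechanism = false;
+useLocalResolver = true;
+};
+services.kresd = mkIf cfg.localdns.enable {
+enable = true;
+listenPlain = [ "127.0.0.1:53" ];
+listenTLS = [ "127.0.0.1:853" ];
+extraConfig =
+let
+listToLuaTable =
+x:
+lib.pipe x [
+(builtins.split "\n")
+(builtins.filter (s: s != [ ] && s != ""))
+(lib.strings.concatMapStrings (x: "'${x}',"))
+];
+chinaDomains = listToLuaTable (builtins.readFile ./china-domain.txt);
+globalSettings = ''
+log_level("notice")
+modules = { 'hints > iterate', 'stats', 'predict' }
+cache.size = ${cfg.localdns.cacheSize} * MB
+trust_anchors.remove(".")
+'';
+tsSettings = ''
+internalDomains = policy.todnames({'${internalDomain}'})
+policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
+'';
+proxySettings = ''
+policy.add(policy.domains(
+policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
+{ todname('hk-00.namely.icu') }))
+policy.add(policy.domains(
+policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
+{ todname('la-00.namely.icu') }))
+policy.add(policy.domains(
+policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
+{ todname('fra-00.namely.icu') }))
+'';
+mainlandSettings = ''
+chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
+policy.add(policy.suffix(policy.TLS_FORWARD({
+{ "223.5.5.5", hostname="dns.alidns.com" },
+{ "223.6.6.6", hostname="dns.alidns.com" },
+}), chinaDomains))
+policy.add(policy.all(policy.TLS_FORWARD({
+{ "8.8.8.8", hostname="dns.google" },
+{ "8.8.4.4", hostname="dns.google" },
+})))
+'';
+overseaSettings = ''
+policy.add(policy.all(policy.TLS_FORWARD({
+{ "8.8.8.8", hostname="dns.google" },
+{ "8.8.4.4", hostname="dns.google" },
+})))
+'';
+in
+globalSettings
++ (if config.services.dae.enable then proxySettings else "")
++ (if config.services.tailscale.enable then tsSettings else "")
++ (if config.inMainland then mainlandSettings else overseaSettings);
+};
+};
+}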
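Review bot: `cache.size = ${cfg.localdns.cacheSize} * MB` in `globalSettings` interpolates an integer into a Nix string, which fails at evaluation because `${…}` does not coerce ints; write `cache.size = ${toString cfg.localdns.cacheSize} * MB`. `builtins.readFile ./china-domain.txt` also names a different file from the `china-domains.txt` the updater script in this commit writes, so one of the two must change. Every line of that downloaded list is spliced unescaped into a single-quoted Lua string by `listToLuaTable`; adding `(builtins.filter (s: builtins.match "[A-Za-z0-9._-]+" s != null))` after the existing empty-entry filter in the `lib.pipe` chain keeps a stray quote or comment line in the upstream file from rewriting the resolver policy at build time. `trust_anchors.remove(".")` disables DNSSEC validation for every answer this resolver returns and deserves a comment stating why that is acceptable, e.g. `-- DNSSEC validation disabled locally; forwarded upstreams are relied on to validate — confirm this holds for each forwarder`. The global `TLS_FORWARD` to dns.google is duplicated between `mainlandSettings` and `overseaSettings`; a shared fallback string appended in both branches would remove the copy.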

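--- /dev/null
+++ b/scripts/update-china-list.sh
@@ -0,0 +1,4 @@
+output_file="modules/nixos/common-settings/china-domains.txt"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/accelerated-domains.china.raw.txt" > "$output_file"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/apple.china.raw.txt" >> "$output_file"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/google.china.raw.txt" >> "$output_file"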
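Review bot: The script has no shebang and no failure handling: each `curl` runs without `-f`, so an HTTP error body or a truncated transfer lands in the list, the first call has already truncated the previous file, and the localdns module then bakes whatever is there into the resolver policy at build time. The rewrite below aborts on any transfer error, assembles the three lists in a temporary file and replaces `china-domains.txt` only once every download has succeeded. Fetching from `refs/heads/master` also means the generated file cannot be traced to a specific upstream revision; pinning a commit in the URL and recording it at the top of the generated file keeps the list auditable. The filename written here does not match the `./china-domain.txt` read by the localdns module in the previous file section.
```shell
#!/usr/bin/env bash
set -euo pipefail

output_file="modules/nixos/common-settings/china-domains.txt"
# Replace refs/heads/master with a pinned commit so the generated list is reproducible
base_url="https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master"

tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT
for list in accelerated-domains.china.raw.txt apple.china.raw.txt google.china.raw.txt; do
  curl -fsSL "$base_url/$list" >> "$tmp"
done
mv "$tmp" "$output_file"
```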