From 46df9b8aa8260900943cf0255d68314eb41a0706 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Wed, 20 Dec 2023 16:43:20 +0000
Subject: [PATCH] nixos/britway: Setup split DNS
---
 nixos/boxes/britway/tailscale.nix | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/nixos/boxes/britway/tailscale.nix b/nixos/boxes/britway/tailscale.nix
index ac315bd..48c5a1c 100644
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -24,6 +24,12 @@ let
 lib.my.c.home.prefixes.all.v4
 lib.my.c.home.prefixes.all.v6
 ];
+ pubNameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ "2606:4700:4700::1111"
+ "2606:4700:4700::1001"
+ ];
 in
 {
 config = {
@@ -45,20 +51,19 @@ in
 noise.private_key_path = "/var/lib/headscale/noise_private.key";
 ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
 dns_config = {
- domains = [
- domain
- lib.my.c.colony.domain
- lib.my.c.home.domain
- ];
- nameservers = [
- "1.1.1.1"
- "1.0.0.1"
- "2606:4700:4700::1111"
- "2606:4700:4700::1001"
- ];
+ restricted_nameservers = {
+ "${domain}" = pubNameservers;
+ "${lib.my.c.colony.domain}" = with allAssignments.estuary.internal; [
+ ipv4.address ipv6.address
+ ];
+ "${lib.my.c.home.domain}" = lib.my.c.home.routersPubV4 ++ ([
+ allAssignments.river.as211024.ipv6.address
+ allAssignments.stream.as211024.ipv6.address
+ ]);
+ };
 magic_dns = true;
 base_domain = "ts.${pubDomain}";
- override_local_dns = true;
+ override_local_dns = false;
 };
 oidc = {
 only_start_if_oidc_is_available = true;
@@ -77,7 +82,9 @@ in
 openFirewall = true;
 interfaceName = "tailscale0";
 extraUpFlags = [
+ "--operator=${config.my.user.config.name}"
 "--login-server=https://ts.nul.ie"
+ "--netfilter-mode=off"
 "--advertise-exit-node"
 "--advertise-routes=${advRoutes}"
 ];
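Review bot: `pubNameservers` is introduced without a comment, and because the same commit binds it to a single zone under `restricted_nameservers` rather than using it as the global fallback it used to be, the reason for pinning Cloudflare's resolvers to that one domain is not evident from the binding itself. A short comment such as `# Public resolvers used only for the public zone; plain IPs are all this option accepts, and tailscaled upgrades these well-known addresses to DoH on its own (confirm for the client version deployed)` would record both the intent and the transport assumption. The `let` block this binding belongs to starts before the hunk.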
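Review bot: The `${lib.my.c.home.domain}` entry sends clients to `lib.my.c.home.routersPubV4` and the `as211024` IPv6 addresses, which by their names are the routers' public addresses rather than anything inside the `lib.my.c.home.prefixes.all` ranges carried by `advRoutes`; if that reading is right, every node's lookups for the home zone leave the tailnet as cleartext UDP/53 across the Internet and the routers must expose a resolver on their WAN side, whereas the colony entry on the lines above keeps its queries internal via `allAssignments.estuary.internal`. If the routers also have addresses within the advertised home prefixes, prefer those so the queries ride the subnet routes; if not, make sure the routers' public DNS listener is limited to the tailnet's egress addresses and is not an open resolver. Dropping the global `nameservers` while setting `override_local_dns = false` means everything outside the three zones now goes to each client's own resolver, which is presumably intended but deserves a comment like `# No global resolver: only these zones are answered via the tailnet, all other queries stay with the client's local DNS`. The headscale settings attribute set that `dns_config` belongs to starts before the hunk and ends after it.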
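Review bot: `--netfilter-mode=off` stops tailscaled from installing its own iptables/nftables chains, which on a node that also passes `--advertise-exit-node` and `--advertise-routes=${advRoutes}` removes, by my reading of tailscaled's netfilter setup, the forward-accept and masquerade rules for routed traffic and the input rule dropping packets that arrive on non-tailscale interfaces with a 100.64.0.0/10 source; `openFirewall = true` only opens the WireGuard port, so those rules must now come from the host firewall and nothing in this hunk shows where. If they live elsewhere in this box's config, a comment beside the flag naming that module, e.g. `# Firewall rules for tailscale0 (forward/masquerade, CGNAT anti-spoofing) come from <module>, not tailscaled`, would make the dependency visible; if they do not, the exit node will either fail to forward or, under a permissive forward policy, forward without the anti-spoofing check. `--operator=${config.my.user.config.name}` lets that user drive tailscaled without root (`tailscale up`/`set`, exit-node changes), a deliberate privilege grant that also deserves a one-line comment. The `services.tailscale` block that `extraUpFlags` belongs to starts before the hunk.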