nixos/britway: Use internal addresses for DNS
parent
0a86a649a6
commit
f58b71e8d3
@ -49,15 +49,19 @@ in
|
|||||||
noise.private_key_path = "/var/lib/headscale/noise_private.key";
|
noise.private_key_path = "/var/lib/headscale/noise_private.key";
|
||||||
ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
|
ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
|
||||||
dns_config = {
|
dns_config = {
|
||||||
|
# Use IPs that will route inside the VPN to prevent interception
|
||||||
|
# (e.g. DNS rebinding filtering)
|
||||||
restricted_nameservers = {
|
restricted_nameservers = {
|
||||||
"${domain}" = pubNameservers;
|
"${domain}" = pubNameservers;
|
||||||
"${lib.my.c.colony.domain}" = with allAssignments.estuary.internal; [
|
"${lib.my.c.colony.domain}" = with allAssignments.estuary.base; [
|
||||||
ipv4.address ipv6.address
|
ipv4.address ipv6.address
|
||||||
];
|
];
|
||||||
"${lib.my.c.home.domain}" = lib.my.c.home.routersPubV4 ++ ([
|
"${lib.my.c.home.domain}" = with allAssignments; [
|
||||||
allAssignments.river.as211024.ipv6.address
|
river.hi.ipv4.address
|
||||||
allAssignments.stream.as211024.ipv6.address
|
river.hi.ipv6.address
|
||||||
]);
|
stream.hi.ipv4.address
|
||||||
|
stream.hi.ipv6.address
|
||||||
|
];
|
||||||
};
|
};
|
||||||
magic_dns = true;
|
magic_dns = true;
|
||||||
base_domain = "ts.${pubDomain}";
|
base_domain = "ts.${pubDomain}";
|
||||||
|
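Review bot: The new `restricted_nameservers` entries for `lib.my.c.colony.domain` and `lib.my.c.home.domain` list only internal addresses (`estuary.base`, `river.hi`, `stream.hi`), so resolving those zones now depends on every tailnet client having a route to them; the old home entry also carried `routersPubV4`, which is dropped. If that dependency is intended, the comment should record it, e.g. `# Clients need routes to these addresses via the tailnet; there is no public fallback`. The `"${domain}" = pubNameservers` entry is unchanged and presumably still uses public addresses, so the interception argument in the comment does not cover it; it is worth stating whether that is deliberate. The enclosing attribute set starts and ends outside the hunk.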
@ -52,7 +52,7 @@ in
|
|||||||
allowFrom = [
|
allowFrom = [
|
||||||
"127.0.0.0/8" "::1/128"
|
"127.0.0.0/8" "::1/128"
|
||||||
prefixes.all.v4 prefixes.all.v6
|
prefixes.all.v4 prefixes.all.v6
|
||||||
];
|
] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
|
||||||
};
|
};
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
|
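Review bot: The `allowFrom` list now admits the whole tailscale prefix with no comment saying why, and the same change is made in the next file section (the list with `prefixes.hi` and `prefixes.lo`). A line such as `# Tailscale clients are pointed here by headscale's restricted_nameservers` above the appended list would tie the ACL to the split-DNS change it supports. `allowFrom` looks like the resolver's own client ACL, so any packet filter in front of it presumably needs a matching rule; that is not visible in this hunk. The expression `with lib.my.c.tailscale.prefix; [ v4 v6 ]` now appears three times in this commit and could be one shared value.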
@ -42,7 +42,7 @@ in
|
|||||||
"127.0.0.0/8" "::1/128"
|
"127.0.0.0/8" "::1/128"
|
||||||
prefixes.hi.v4 prefixes.hi.v6
|
prefixes.hi.v4 prefixes.hi.v6
|
||||||
prefixes.lo.v4 prefixes.lo.v6
|
prefixes.lo.v4 prefixes.lo.v6
|
||||||
];
|
] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
|
||||||
};
|
};
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
|
@ -55,7 +55,7 @@ in
|
|||||||
}
|
}
|
||||||
{
|
{
|
||||||
name = "domain-search";
|
name = "domain-search";
|
||||||
data = "${domain}, dyn.${domain}";
|
data = "${domain}, dyn.${domain}, ${lib.my.c.colony.domain}, ${lib.my.c.britway.domain}";
|
||||||
always-send = true;
|
always-send = true;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
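Review bot: Adding `${lib.my.c.colony.domain}` and `${lib.my.c.britway.domain}` to `domain-search` means an unqualified name that is absent from `${domain}` and `dyn.${domain}` will now be tried in those zones, so a host name reused across zones resolves to whichever list entry matches first. A comment recording that the order is deliberate would help, e.g. `# Search order: local zones first, then colony and britway`. The same list is written by hand again in the `DNSSL` line of the next file section, with a different separator. Deriving both from one list would keep the DHCP option and the router advertisement from drifting apart.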
@ -11,7 +11,7 @@ let
|
|||||||
AdvLinkMTU ${toString prefixes."${name}".mtu};
|
AdvLinkMTU ${toString prefixes."${name}".mtu};
|
||||||
prefix ${prefixes."${name}".v6} {};
|
prefix ${prefixes."${name}".v6} {};
|
||||||
RDNSS ${net.cidr.host 1 prefixes."${name}".v6} ${net.cidr.host 2 prefixes."${name}".v6} {};
|
RDNSS ${net.cidr.host 1 prefixes."${name}".v6} ${net.cidr.host 2 prefixes."${name}".v6} {};
|
||||||
DNSSL ${domain} dyn.${domain} {};
|
DNSSL ${domain} dyn.${domain} ${lib.my.c.colony.domain} ${lib.my.c.britway.domain} {};
|
||||||
};
|
};
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
|