host/tatos: add forwarding traffic to dnscrypt-proxy2

This commit is contained in:
Dmitriy Pleshevskiy 2024-04-16 17:57:37 +03:00
parent c14dae659d
commit e0ded86454
Signed by: pleshevskiy
GPG key ID: 17041163DA10A9A2
2 changed files with 29 additions and 15 deletions


@ -0,0 +1,28 @@
{ lib, ... }:
let dnsport = 53; in
{
services.dnscrypt-proxy2.settings.listen_addresses = [ "[::1]:51" ];
# Forward loopback traffic on port 53 to dnscrypt-proxy2.
networking.firewall.extraCommands = ''
ip6tables --table nat --flush OUTPUT
${lib.flip (lib.concatMapStringsSep "\n") [ "udp" "tcp" ] (proto: ''
ip6tables --table nat --append OUTPUT \
--protocol ${proto} --destination ::1 --destination-port 53 \
--jump REDIRECT --to-ports 51
'')}
'';
networking.firewall = {
allowedTCPPorts = [ dnsport ];
allowedUDPPorts = [ dnsport ];
};
services.dnsmasq = {
enable = true;
settings = {
interface = "wg0";
};
};
};
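Review bot: `allowedTCPPorts`/`allowedUDPPorts` (L27–L30) open port 53 on every interface while dnsmasq is restricted to `wg0` (L34); scoping the opening with `networking.firewall.interfaces.wg0.allowedTCPPorts = [ dnsport ];` and the matching UDP line avoids exposing a resolver on the public address if dnsmasq's interface binding ever changes. `ip6tables --table nat --flush OUTPUT` (L20) wipes every rule in the shared nat OUTPUT chain on each firewall reload, not just the two added here, so rules installed by other modules or by hand are silently lost; a dedicated chain that is created/flushed and jumped to from OUTPUT gives the same idempotency without that side effect. The redirect rule also hard-codes `53` (L23) while `dnsport` (L15) exists for the same value; `--destination-port ${toString dnsport}` keeps them in step. Only the IPv6 loopback is redirected, so queries to 127.0.0.1:53 land on dnsmasq rather than dnscrypt-proxy2 — this looks intentional but deserves a comment, and note that `extraCommands` is not applied when the firewall is backed by nftables.
```nix
networking.firewall.extraCommands = ''
  ip6tables --table nat --new-chain dnscrypt-redirect 2>/dev/null || true
  ip6tables --table nat --flush dnscrypt-redirect
  ip6tables --table nat --check OUTPUT --jump dnscrypt-redirect 2>/dev/null \
    || ip6tables --table nat --append OUTPUT --jump dnscrypt-redirect
  ${lib.flip (lib.concatMapStringsSep "\n") [ "udp" "tcp" ] (proto: ''
    ip6tables --table nat --append dnscrypt-redirect \
      --protocol ${proto} --destination ::1 --destination-port ${toString dnsport} \
      --jump REDIRECT --to-ports 51
  '')}
'';
# … unchanged: firewall port list, dnsmasq block …
```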


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
# Source: https://habr.com/ru/companies/xakep/articles/699000/ # Source: https://habr.com/ru/companies/xakep/articles/699000/
@ -9,8 +9,6 @@ let
port = tatosData.wireguard.port; port = tatosData.wireguard.port;
update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { }; update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
dnsport = 53;
in in
{ {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@ -23,18 +21,6 @@ in
internalInterfaces = [ "wg0" ]; internalInterfaces = [ "wg0" ];
}; };
networking.firewall = {
allowedTCPPorts = [ dnsport ];
allowedUDPPorts = [ dnsport port ];
};
services.dnsmasq = {
enable = true;
settings = {
interface = "wg0";
};
};
environment.systemPackages = [ update_ru_routes ]; environment.systemPackages = [ update_ru_routes ];
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
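Review bot: The removed `allowedUDPPorts = [ dnsport port ]` (L56) also opened the WireGuard listen port, but the relocated firewall block in the new DNS file only opens `dnsport`, so nothing visible in this diff opens `port` any more; unless it is re-added in a part of this file outside the hunks, peers lose access to the wg0 endpoint once the firewall is reloaded. Keep `networking.firewall.allowedUDPPorts = [ port ];` next to the wg-quick definition here rather than coupling it to the DNS module. The `lib` argument added at L42 has no new use in any hunk of this file, so it looks unused and can be dropped if it was only needed by the new file. The `networking.wg-quick.interfaces` attrset at L65 continues outside the hunk.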