Lithospherical/nix-config
1
0
Fork 0
forked from jan-leila/nix-config
Code Pull requests Activity

fix: made crab-hole dns accessible from other devices

Browse source
This commit is contained in:
Leyla Becker 2025-10-20 20:01:07 -05:00
parent e8f7331b6c
commit d19d535d85
2 changed files with 37 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
configurations/nixos/defiant/configuration.nix
View file

@ -348,7 +348,7 @@
openFirewall = true; openFirewall = true;
show_doc = true; show_doc = true;
downstreams = { downstreams = {
loopback = { host = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
}; };

44
modules/nixos-modules/server/crab-hole/crab-hole.nix
View file

@ -27,9 +27,19 @@ in {
show_doc = lib.mkEnableOption "OpenAPI documentation (loads content from third party websites)"; show_doc = lib.mkEnableOption "OpenAPI documentation (loads content from third party websites)";
downstreams = { downstreams = {
loopback = { host = {
enable = lib.mkEnableOption "loopback downstream DNS server on localhost:53"; enable = lib.mkEnableOption "host downstream DNS server accessible from network on all interfaces";
openFirewall = lib.mkEnableOption "automatic port forwarding for the loopback downstream"; port = lib.mkOption {
type = lib.types.port;
default = 53;
description = "Port for the host downstream DNS server to listen on.";
};
openFirewall = lib.mkEnableOption "automatic port forwarding for the host downstream";
disableSystemdResolved = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to automatically disable systemd-resolved when using port 53. Set to false if you want to handle the conflict manually.";
};
}; };
}; };
@ -82,6 +92,24 @@ in {
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# Assertions for proper configuration
assertions = [
{
assertion = !(cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && config.services.resolved.enable && cfg.downstreams.host.disableSystemdResolved);
message = "crab-hole host downstream cannot use port 53 while systemd-resolved is enabled. Either disable systemd-resolved or use a different port.";
}
{
assertion = !(cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && !cfg.downstreams.host.disableSystemdResolved && config.services.resolved.enable);
message = "crab-hole host downstream is configured to use port 53 but systemd-resolved is still enabled and disableSystemdResolved is false. Set disableSystemdResolved = true or manually disable systemd-resolved.";
}
];
# Automatically disable systemd-resolved if using port 53
services.resolved.enable = lib.mkIf (cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && cfg.downstreams.host.disableSystemdResolved) (lib.mkForce false);
# Configure DNS nameservers when disabling systemd-resolved
networking.nameservers = lib.mkIf (cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && cfg.downstreams.host.disableSystemdResolved) (lib.mkDefault ["127.0.0.1" "1.1.1.1" "8.8.8.8"]);
services.crab-hole.settings = lib.mkMerge [ services.crab-hole.settings = lib.mkMerge [
{ {
api = { api = {
@ -92,12 +120,12 @@ in {
downstream = cfg.extraDownstreams; downstream = cfg.extraDownstreams;
upstream.name_servers = cfg.extraUpstreams; upstream.name_servers = cfg.extraUpstreams;
} }
(lib.mkIf cfg.downstreams.loopback.enable { (lib.mkIf cfg.downstreams.host.enable {
downstream = [ downstream = [
{ {
protocol = "udp"; protocol = "udp";
listen = "localhost"; listen = "0.0.0.0";
port = 53; port = cfg.downstreams.host.port;
} }
]; ];
}) })
@ -136,8 +164,8 @@ in {
(lib.mkIf cfg.openFirewall { (lib.mkIf cfg.openFirewall {
allowedTCPPorts = [cfg.port]; allowedTCPPorts = [cfg.port];
}) })
(lib.mkIf (cfg.downstreams.loopback.enable && cfg.downstreams.loopback.openFirewall) { (lib.mkIf (cfg.downstreams.host.enable && cfg.downstreams.host.openFirewall) {
allowedUDPPorts = [53]; allowedUDPPorts = [cfg.downstreams.host.port];
}) })
]; ];
}; };