hosts: fix Wireguard DNS settings

2025-01-31 04:58:01 +00:00 · 2023-02-06 19:32:55 +08:00 · 2023-02-06 19:32:55 +08:00 · efdbc4c103
commit efdbc4c103
parent 12abc5146e
3 changed files with 22 additions and 16 deletions
--- a/hosts/ni/default.nix
+++ b/hosts/ni/default.nix
@ -203,8 +203,6 @@ in
  networking.wg-quick.interfaces.wireguard0 = {
    privateKeyFile = config.sops.secrets."ni/wireguard/private-key".path;

-    dns = with wireguardPeers.server; [ IPv4 IPv6 ];
-
    address = with wireguardPeers.desktop; [
      "${IPv4}/24"
      "${IPv6}/96"
--- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
+++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
@ -5,15 +5,11 @@
 # from nixos-generators.
 let
  inherit (builtins) toString;
-  inherit (import ./networks.nix) interfaces preferredInternalTLD privateIPv6Prefix;
+  inherit (import ./networks.nix) interfaces;

  # This is just referring to the same interface just with alternative names.
  mainEthernetInterfaceNames = [ "ens3" "enp0s3" ];
  internalEthernetInterfaceNames = [ "ens10" "enp0s10" ];
-
-  internalDomains = [
-    "~${config.networking.domain}.${preferredInternalTLD}"
-  ];
 in
 {
  imports = [
@ -57,14 +53,16 @@ in
  # The internal DNS server of choice.
  services.dnsmasq = {
    enable = true;
-    settings.listen-address = with interfaces.internal; [ IPv4.address IPv6.address ];
+    settings = {
+      listen-address = with interfaces.internal; [ IPv4.address IPv6.address ];
+      port = 3908;
+    };
  };

  # The main DNS server (not exactly by choice).
  services.resolved = {
    enable = true;
    dnssec = "true";
-    domains = internalDomains;
  };

  # The interface configuration is based from the following discussion:
@ -93,7 +91,6 @@ in
        };
      };

-      # The internal server.
      "20-lan" = with interfaces.internal; {
        matchConfig.Name = lib.concatStringsSep " " internalEthernetInterfaceNames;

@ -106,11 +103,6 @@ in
          IPv4.gateway
          IPv6.gateway
        ];
-
-        networkConfig = {
-          DNS = [ interfaces.internal.IPv4.address ];
-          Domains = lib.concatStringsSep " " internalDomains;
-        };
      };
    };
  };
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@ -5,12 +5,16 @@
 let
  acmeName = "wireguard.${config.networking.domain}";
  inherit (builtins) toString;
-  inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
+  inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers preferredInternalTLD;

  wireguardIFName = "wireguard0";

  desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/24" "${IPv6}/96" ];
  phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/24" "${IPv6}/96" ];
+
+  internalDomains = [
+    "~${config.networking.domain}.${preferredInternalTLD}"
+  ];
 in
 {
  environment.systemPackages = [ pkgs.wireguard-tools ];
@ -52,6 +56,18 @@ in

    networks."99-${wireguardIFName}" = {
      matchConfig.Name = wireguardIFName;
+
+      networkConfig = {
+        DNS = with interfaces.internal; let
+          internalDNSPort = config.services.dnsmasq.settings.port;
+        in [
+          "${IPv4.address}:${toString internalDNSPort}"
+          "${IPv6.address}:${toString internalDNSPort}"
+        ];
+        Domains = lib.concatStringsSep " " internalDomains;
+        DNSDefaultRoute = false;
+      };
+
      address = with interfaces.wireguard0; [
        "${IPv4.address}/32"
        "${IPv6.address}/128"