authorMel <einebeere@gmail.com>2024-10-27 22:05:25 +0100
committerMel <einebeere@gmail.com>2024-10-27 22:05:25 +0100
commit2fc26761a1e93e6212845ebd005eab71da704d6e (patch)
tree2e2f5666ba315c9d3ba038e7e0617171268b8262
parent1e0eca0bcbfc338a585842c65c4b48d62d79728d (diff)
downloadnetwork-2fc26761a1e93e6212845ebd005eab71da704d6e.tar.zst
network-2fc26761a1e93e6212845ebd005eab71da704d6e.zip
Add global dns-blocking dnsmasq service
Signed-off-by: Mel <einebeere@gmail.com>
-rw-r--r--flake.lock19
-rw-r--r--flake.nix5
-rw-r--r--machines/corsac/default.nix2
-rw-r--r--machines/corsac/devices.nix13
-rw-r--r--modules/dns.nix40
5 files changed, 76 insertions, 3 deletions
diff --git a/flake.lock b/flake.lock
index ad13e17..66c938b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -68,12 +68,29 @@
         "type": "github"
       }
     },
+    "oisd": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1729966322,
+        "narHash": "sha256-3Qnz98SRzzFZ8n5oKcpsW4PqGHkfk+Ef+5WKxeY68BI=",
+        "owner": "sjhgvr",
+        "repo": "oisd",
+        "rev": "7634ebcc1036111300e5f0436cbea18c281a9151",
+        "type": "github"
+      },
+      "original": {
+        "owner": "sjhgvr",
+        "repo": "oisd",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "flake-compat": "flake-compat",
         "home-manager": "home-manager",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "oisd": "oisd"
       }
     }
   },
diff --git a/flake.nix b/flake.nix
index 82f0f09..c0adac4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,6 +10,11 @@
     };
 
     flake-compat.url = "github:edolstra/flake-compat";
+  
+    oisd = {
+      url = "github:sjhgvr/oisd";
+      flake = false;
+    };
   };
 
   outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, home-manager, ... }:
diff --git a/machines/corsac/default.nix b/machines/corsac/default.nix
index b118d10..956f7a7 100644
--- a/machines/corsac/default.nix
+++ b/machines/corsac/default.nix
@@ -6,6 +6,8 @@
 
     ./hardware.nix
     ./devices.nix
+  
+    ../../modules/dns.nix
   ];
 
   system.stateVersion = "24.05";
diff --git a/machines/corsac/devices.nix b/machines/corsac/devices.nix
index 71ef8d2..0c4ddd7 100644
--- a/machines/corsac/devices.nix
+++ b/machines/corsac/devices.nix
@@ -11,6 +11,15 @@
     initrd.systemd.enable = true; 
   };
 
-  # internet
-  networking.networkmanager.enable = true;
+  networking = {
+    useDHCP = false;
+    # todo: configure properly
+    firewall.enable = false;
+  };
+
+  systemd.network.enable = true;
+  systemd.network.networks."20-wired" = {
+    name = "enp1s0";
+    DHCP = "yes";
+  };
 }
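Review bot: `firewall.enable = false;` in the new `networking` block leaves every listening service on this host reachable, and the same commit starts a dnsmasq listener on enp1s0 and tailscale0 (modules/dns.nix), so the resolver is exposed to whatever network enp1s0 faces. Keep the firewall enabled and open only DNS on the interfaces that should be served, e.g. `networking.firewall.interfaces.enp1s0.allowedUDPPorts = [ 53 ];` and `networking.firewall.interfaces.enp1s0.allowedTCPPorts = [ 53 ];`, with the same for tailscale0 (or `networking.firewall.trustedInterfaces = [ "tailscale0" ];` if every peer on the tailnet is trusted). If the firewall is meant to stay off until it is configured, the `# todo` comment should say why and what is currently exposed. The attribute set this hunk closes begins outside the hunk.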
diff --git a/modules/dns.nix b/modules/dns.nix
new file mode 100644
index 0000000..c3512e4
--- /dev/null
+++ b/modules/dns.nix
@@ -0,0 +1,40 @@
+{ oisd, ... }:
+
+let
+  cloudflareServers = [
+    "1.1.1.1" "1.0.0.1"
+    "2606:4700:4700::1111" "2606:4700:4700::1001"
+  ];
+
+  quad9Servers = [
+    "9.9.9.9" "149.112.112.112"
+    "2620:fe::fe" "2620:fe::9"
+  ];
+
+  upstreamServers = cloudflareServers ++ quad9Servers;
+in
+{
+  services.resolved.enable = false;
+
+  services.dnsmasq = {
+    enable = true;
+
+    # Ref: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
+    settings = {
+      interface = [ "enp1s0" "tailscale0" ];
+      bind-dynamic = true;
+
+      server = upstreamServers;
+      cache-size = 4096;
+
+      no-resolv = true;
+      bogus-priv = true;
+      domain-needed = true;
+      localise-queries = true;
+
+      conf-file = "${oisd}/dnsmasq2_big.txt";
+
+      log-queries = true;
+    };
+  };
+}
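Review bot: The `settings` block (from `no-resolv` through `localise-queries`) does not set `stop-dns-rebind`, so an upstream answer that resolves a public name to a private or loopback address is passed straight back to clients on enp1s0 and tailscale0; for a resolver meant to protect a LAN, `stop-dns-rebind = true;` (plus `rebind-localhost-ok = true;` only if some upstream answer is expected to legitimately return 127.0.0.0/8) belongs next to `bogus-priv`. `log-queries = true` journals every client lookup, which helps while bringing the service up but is a persistent record of client browsing; a comment such as `# log-queries: every lookup is journaled - disable once the blocklist is verified` would make that deliberate. The interface name `enp1s0` is also hard-coded both here and in machines/corsac/devices.nix, so a rename in one file silently breaks the other.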