fix: nb ddev networking
This commit is contained in:
parent
431ab4e49c
commit
5191597f63
1 changed files with 17 additions and 79 deletions
|
|
@ -1,95 +1,29 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
ddev-dns-update = pkgs.writeShellScriptBin "ddev-dns-update" ''
|
||||
set -e
|
||||
hosts_file="/var/lib/dnsmasq/ddev-hosts"
|
||||
new_hosts=$(${pkgs.coreutils}/bin/mktemp)
|
||||
trap '${pkgs.coreutils}/bin/rm -f "$new_hosts"' EXIT
|
||||
|
||||
# Get running DDEV project names
|
||||
running=$(${pkgs.ddev}/bin/ddev list --json-output 2>/dev/null \
|
||||
| ${pkgs.jq}/bin/jq -r '.raw[]? | select(.status == "running") | .name // empty' 2>/dev/null) || true
|
||||
|
||||
# Build hosts entries
|
||||
for name in $running; do
|
||||
echo "127.0.0.1 $name.ddev.site" >> "$new_hosts"
|
||||
done
|
||||
|
||||
# Only reload dnsmasq if content changed
|
||||
if ! ${pkgs.diffutils}/bin/cmp -s "$new_hosts" "$hosts_file"; then
|
||||
${pkgs.coreutils}/bin/cp "$new_hosts" "$hosts_file"
|
||||
/run/wrappers/bin/sudo /run/current-system/systemd/bin/systemctl reload dnsmasq.service 2>/dev/null || true
|
||||
fi
|
||||
'';
|
||||
in
|
||||
{
|
||||
# Enable systemd-resolved with split DNS for ddev.site
|
||||
# Let DDEV manage /etc/hosts entries for its projects via `ddev-hostname`.
|
||||
# Setting a mode makes setup-etc.pl copy the rendered file into /etc/ instead
|
||||
# of symlinking to /etc/static/hosts, so DDEV can mutate it at runtime.
|
||||
# Trade-off: every nixos-rebuild/boot resets /etc/hosts to the rendered
|
||||
# content, so the user must re-run `ddev start` after a reboot/rebuild.
|
||||
environment.etc.hosts.mode = "0644";
|
||||
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
dnssec = "false";
|
||||
extraConfig = ''
|
||||
DNS=127.0.0.1:5353
|
||||
Domains=~ddev.site
|
||||
'';
|
||||
};
|
||||
|
||||
# Integrate NetworkManager with systemd-resolved
|
||||
networking.networkmanager.dns = "systemd-resolved";
|
||||
|
||||
# Local dnsmasq for .ddev.site resolution (port 5353)
|
||||
# Dynamic hosts file resolves running DDEV projects to 127.0.0.1;
|
||||
# unmatched .ddev.site queries forward to VPN DNS (returns dev server IP)
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
resolveLocalQueries = false;
|
||||
settings = {
|
||||
port = 5353;
|
||||
listen-address = "127.0.0.1";
|
||||
bind-interfaces = true;
|
||||
server = [ "/ddev.site/10.42.97.1" ];
|
||||
addn-hosts = "/var/lib/dnsmasq/ddev-hosts";
|
||||
};
|
||||
};
|
||||
|
||||
# Ensure hosts file exists before dnsmasq starts (owned by dominik so the
|
||||
# user-level service can write it)
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/dnsmasq 0755 root root -"
|
||||
"f /var/lib/dnsmasq/ddev-hosts 0644 dominik root -"
|
||||
];
|
||||
|
||||
# Poll running DDEV projects and update dnsmasq hosts
|
||||
# Runs as dominik because ddev needs user-level Docker access
|
||||
systemd.services.ddev-dns-update = {
|
||||
description = "Update dnsmasq hosts for running DDEV projects";
|
||||
after = [ "dnsmasq.service" "docker.service" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "dominik";
|
||||
ExecStart = "${ddev-dns-update}/bin/ddev-dns-update";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.timers.ddev-dns-update = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = "30s";
|
||||
OnUnitActiveSec = "10s";
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [ ddev-dns-update ];
|
||||
|
||||
# DDEV shells out to `sudo ddev-hostname` to edit /etc/hosts. Allow it
|
||||
# without a password prompt. Using the /run/current-system path keeps the
|
||||
# rule valid across DDEV package updates.
|
||||
security.sudo.extraRules = [
|
||||
{
|
||||
users = [ "dominik" ];
|
||||
commands = [
|
||||
{
|
||||
command = "${ddev-dns-update}/bin/ddev-dns-update";
|
||||
options = [ "NOPASSWD" ];
|
||||
}
|
||||
{
|
||||
command = "/run/current-system/systemd/bin/systemctl reload dnsmasq.service";
|
||||
command = "/run/current-system/sw/bin/ddev-hostname";
|
||||
options = [ "NOPASSWD" ];
|
||||
}
|
||||
];
|
||||
|
|
@ -122,11 +56,15 @@ in
|
|||
}
|
||||
];
|
||||
|
||||
# Use resolvectl for systemd-resolved integration
|
||||
# Route *.ddev.site queries through wg0's DNS while the VPN is up so
|
||||
# remote project hostnames resolve to the dev server. DDEV's hosts-file
|
||||
# override then shadows those with 127.0.0.1 for locally running
|
||||
# projects. When wg0 is down, queries fall back to the public
|
||||
# *.ddev.site wildcard (→ 127.0.0.1).
|
||||
# Note: No postDown needed - systemd-resolved automatically handles interface removal
|
||||
postSetup = ''
|
||||
${pkgs.systemd}/bin/resolvectl dns wg0 10.42.97.1
|
||||
${pkgs.systemd}/bin/resolvectl domain wg0 cloonar.com
|
||||
${pkgs.systemd}/bin/resolvectl domain wg0 cloonar.com '~ddev.site'
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue