feat(utsuho): dnsmasq

generate.nix

@@ -24,25 +24,17 @@
   mkNodeSystem = system: {
     network = let
       inherit (system.config.proxmox) network;
-      inherit (network) internal;
-      inherit (network.interfaces) net0;
-      mapAddress6 = prefix: interface:
-        if interface.address6 == "dhcp" then null
-        else if interface.address6 == "auto" then "${prefix}${interface.slaac.postfix}"
-        else mapNullable (removeSuffix "/64") interface.address6;
-      mapAddress4 = interface:
-        if elem interface.address4 [ "dhcp" "auto" ] then null
-        else mapNullable (removeSuffix "/24") interface.address4;
+      inherit (network) internal local;
     in {
       int = if internal.interface != null then {
         inherit (internal.interface) macAddress;
-        address6 = mapAddress6 "fd0c::" internal.interface;
-        address4 = mapAddress4 internal.interface;
+        address4 = removeSuffix "/24" internal.interface.address4;
+        address6 = removeSuffix "/64" internal.interface.address6;
       } else null;
-      local = if network.interfaces.net0.bridge or null == "vmbr0" then {
-        inherit (net0) macAddress;
-        address6 = mapAddress6 "fd0a::" net0;
-        address4 = mapAddress4 net0;
+      local = if local.interface != null then {
+        inherit (local.interface) macAddress;
+        address4 = mapNullable (removeSuffix "/24") local.interface.local.address4;
+        address6 = mapNullable (removeSuffix "/64") local.interface.local.address6;
       } else null;
       tail = warn "TODO: generate network.tail" null;
     };

modules/nixos/access.nix

@@ -139,10 +139,10 @@ in {
     firewall = {
       interfaces.local = {
         nftables.conditions = [
-          "ip saddr { ${concatStringsSep ", " cfg.cidrForNetwork.local.v4} }"
+          "ip saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4)} }"
           (
             mkIf networking.enableIPv6
-            "ip6 saddr { $localrange6, ${concatStringsSep ", " cfg.cidrForNetwork.local.v6} }"
+            "ip6 saddr { $localrange6, ${concatStringsSep ", " (cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6)} }"
           )
         ];
       };

modules/nixos/network/resolve.nix

@@ -0,0 +1,70 @@
+{config, lib, ...}: let
+  inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
+  inherit (lib.lists) filter optional;
+  inherit (lib.strings) hasInfix concatStrings;
+  inherit (config.services) resolved;
+  enabledNameservers = filter (ns: ns.enable) (config.networking.nameservers');
+  nameserverModule = {config, ...}: let
+    dnsPort = 53;
+    mkResolvedValue = { address, port, interface ? null, host ? null }: let
+      isIpv6 = hasInfix ":" address;
+      isPlain = port == dnsPort && interface == null && host == null;
+      addr = if isIpv6 && !isPlain then "[${address}]" else address;
+    in concatStrings (
+      [ addr ]
+      ++ optional (port != dnsPort) ":${toString port}"
+      ++ optional (interface != null) "%${interface}"
+      ++ optional (host != null) "#${host}"
+    );
+  in {
+    options = with lib.types; {
+      enable = mkEnableOption "nameserver" // {
+        default = true;
+      };
+      address = mkOption {
+        type = str;
+      };
+      port = mkOption {
+        type = port;
+        default = dnsPort;
+      };
+      interface = mkOption {
+        type = nullOr str;
+        default = null;
+      };
+      host = mkOption {
+        type = nullOr str;
+        default = null;
+      };
+      resolvedValue = mkOption {
+        type = str;
+        readOnly = true;
+      };
+      value = mkOption {
+        type = str;
+        internal = true;
+      };
+    };
+    config = {
+      resolvedValue = mkOptionDefault (mkResolvedValue {
+        inherit (config) address port interface host;
+      });
+      value = mkOptionDefault (mkResolvedValue {
+        inherit (config) address port;
+      });
+    };
+  };
+in {
+  options.networking = with lib.types; {
+    nameservers' = mkOption {
+      type = listOf (submodule nameserverModule);
+      default = { };
+    };
+  };
+  config = {
+    networking.nameservers = mkIf (config.networking.nameservers' != [ ]) (
+      map (ns: if resolved.enable then ns.resolvedValue else ns.value) enabledNameservers
+    );
+  };
+}

modules/system/access.nix

@@ -10,16 +10,26 @@
   inherit (inputs.self.lib) systems;
   inherit (inputs.self.lib.lib) domain;
   inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
+  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+  inherit (lib.strings) removeSuffix;
   cfg = config.access;
   systemConfig = config;
   systemAccess = access;
+  hasInt = config.proxmox.enabled && config.proxmox.network.internal.interface != null;
+  hasLocal = config.proxmox.enabled && config.proxmox.network.local.interface != null;
+  hasTail = cfg.tailscale.enable;
   nixosModule = {
     config,
     system,
+    access,
     ...
   }: let
     cfg = config.networking.access;
+    addressForAttr = if config.networking.enableIPv6 then "address6ForNetwork" else "address4ForNetwork";
+    has'Int = system.proxmox.enabled && system.proxmox.network.internal.interface != null;
+    has'Local = system.proxmox.enabled && system.proxmox.network.local.interface != null;
+    has'Tail' = config.services.tailscale.enable;
+    has'Tail = lib.warnIf (hasTail != has'Tail') "tailscale set incorrectly in system.access for ${config.networking.hostName}" has'Tail';
   in {
     options.networking.access = with lib.types; {
       global.enable =
@@ -34,8 +44,22 @@
     };
     config = {
       networking.access = {
-        moduleArgAttrs = {
-          inherit (systemAccess) hostnameForNetwork;
+        moduleArgAttrs = let
+          mkGetAddressFor = addressForAttr: hostName: network: let
+            forSystem = access.systemFor hostName;
+            err = throw "no lan interface found between ${config.networking.hostName} and ${hostName}";
+          in {
+            lan =
+              if has'Int then forSystem.access.${addressForAttr}.int or forSystem.access.${addressForAttr}.local or err
+              else if hasLocal then forSystem.access.${addressForAttr}.local or err
+              else err;
+            ${if has'Local then "local" else null} = forSystem.access.${addressForAttr}.local or err;
+            ${if has'Int then "int" else null} = forSystem.access.${addressForAttr}.int or err;
+            # TODO: tail
+          }.${network} or err;
+        in {
+          inherit (systemAccess) hostnameForNetwork address4ForNetwork address6ForNetwork;
+          addressForNetwork = systemAccess.${addressForAttr};
           systemFor = hostName:
             if hostName == config.networking.hostName
             then systemConfig
@@ -52,6 +76,21 @@
             if hostName == config.networking.hostName
             then config
             else systemAccess.nixosForOrNull hostName;
+          getAddressFor = mkGetAddressFor addressForAttr;
+          getAddress4For = mkGetAddressFor "address4ForNetwork";
+          getAddress6For = mkGetAddressFor "address6ForNetwork";
+          getHostnameFor = hostName: network: let
+            forSystem = access.systemFor hostName;
+            err = throw "no ${network} interface found between ${config.networking.hostName} and ${hostName}";
+          in {
+            lan =
+              if hasInt then forSystem.access.hostnameForNetwork.int or forSystem.access.hostnameForNetwork.local or err
+              else if hasLocal then forSystem.access.hostnameForNetwork.local or err
+              else err;
+            ${if has'Local then "local" else null} = forSystem.access.hostnameForNetwork.local or err;
+            ${if has'Int then "int" else null} = forSystem.access.hostnameForNetwork.int or err;
+            ${if has'Tail then "tail" else null} = forSystem.access.hostnameForNetwork.tail or err;
+          }.${network} or err;
         };
       };
       networking.tempAddresses = mkIf cfg.global.enable (
@@ -77,22 +116,71 @@ in {
       type = attrsOf str;
       default = {};
     };
+    address4ForNetwork = mkOption {
+      type = attrsOf str;
+      default = {};
+    };
+    address6ForNetwork = mkOption {
+      type = attrsOf str;
+      default = {};
+    };
   };
   config = {
     modules = [
       nixosModule
     ];
 
-    access = {
-      hostnameForNetwork = {
-        local = mkOptionDefault "${cfg.hostName}.local.${cfg.domain}";
-        tail = mkIf cfg.tailscale.enable (mkOptionDefault "${cfg.hostName}.tail.${cfg.domain}");
-        global = mkIf cfg.global.enable (mkOptionDefault "${cfg.hostName}.${cfg.domain}");
+    access = let
+      local'interface = config.proxmox.network.local.interface;
+      int'interface = config.proxmox.network.internal.interface;
+      hasInt4 = hasInt && int'interface.address4 != null;
+      hasInt6 = hasInt && int'interface.address6 != null;
+      hasLocal4 = hasLocal && local'interface.local.address4 or null != null;
+      hasLocal6 = hasLocal && local'interface.local.address6 or null != null;
+    in {
+      hostnameForNetwork = let
+        int = "${cfg.hostName}.int.${cfg.domain}";
+        local = "${cfg.hostName}.local.${cfg.domain}";
+        tail = "${cfg.hostName}.tail.${cfg.domain}";
+        global = "${cfg.hostName}.${cfg.domain}";
+      in {
+        lan = mkMerge [
+          (mkIf hasInt (mkDefault int))
+          (mkOptionDefault local)
+        ];
+        int = mkIf hasInt (mkOptionDefault int);
+        local = mkOptionDefault local;
+        tail = mkIf hasTail (mkOptionDefault tail);
+        global = mkIf cfg.global.enable (mkOptionDefault global);
+      };
+      address4ForNetwork = let
+        int = removeSuffix "/24" int'interface.address4;
+        local = removeSuffix "/24" local'interface.local.address4;
+      in {
+        lan = mkMerge [
+          (mkIf hasInt4 (mkDefault int))
+          (mkIf hasLocal4 (mkOptionDefault local))
+        ];
+        int = mkIf hasInt4 (mkOptionDefault int);
+        local = mkIf hasLocal4 (mkOptionDefault local);
+        # TODO: tail
+      };
+      address6ForNetwork = let
+        int = removeSuffix "/64" int'interface.address6;
+        local = removeSuffix "/64" local'interface.local.address6;
+      in {
+        lan = mkMerge [
+          (mkIf hasInt6 (mkDefault int))
+          (mkIf hasLocal6 (mkOptionDefault local))
+        ];
+        int = mkIf hasInt6 (mkOptionDefault int);
+        local = mkIf hasLocal6 (mkOptionDefault local);
+        # TODO: tail
       };
     };
 
     _module.args.access = {
-      inherit (cfg) hostnameForNetwork;
+      inherit (cfg) hostnameForNetwork address4ForNetwork address6ForNetwork;
       systemFor = hostName: systems.${hostName}.config;
       systemForOrNull = hostName: systems.${hostName}.config or null;
       nixosFor = hostName: nixosConfigurations.${hostName}.config or (access.systemFor hostName).built.config;

modules/system/proxmox/network.nix

@@ -3,7 +3,7 @@
   inherit (lib.options) mkOption mkEnableOption;
   inherit (lib.modules) mkIf mkMerge mkOptionDefault mkOverride;
   inherit (lib.attrsets) attrValues;
-  inherit (lib.lists) elem findSingle;
+  inherit (lib.lists) elem findSingle findFirst;
   inherit (lib.strings) hasPrefix removePrefix replaceStrings;
   inherit (lib.trivial) mapNullable;
   mkAlmostOptionDefault = mkOverride 1250;
@@ -52,7 +52,7 @@
       };
       mdns = {
         enable = mkEnableOption "mDNS" // {
-          default = system.proxmox.node.name == "reisen" && config.id == "net0";
+          default = config.local.enable && config.id == "net0";
         };
       };
       slaac = {
@@ -63,6 +63,18 @@
       internal = {
         enable = mkEnableOption "internal network interface";
       };
+      local = {
+        enable = mkOption {
+          type = bool;
+          default = system.proxmox.node.name == "reisen" && config.id == "net0" && config.bridge == "vmbr0";
+        };
+        address4 = mkOption {
+          type = nullOr str;
+        };
+        address6 = mkOption {
+          type = nullOr str;
+        };
+      };
       networkd = {
         enable = mkEnableOption "systemd.network" // {
           default = true;
@@ -73,7 +85,17 @@
       };
     };
     config = let
+      hasAddr4 = ! elem config.address4 [ null "dhcp" ];
+      hasAddr6 = ! elem config.address6 [ null "dhcp" "auto" ];
       conf = {
+        local = mkIf config.local.enable {
+          address4 = mkOptionDefault (if hasAddr4 then config.address4 else null);
+          address6 = mkOptionDefault (
+            if config.address6 == "auto" && config.slaac.postfix != null then "fd0a::${config.slaac.postfix}"
+            else if hasAddr6 then config.address6
+            else null
+          );
+        };
         name = mkMerge [
           (mkIf (hasPrefix "net" config.id && system.proxmox.container.enable) (mkOptionDefault ("eth" + removePrefix "net" config.id)))
           # VMs have names like `ens18` for net0...
@@ -146,10 +168,16 @@ in {
         type = nullOr unspecified;
       };
     };
+    local = {
+      interface = mkOption {
+        type = nullOr unspecified;
+      };
+    };
   };
   config.proxmox.network = {
     internal = {
       interface = mkOptionDefault (findSingle (interface: interface.internal.enable) null (throw "expected only one internal network interface") (attrValues cfg.interfaces));
     };
+    local.interface = mkOptionDefault (findFirst (interface: interface.local.enable) null (attrValues cfg.interfaces));
   };
 }

nixos/access/freepbx.nix

@@ -3,19 +3,18 @@
   lib,
   ...
 }: let
-  inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.options) mkOption;
   inherit (lib.modules) mkIf mkDefault;
   inherit (lib.lists) head optional;
   inherit (lib.strings) splitString;
   inherit (config.services) nginx;
   access = nginx.access.freepbx;
-  freepbx = config.lib.access.systemFor "freepbx";
   hasSsl = nginx.virtualHosts.freepbx'ucp.listen'.ucpSsl.enable;
 in {
   options.services.nginx.access.freepbx = with lib.types; {
     host = mkOption {
       type = str;
-      default = freepbx.access.hostnameForNetwork.local;
+      default = config.lib.access.getHostnameFor "freepbx" "lan";
     };
     url = mkOption {
       type = str;

nixos/base/network.nix

@@ -12,6 +12,11 @@ in {
     nftables.enable = true;
     domain = mkDefault domain;
     hostName = mkOverride 25 name;
+    nameservers' = [
+      #{ address = "8.8.8.8"; host = "dns.google"; }
+      { address = "1.1.1.1"; host = "cloudflare-dns.com"; }
+      { address = "1.0.0.1"; host = "cloudflare-dns.com"; }
+    ];
   };
 
   # work around https://github.com/NixOS/nixpkgs/issues/132646

nixos/dnsmasq.nix

@@ -0,0 +1,92 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}: let
+  inherit (inputs.self.lib) generate;
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkBefore mkDefault mkForce;
+  inherit (lib.attrsets) filterAttrs mapAttrsToList nameValuePair listToAttrs;
+  inherit (lib.lists) filter concatLists;
+  inherit (lib.strings) hasPrefix replaceStrings concatStringsSep;
+  inherit (lib.trivial) mapNullable;
+  cfg = config.services.dnsmasq;
+  mkHostRecordPairs = systemName: system: [
+    (mkHostRecordPair "int" systemName system)
+    (mkHostRecordPair "local" systemName system)
+    #(mkHostRecordPair "tail" systemName system)
+  ];
+  mapDynamic4 = replaceStrings [ "10.1.1." ] [ "0.0.0." ];
+  mapDynamic6 = replaceStrings [ "fd0a::" ] [ "2001::" ];
+  mkDynamicHostRecord = systemName: system: let
+    address4 = system.network.local.address4 or null;
+    address6 = system.network.local.address6 or null;
+  in concatStringsSep "," ([
+    "${systemName}.${config.networking.domain}"
+  ] ++ lib.optional (address4 != null)
+    (toString (mapNullable mapDynamic4 address4))
+  ++ lib.optional (address6 != null)
+    (toString (mapNullable mapDynamic6 address6))
+  ++ lib.singleton
+    cfg.dynamic.interface
+  );
+  mkHostRecordPair = network: systemName: system: let
+    address4 = system.network.${network}.address4 or null;
+    address6 = system.network.${network}.address6 or null;
+  in nameValuePair
+    "${systemName}.${network}.${config.networking.domain}"
+    (concatStringsSep "," (
+    lib.optional (address4 != null)
+      (toString address4)
+    ++ lib.optional (address6 != null)
+      (toString address6)
+    ));
+  systemHosts = filterAttrs (_: value: value != "") (
+    listToAttrs (concatLists (mapAttrsToList mkHostRecordPairs generate.reisen.systems))
+  );
+  mkHostRecord = name: record: "${name},${record}";
+  filterns = ns: !hasPrefix "127.0.0" ns || ns == "::1";
+  filterns' = ns: ns.enable && filterns ns.address;
+in {
+  options.services.dnsmasq = with lib.types; {
+    resolveLocalQueries' = mkOption {
+      type = bool;
+      description = "add to resolv.conf, ignore the origin upstream option thanks";
+      default = true;
+    };
+    dynamic.interface = mkOption {
+      type = str;
+      default = "eth0";
+    };
+  };
+  config = {
+    services.dnsmasq = {
+      enable = mkDefault true;
+      resolveLocalQueries = mkForce false;
+      settings = {
+        host-record = mapAttrsToList mkHostRecord systemHosts;
+        dynamic-host = mapAttrsToList mkDynamicHostRecord generate.reisen.systems;
+        server =
+          if config.networking.nameservers' != [ ] then map (ns: ns.address) (filter filterns' config.networking.nameservers')
+          else filter filterns config.networking.nameservers
+        ;
+        max-cache-ttl = 60;
+      };
+    };
+    services.resolved = mkIf cfg.enable {
+      extraConfig = ''
+        DNSStubListener=no
+      '';
+    };
+    networking = mkIf cfg.enable {
+      firewall = {
+        interfaces.local.allowedTCPPorts = [ 53 ];
+        interfaces.local.allowedUDPPorts = [ 53 ];
+      };
+      nameservers' = mkIf cfg.resolveLocalQueries' (mkBefore [
+        { address = "127.0.0.1"; }
+      ]);
+    };
+  };
+}

nixos/reisen-ct/network.nix

@@ -1,11 +1,13 @@
 {
   lib,
   config,
+  inputs,
   options,
   meta,
+  access,
   ...
 }: let
-  inherit (lib.modules) mkIf;
+  inherit (lib.modules) mkIf mkBefore;
 in {
   imports = let
     inherit (meta) nixos;
@@ -24,6 +26,9 @@ in {
     linkConfig.Multicast = true;
     networkConfig.MulticastDNS = true;
   };
+  networking.nameservers' = mkIf (!config.services.dnsmasq.enable && config.networking.hostName != "utsuho" && config.networking.hostName != "ct") (mkBefore [
+    { address = access.getAddressFor "utsuho" "lan"; }
+  ]);
 
   boot.kernel.sysctl = {
     # not sure how to get it to overlap with subgid/idmap...

nixos/zigbee2mqtt.nix

@@ -46,4 +46,8 @@ in {
   services.udev.extraRules = mkIf cfg.enable ''
     SUBSYSTEM=="tty", ATTRS{interface}=="Sonoff Zigbee 3.0 USB Dongle Plus", OWNER="zigbee2mqtt", SYMLINK+="ttyZigbee"
   '';
+
+  networking.firewall.interfaces.local.allowedTCPPorts = mkIf cfg.enable [
+    cfg.settings.frontend.port
+  ];
 }

systems/freeipa/default.nix

@@ -16,6 +16,10 @@ _: {
     };
   };
   extern.files = {
+    "/etc/systemd/resolved.conf" = {
+      source = ./resolved.conf;
+      mode = "0644";
+    };
     "/etc/NetworkManager/system-connections/ens18.nmconnection" = {
       source = ./ens18.nmconnection;
       mode = "0600";

systems/freeipa/ens18.nmconnection

@@ -10,7 +10,7 @@ timestamp=1706677871
 
 [ipv4]
 address1=10.1.1.46/24,10.1.1.1
-dns=1.1.1.1;
+dns=10.1.1.38;1.1.1.1;1.0.0.1;
 method=manual
 
 [ipv6]

systems/freeipa/int.nmconnection

@@ -4,6 +4,7 @@ type=ethernet
 interface-name=ens19
 [ipv4]
 address1=10.9.1.170/24
+dns=10.9.1.76;
 may-fail=true
 method=manual
 [ipv6]

systems/freeipa/resolved.conf

@@ -0,0 +1,2 @@
+[Resolve]
+DNS=fd0c::4c 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com

systems/hakurei/nixos.nix

@@ -84,6 +84,7 @@ in {
       domain = config.networking.fqdn;
       extraDomainNames = [
         access.hostnameForNetwork.local
+        access.hostnameForNetwork.int
         (mkIf config.services.tailscale.enable access.hostnameForNetwork.tail)
       ];
     };
@@ -201,14 +202,16 @@ in {
 
   services.nginx = let
     inherit (nginx) access;
+    #inherit (config.lib.access) getHostnameFor;
+    getHostnameFor = config.lib.access.getAddress4For;
   in {
     vouch.enableLocal = false;
     access.plex = assert plex.enable; {
-      url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString plex.port}";
+      url = "http://${getHostnameFor "mediabox" "lan"}:${toString plex.port}";
       externalPort = 41324;
     };
     access.unifi = assert unifi.enable; {
-      host = utsuho.lib.access.hostnameForNetwork.local;
+      host = getHostnameFor "utsuho" "lan";
     };
     access.freeipa = {
       host = "idp.local.${config.networking.domain}";
@@ -232,7 +235,7 @@ in {
         inherit (keycloak.services) vouch-proxy;
       in assert vouch-proxy.enable; {
         ssl.cert.enable = true;
-        locations."/".proxyPass = "http://${keycloak.lib.access.hostnameForNetwork.local}:${toString vouch-proxy.settings.vouch.port}";
+        locations."/".proxyPass = "http://${getHostnameFor "keycloak" "lan"}:${toString vouch-proxy.settings.vouch.port}";
       };
       vouch'local = let
         vouch-proxy = config.services.vouch-proxy;
@@ -250,25 +253,25 @@ in {
         # not the real hass record-holder, so don't respond globally..
         local.denyGlobal = true;
         ssl.cert.enable = true;
-        locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString home-assistant.config.http.server_port}";
+        locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}:${toString home-assistant.config.http.server_port}";
       };
       zigbee2mqtt = assert zigbee2mqtt.enable; {
         # not the real z2m record-holder, so don't respond globally..
         local.denyGlobal = true;
         ssl.cert.enable = true;
-        locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString zigbee2mqtt.settings.frontend.port}";
+        locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}:${toString zigbee2mqtt.settings.frontend.port}";
       };
       grocy = {
         # not the real grocy record-holder, so don't respond globally..
         local.denyGlobal = true;
         ssl.cert.enable = true;
-        locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}";
+        locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}";
       };
       barcodebuddy = {
         # not the real bbuddy record-holder, so don't respond globally..
         local.denyGlobal = true;
         ssl.cert.enable = true;
-        locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}";
+        locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}";
       };
       freepbx = {
         ssl.cert.enable = true;
@@ -283,7 +286,7 @@ in {
         ssl.cert.enable = true;
       };
       invidious'int = {
-        locations."/".proxyPass = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}";
+        locations."/".proxyPass = "http://${getHostnameFor "mediabox" "lan"}:${toString mediabox.services.invidious.port}";
       };
     };
   };

systems/tei/cloudflared.nix

@@ -14,10 +14,10 @@
   accessHostFor = {
     hostName,
     system ? nixosFor hostName,
-    access ? "local",
+    network ? "lan",
     ...
   }: let
-    host = system.lib.access.hostnameForNetwork.${access} or (throw "unsupported access ${access}");
+    host = access.getHostnameFor hostName network;
   in
     if hostName == config.networking.hostName
     then "localhost"

systems/utsuho/nixos.nix

@@ -12,6 +12,7 @@ in {
     nixos.nginx
     nixos.access.unifi
     nixos.unifi
+    nixos.dnsmasq
   ];
 
   services.cloudflared = let