From b4b10c57262b557f623247447f10d5366d136765 Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Sun, 18 Aug 2024 14:18:12 +0300
Subject: [PATCH] feat: rest of lxc common, working dns configuration
---
 .sops.yaml | 7 +++
 hosts/dns/default.nix | 17 ++++++
 roles/prometheus.nix | 12 ++++
 secrets/dns/secrets.yaml | 34 +++++++++++
 systems/hosts/default.nix | 2 +-
 systems/hosts/dns/default.nix | 102 +++++++++++++++++++++++++++++++
 systems/profiles/lxc/default.nix | 8 ++-
 systems/profiles/lxc/lxc.nix | 2 +
 systems/profiles/lxc/roles.nix | 15 +++++
 9 files changed, 197 insertions(+), 2 deletions(-)
 create mode 100644 hosts/dns/default.nix
 create mode 100644 secrets/dns/secrets.yaml
 create mode 100644 systems/hosts/dns/default.nix
 create mode 100644 systems/profiles/lxc/roles.nix
diff --git a/.sops.yaml b/.sops.yaml
index bae6809..e729cf1 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,7 @@ keys:
 - &liljamo_gpg 848EEBCEE9F0D29D25C321A658577946A65EB712
 - &arwen age15hcszwfk0d6cu9ua6g4udj9tdq63jm8lja66ktxu0fjfuczczcwsm5kcxn
 - &alice age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
+ - &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
 creation_rules:
 - path_regex: secrets/arwen/[^/]+\.yaml$
 key_groups:
@@ -15,3 +16,9 @@ creation_rules:
 - *liljamo_gpg
 age:
 - *alice
+ - path_regex: secrets/dns/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *dns
diff --git a/hosts/dns/default.nix b/hosts/dns/default.nix
new file mode 100644
index 0000000..d840393
--- /dev/null
+++ b/hosts/dns/default.nix
@@ -0,0 +1,17 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.liljamoPwd.neededForUsers = true;
+
+ roles.base = {
+ root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ primaryUser = {
+ username = "liljamo";
+ hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
+ };
+ };
+
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+}
diff --git a/roles/prometheus.nix b/roles/prometheus.nix
index c8f1f5a..862adf4 100644
--- a/roles/prometheus.nix
+++ b/roles/prometheus.nix
@@ -20,6 +20,7 @@ in {
 enable = lib.mkEnableOption "node exporter";
 port = lib.mkOption {
 type = lib.types.port;
+ default = 9100;
 };
 extraFlags = lib.mkOption {
 type = lib.types.listOf lib.types.str;
@@ -32,6 +33,10 @@ in {
 type = lib.types.submodule {
 options = {
 enable = lib.mkEnableOption "systemd exporter";
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 9558;
+ };
 };
 };
 };
@@ -41,12 +46,19 @@ in {
 }; config = { + networking.firewall.allowedTCPPorts = lib.mkIf cfg.exporters.openFirewall [ + cfg.exporters.node.port + cfg.exporters.systemd.port + ]; + services.prometheus.exporters = { node = lib.mkIf cfg.exporters.node.enable { + enable = true; port = cfg.exporters.node.port; extraFlags = cfg.exporters.node.extraFlags; }; systemd = lib.mkIf cfg.exporters.systemd.enable { + enable = true; port = cfg.exporters.systemd.port; }; };
diff --git a/secrets/dns/secrets.yaml b/secrets/dns/secrets.yaml
new file mode 100644
index 0000000..3a28f4d
--- /dev/null
+++ b/secrets/dns/secrets.yaml
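Review bot: The firewall rule in the last hunk opens both exporter ports whenever `openFirewall` is set, including the port of an exporter that is not enabled, so a host with only the node exporter on still exposes 9558 with nothing (or, later, something unrelated) listening there. Since `lib.mkIf cfg.exporters.node.enable` already gates each exporter, the port list should be gated the same way: `networking.firewall.allowedTCPPorts = lib.mkIf cfg.exporters.openFirewall (lib.optional cfg.exporters.node.enable cfg.exporters.node.port ++ lib.optional cfg.exporters.systemd.enable cfg.exporters.systemd.port);`. The `openFirewall` option itself is declared outside this hunk, and `systems/profiles/lxc/roles.nix` in this same patch turns it on for every LXC host, so exporter metrics become reachable on every interface of every container; if the scraper only ever arrives over one network, `networking.firewall.interfaces.<scrape-iface>.allowedTCPPorts` would keep the exposure to that interface, and otherwise the option description should say that `openFirewall` is unrestricted.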
@@ -0,0 +1,34 @@
+rootPwd: ENC[AES256_GCM,data:cuZt7paSCrVK7rp88SXhrFmko7YLIWgNG3KNmcelCBJBvoCAlLwSdfXMKljMGWTBB5qs+GQTSYlbPlqjRfWEX/imABrivg8YMGNn4o8O0hkWvyc9IYCGFVaTJkrB5gNpkMLEHda05Wvf/w==,iv:n+tuhDnyYIe9xl9YYPkhMnh5W/g3Ceg7E5Nuy5pu97s=,tag:aq37MjrsizGuwIHgDGt2dw==,type:str]
+liljamoPwd: ENC[AES256_GCM,data:MMissiTedcpmM7cWGm3PL3/7mrRMLcHatf4BHTcrR1BjGkpEuSIwFxQGgbhulj2Taa4djdL7013tS6Jbb+Hz/o/yL1SrKDD5w0y1hwXcjfDYTsys9uly5UoCtQDLG0gFn4FLxv00ATufdw==,iv:psHrWXFAsUKcgDnDjAOdAOo6bF8h8yr/MLyJeC1+cRI=,tag:BC4EaIT3Rqw/2W1LXxxIvA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUjk1RFVHS0FEdEVBUlll
+ UHdFMkF0c2pHeU03d1BCdS95SnY1QTNZanhzCmlXaEU3SzZwSXNxSzN2VGdYVGxy
+ ekplWlU2WlpZVVd3VWpVejR4eDMvZ00KLS0tIHFPU3BSbGhKS1FPMWhZdXNmQnVH
+ ZVRRZ1hkRllRd1BGTmU0STVQNWVGT1UKE4PBQjAlb0NCI8vrAv9GpsmJFBkR6qRw
+ 4RYHGreTyTgE1NLyf4d+AMIrTmfIXixx4SeiInO4tmMct6ds1gwMAw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-18T09:49:50Z"
+ mac: ENC[AES256_GCM,data:No+EUPIds/phGQHY+Lw/8Ict+iLn+0509oXcx2sW2OjGnGU3mJ4uFPrtpoEJ/JWyHUwKhVkuNmqNT4zYe+qVnGUYxnTDFnjcC+nlcIxIkI9vxQhDYruS0FitxuG6BK+6YLmOszmMIEHf2MZUfK5MFvPqAn2gQbzPXzNj+fzW2xo=,iv:seFsJRgJbrHATjTuJ1y55WrrOait56oXSjvB41i29kY=,tag:Zi0N+niUxzqhKytwAZ5RpA==,type:str]
+ pgp:
+ - created_at: "2024-08-18T09:36:11Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdAVIcbSeZWtHEDhkfeggDV3LSknWNTM4RIdFEm2rHonAQw
+ U3K6g+u+bjBdef2CjIgLeTGrY9/+W3ZdfqhQjAGrEYfY553NKbkOFwKXQvOkkZxK
+ 1GgBCQIQicMZu47070ML7Em5DW9u+npjWc2Mv37B4sWDbrMr+4v2HzHdKhmdpAXS
+ AlAZYs+AOVWrMEWzuAvfuqQzRSVM0QLRg0n+9ITCL5dfcAAQe/oUo+AOpsrvDn33
+ fsHSuGxQWapf2w==
+ =GCrz
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/systems/hosts/default.nix b/systems/hosts/default.nix
index 99d81f2..d969f4f 100644
--- a/systems/hosts/default.nix
+++ b/systems/hosts/default.nix
@@ -19,6 +19,6 @@
 dns = {
 system = "x86_64-linux";
 profile = lxc;
- moduels = [];
+ modules = [];
 };
 }
diff --git a/systems/hosts/dns/default.nix b/systems/hosts/dns/default.nix
new file mode 100644
index 0000000..fb3504c
--- /dev/null
+++ b/systems/hosts/dns/default.nix
@@ -0,0 +1,102 @@
+{...}: let
+ proxyAlias = "proxy.home.arpa";
+ proxyIP = "10.1.2.10";
+
+ defaultDnsServers = ["https://dns.quad9.net/dns-query"];
+ bootstrapDnsServers = ["9.9.9.9"];
+
+ portDns = 53;
+ portDoT = 853;
+ portWebDoH = 80;
+
+ rlUrl = ".rustylily.home.arpa";
+ uwUrl = ".uwulpine.home.arpa";
+in {
+ networking.firewall.allowedTCPPorts = [
+ portDoT
+ portWebDoH
+ ];
+ networking.firewall.allowedUDPPorts = [portDns];
+
+ services.blocky = {
+ enable = true;
+ settings = {
+ upstreams = {
+ groups = {
+ default = defaultDnsServers;
+ };
+ timeout = "2s";
+ };
+ customDNS = {
+ customTTL = "1h";
+ mapping = {
+ "${proxyAlias}" = proxyIP;
+
+ "dns${rlUrl}" = proxyIP;
+
+ "multi.media${rlUrl}" = proxyIP;
+ "books.media${rlUrl}" = proxyIP;
+ "nextcloud${rlUrl}" = proxyIP;
+
+ "metrics${rlUrl}" = proxyIP;
+
+ "portainer${uwUrl}" = proxyIP;
+ "registry${uwUrl}" = proxyIP;
+ "registryui${uwUrl}" = proxyIP;
+ };
+ };
+ blocking = {
+ blackLists = {
+ ads = [
+ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+ ];
+ };
+ whiteLists = {};
+ clientGroupsBlock = {
+ default = ["ads"];
+ };
+ # 'zeroIp' is default, and returns 0.0.0.0
+ # 'nxDomain' would return a NXDOMAIN code
+ blockType = "zeroIp";
+ blockTTL = "6h";
+ # how often to refresh lists
+ loading = {
+ downloads = {
+ timeout = "5m";
+ attempts = 5;
+ cooldown = "30s";
+ };
+ refreshPeriod = "4h";
+ strategy = "blocking";
+ };
+ };
+ caching = {
+ minTime = "0m";
+ maxTime = "60m";
+ maxItemsCount = 10000;
+ prefetching = false;
+ # cache NXDOMAIN results for only a short time
+ cacheTimeNegative = "5m";
+ };
+ prometheus = {
+ enable = true;
+ path = "/metrics";
+ };
+ minTlsServeVersion = "1.3";
+ bootstrapDns = bootstrapDnsServers;
+ ports = {
+ dns = portDns;
+ tls = portDoT;
+ http = portWebDoH;
+ };
+ log = {
+ level = "info";
+ format = "text";
+ timestamp = true;
+ privacy = true;
+ };
+ };
+ };
+
+ system.stateVersion = "24.05";
+}
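Review bot: `portWebDoH` (80) is opened in `networking.firewall.allowedTCPPorts` and handed to blocky as `ports.http`, but that listener is plain HTTP: besides DoH it serves the `/metrics` endpoint enabled further down and, as far as I recall blocky's layout, its REST API, which has endpoints for switching blocking off, so any client that can reach port 80 can disable ad-blocking without authentication. If the TLS-terminating proxy at `proxyIP` is the only intended consumer (the `dns${rlUrl}` mapping suggests that), bind the listener to the address the proxy reaches instead of every interface, e.g. `http = "<proxy-facing-address>:${toString portWebDoH}";`, and/or move the firewall entry under `networking.firewall.interfaces.<iface>.allowedTCPPorts`. A comment next to the constant, `# plain HTTP: DoH, /metrics and the API; expected to be fronted by the TLS proxy at proxyIP`, would make the intent explicit, and since nothing here is actually served over HTTPS a name like `portHttp` would describe what blocky does with it better than `portWebDoH`.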
diff --git a/systems/profiles/lxc/default.nix b/systems/profiles/lxc/default.nix
index e5fb0f5..b547b75 100644
--- a/systems/profiles/lxc/default.nix
+++ b/systems/profiles/lxc/default.nix
@@ -1,11 +1,17 @@
-inputs @ {sops-nix, ...}: { +inputs @ { + home-manager, + sops-nix, + ... +}: { modules = [ sops-nix.nixosModules.sops + home-manager.nixosModules.home-manager ../../../modules ../../../roles ./lxc.nix + ./roles.nix ]; specialArgs = { inherit inputs;
diff --git a/systems/profiles/lxc/lxc.nix b/systems/profiles/lxc/lxc.nix
index d222e63..c6f73c0 100644
--- a/systems/profiles/lxc/lxc.nix
+++ b/systems/profiles/lxc/lxc.nix
@@ -4,6 +4,8 @@
 lib, ... }: { + sops.defaultSopsFile = ../../../secrets/${config.networking.hostName}/secrets.yaml; + boot.isContainer = true; # Install new init script
diff --git a/systems/profiles/lxc/roles.nix b/systems/profiles/lxc/roles.nix
new file mode 100644
index 0000000..ff82fc2
--- /dev/null
+++ b/systems/profiles/lxc/roles.nix
@@ -0,0 +1,15 @@
+{
+ roles.prometheus.exporters = {
+ openFirewall = true;
+ node = {
+ enable = true;
+ extraFlags = [
+ "--collector.disable-defaults"
+ "--collector.filesystem"
+ "--collector.stat"
+ "--collector.time"
+ ];
+ };
+ systemd.enable = true;
+ };
+}
--
2.44.1
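Review bot: The `sops.defaultSopsFile` line in lxc.nix derives the secrets path from `config.networking.hostName`, which makes every host on the lxc profile depend on `secrets/<hostName>/secrets.yaml` existing (and on a matching `creation_rules` entry in `.sops.yaml` for that host's age key); I expect a host without that file to fail already at evaluation, since the path is copied into the store. That contract is not visible from the profile itself, so a comment above the line would help: `# every lxc host must ship secrets/<hostName>/secrets.yaml and a .sops.yaml rule for its age key`. The enclosing attribute set starts before and continues past this hunk.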