ref: b8c3e871449260e22e469d2d76f3ebfa6f03f056 nix-arta/lxc/hosts/dns/default.nix -rw-r--r-- 2.5 KiB
b8c3e871Jonni Liljamo fix: tamma secrets path 9 days ago
                                                                                
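# Blocky resolver for the "dns" LXC host: answers LAN queries on port 53
# (UDP and TCP) and DoT 853, forwards to Quad9 over DoH, maps local
# *.home.arpa names to the reverse proxy and applies an ad blocklist.
{
  config,
  util,
  ...
}: let
  # Reverse proxy that fronts every service listed in customDNS.mapping.
  proxyAlias = "proxy.home.arpa";
  proxyIP = "10.1.2.10";

  # Upstream reached over DoH; bootstrapDnsServers resolves its hostname
  # before the encrypted channel is available.
  defaultDnsServers = ["https://dns10.quad9.net/dns-query"];
  bootstrapDnsServers = ["9.9.9.9"];

  portDns = 53;
  portDoT = 853;
  # Plain-HTTP listener. Besides DoH it carries blocky's REST API and the
  # /metrics endpoint enabled below; blocky itself puts no authentication
  # in front of them (confirm against the blocky version deployed), so this
  # port should only be reachable from networks where that is acceptable.
  portWebDoH = 80;

  rlUrl = ".rustylily.home.arpa";
  uwUrl = ".uwulpine.home.arpa";
in {
  # The root password hash is a sops secret that must be decrypted before
  # user accounts are created.
  sops.secrets.rootPwd.neededForUsers = true;

  roles.base.root.hashedPasswordFile = config.sops.secrets.rootPwd.path;

  # Port 53 is opened for TCP as well as UDP: a client whose UDP answer is
  # truncated (large DNSSEC/TXT responses) retries over TCP, and with only
  # the UDP rule that retry was dropped by the firewall.
  networking.firewall.allowedTCPPorts = [
    portDns
    portDoT
    portWebDoH
  ];
  networking.firewall.allowedUDPPorts = [portDns];

  services.blocky = {
    enable = true;
    settings = {
      upstreams = {
        groups = {
          default = defaultDnsServers;
        };
        # Per-upstream query timeout.
        timeout = "2s";
      };
      # Static answers for local names; these never leave the LAN.
      customDNS = {
        customTTL = "1h";
        mapping =
          {
            "${proxyAlias}" = proxyIP;

            "dns${rlUrl}" = proxyIP;

            "multi.media${rlUrl}" = proxyIP;
            "books.media${rlUrl}" = proxyIP;
            "nextcloud${rlUrl}" = proxyIP;

            "metrics${rlUrl}" = proxyIP;

            "portainer${uwUrl}" = proxyIP;
            "registry${uwUrl}" = proxyIP;
            "registryui${uwUrl}" = proxyIP;
          }
          # `//` is right-biased: a name that also appears in
          # util.getDNSEntries overrides the entry written above.
          // util.getDNSEntries;
      };
      blocking = {
        # Remote blocklist, fetched over HTTPS on every refresh; the
        # blocking policy therefore tracks whatever that file contains.
        blackLists = {
          ads = [
            "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
          ];
        };
        whiteLists = {};
        # All clients fall into the default group and get the ads list.
        clientGroupsBlock = {
          default = ["ads"];
        };
        # 'zeroIp' is default and returns 0.0.0.0
        # 'nxDomain' would return a NXDOMAIN code.
        blockType = "zeroIp";
        blockTTL = "6h";
        # How often to refresh lists.
        loading = {
          downloads = {
            timeout = "5m";
            attempts = 5;
            cooldown = "30s";
          };
          refreshPeriod = "4h";
          # Resolving starts only once the lists are loaded.
          strategy = "blocking";
        };
      };
      caching = {
        minTime = "0m";
        maxTime = "60m";
        maxItemsCount = 10000;
        prefetching = false;
        # Cache NXDOMAIN results for only a short time.
        cacheTimeNegative = "5m";
      };
      # Exposed on the http port (portWebDoH) alongside the API and DoH.
      prometheus = {
        enable = true;
        path = "/metrics";
      };
      # Applies to the DoT listener on portDoT.
      minTlsServeVersion = "1.3";
      bootstrapDns = bootstrapDnsServers;
      ports = {
        dns = portDns;
        tls = portDoT;
        http = portWebDoH;
      };
      log = {
        level = "info";
        format = "text";
        timestamp = true;
        # Keeps client identifiers out of the query log lines.
        privacy = true;
      };
    };
  };

  system.stateVersion = "24.05";
}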