From 112cf3877e6339119f0a4cff88fccfe34231dc97 Mon Sep 17 00:00:00 2001
From: notohh
Date: Mon, 15 Jan 2024 00:01:16 -0500
Subject: [PATCH] haru: remove agh, switch to blocky + unbound

---
 hosts/haru/networking.nix | 3 +-
 .../haru/services/adguardhome/adguardhome.nix | 54 ------
 hosts/haru/services/adguardhome/filters.nix | 170 ------------------
 hosts/haru/services/adguardhome/rewrites.nix | 78 --------
 hosts/haru/services/blocky.nix | 137 ++++++++++++++
 hosts/haru/services/default.nix | 3 +-
 hosts/haru/services/unbound.nix | 37 ++++
 7 files changed, 177 insertions(+), 305 deletions(-)
 delete mode 100644 hosts/haru/services/adguardhome/adguardhome.nix
 delete mode 100644 hosts/haru/services/adguardhome/filters.nix
 delete mode 100644 hosts/haru/services/adguardhome/rewrites.nix
 create mode 100644 hosts/haru/services/blocky.nix
 create mode 100644 hosts/haru/services/unbound.nix

diff --git a/hosts/haru/networking.nix b/hosts/haru/networking.nix
index 11382db..0785126 100644
--- a/hosts/haru/networking.nix
+++ b/hosts/haru/networking.nix
@@ -8,8 +8,7 @@ _: {
 };
 environment.etc = {
 "resolv.conf".text = ''
- nameserver 1.1.1.1
- nameserver 1.0.0.1
+ nameserver 9.9.9.9
 '';
 };
 }
diff --git a/hosts/haru/services/adguardhome/adguardhome.nix b/hosts/haru/services/adguardhome/adguardhome.nix
deleted file mode 100644
index 9e42f4d..0000000
--- a/hosts/haru/services/adguardhome/adguardhome.nix
+++ /dev/null
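Review bot: The new resolv.conf leaves the host with a single upstream and no fallback (the removed lines listed two), so an outage of or a blocked path to 9.9.9.9 stalls the host's own name resolution; a second line such as `nameserver 149.112.112.112` restores the redundancy the old file had. This also points the host at an external plaintext resolver rather than at the blocky/unbound stack this commit installs — plausibly deliberate, to avoid a bootstrap loop while blocky fetches its lists at startup, but a one-line comment in the file saying so would stop a later reader from "fixing" it to 127.0.0.1.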
@@ -1,54 +0,0 @@
-{config, ...}: {
- imports = [
- ./filters.nix
- ./rewrites.nix
- ];
- sops.secrets.nextdns = {owner = "adguardhome";};
-
- users.users.adguardhome = {
- isSystemUser = true;
- group = "adguardhome";
- };
- users.groups.adguardhome = {};
-
- networking.firewall.allowedTCPPorts = [53 3000];
- networking.firewall.allowedUDPPorts = [53];
-
- services.adguardhome = {
- enable = true;
- openFirewall = true;
- mutableSettings = true;
- settings = {
- bind_port = 3000;
- bind_host = "192.168.1.103";
- os = {
- user = "adguardhome";
- group = "adguardhome";
- };
- dns = {
- upstream_dns_file = config.sops.secrets.nextdns.path;
- enable_dnssec = true;
- cache_optimistic = true;
- bootstrap_dns = [
- "9.9.9.10"
- "149.112.112.10"
- "2620:fe::10"
- "2620:fe::fe:10"
- ];
- };
- statistics = {
- enabled = true;
- interval = "336h";
- ignored = [
- # i dont wanna see what people are watching
- "youporn.com"
- "pornhub.com"
- "xvideos.com"
- "onlyfans.com"
- "fansly.com"
- "xnxx.com"
- ];
- };
- };
- };
-}
diff --git a/hosts/haru/services/adguardhome/filters.nix b/hosts/haru/services/adguardhome/filters.nix
deleted file mode 100644
index eb418ec..0000000
--- a/hosts/haru/services/adguardhome/filters.nix
+++ /dev/null
@@ -1,170 +0,0 @@
-_: {
- services.adguardhome.settings = {
- filters = [
- {
- name = "blocklistproject";
- enabled = true;
- url = "https://blocklistproject.github.io/Lists/ads.txt";
- id = 1;
- }
- {
- name = "StevenBlack";
- enabled = true;
- url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts";
- id = 2;
- }
- {
- name = "adaway";
- enabled = true;
- url = "https://adaway.org/hosts.txt";
- id = 3;
- }
- {
- name = "v.fire.blog";
- enabled = true;
- url = "https://v.firebog.net/hosts/AdguardDNS.txt";
- id = 4;
- }
- {
- name = "v.fire.blog";
- enabled = true;
- url = "https://v.firebog.net/hosts/Admiral.txt";
- id = 5;
- }
- {
- name = "anudeepND";
- enabled = true;
- url = "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt";
- id = 6;
- }
- {
- name = "simple_ad";
- enabled = true;
- url = "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt";
- id = 7;
- }
- {
- name = "v.fire.blog";
- enabled = true;
- url = "https://v.firebog.net/hosts/Easylist.txt";
- id = 8;
- }
- {
- name = "pgl.yoyo.org";
- enabled = true;
- url = "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext";
- id = 9;
- }
- {
- name = "UncheckyAds";
- enabled = true;
- url = "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts";
- id = 10;
- }
- {
- name = "bigdargon";
- enabled = true;
- url = "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts";
- id = 11;
- }
- {
- name = "v.fire.blog";
- enabled = true;
- url = "https://v.firebog.net/hosts/Easyprivacy.txt";
- id = 12;
- }
- {
- name = "v.fire.blog";
- enabled = true;
- url = "https://v.firebog.net/hosts/Prigent-Ads.txt";
- id = 13;
- }
- {
- name = "FadeMind";
- enabled = true;
- url = "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts";
- id = 14;
- }
- {
- name = "crazy-max";
- enabled = true;
- url = "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt";
- id = 15;
- }
- {
- name = "hostfiles.frogeye.fr";
- enabled = true;
- url = "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt";
- id = 16;
- }
- {
- name = "DandelionSprout";
- enabled = true;
- url = "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt";
- id = 17;
- }
- {
- name = "osint.digitalside.it";
- enabled = true;
- url = "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt";
- id = 18;
- }
- {
- name = "simple_malvertising";
- enabled = true;
- url = "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt";
- id = 19;
- }
- {
- name = "v.fire.blog";
- enabled = true;
- url = "https://v.firebog.net/hosts/Prigent-Crypto.txt";
- id = 20;
- }
- {
- name = "FadeMind";
- enabled = true;
- url = "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts";
- id = 21;
- }
- {
- name = "v.fire.blog";
- enabled = true;
- url = "https://v.firebog.net/hosts/RPiList-Phishing.txt";
- id = 22;
- }
- {
- name = "v.fire.blog";
- enabled = true;
- url = "https://v.firebog.net/hosts/RPiList-Malware.txt";
- id = 23;
- }
- {
- name = "zerodot1.gitlab.io";
- enabled = true;
- url = "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser";
- id = 24;
- }
- {
- name = "StevenBlack";
- enabled = true;
- url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts";
- id = 25;
- }
- ];
- whitelist_filters = [
- {
- name = "whitelist";
- enabled = true;
- url = "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt";
- id = 1;
- }
- {
- name = "whitelist - optionals";
- enabled = true;
- url = "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt";
- id = 1;
- }
- ];
- };
-}
diff --git a/hosts/haru/services/adguardhome/rewrites.nix b/hosts/haru/services/adguardhome/rewrites.nix
deleted file mode 100644
index b8fed38..0000000
--- a/hosts/haru/services/adguardhome/rewrites.nix
+++ /dev/null
@@ -1,78 +0,0 @@
-_: {
- services.adguardhome.settings = {
- dns.rewrites = [
- {
- domain = "adguardhome.internal.flake.sh";
- answer = "192.168.1.103";
- }
- {
- domain = "dashboard.internal.flake.sh";
- answer = "192.168.1.98";
- }
- {
- domain = "truenas.internal.flake.sh";
- answer = "192.168.1.199";
- }
- {
- domain = "assistant.internal.flake.sh";
- answer = "192.168.1.189";
- }
- {
- domain = "udm.internal.flake.sh";
- answer = "192.168.1.1";
- }
- {
- domain = "pve.internal.flake.sh";
- answer = "192.168.1.37";
- }
- {
- domain = "pbs.internal.flake.sh";
- answer = "192.168.1.38";
- }
- {
- domain = "jellyfin.internal.flake.sh";
- answer = "192.168.1.98";
- }
- {
- domain = "jellyseerr.internal.flake.sh";
- answer = "192.168.1.98";
- }
- {
- domain = "sonarr.internal.flake.sh";
- answer = "192.168.1.54";
- }
- {
- domain = "radarr.internal.flake.sh";
- answer = "192.168.1.54";
- }
- {
- domain = "bazarr.internal.flake.sh";
- answer = "192.168.1.54";
- }
- {
- domain = "whisparr.internal.flake.sh";
- answer = "192.168.1.54";
- }
- {
- domain = "prowlarr.internal.flake.sh";
- answer = "192.168.1.54";
- }
- {
- domain = "stash.internal.flake.sh";
- answer = "192.168.1.98";
- }
- {
- domain = "nextcloud.internal.flake.sh";
- answer = "192.168.1.199";
- }
- {
- domain = "wallos.internal.flake.sh";
- answer = "192.168.1.98";
- }
- {
- domain = "synology.internal.flake.sh";
- answer = "192.168.1.71";
- }
- ];
- };
-}
diff --git a/hosts/haru/services/blocky.nix b/hosts/haru/services/blocky.nix
new file mode 100644
index 0000000..09733ca
--- /dev/null
+++ b/hosts/haru/services/blocky.nix
@@ -0,0 +1,137 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ networking.firewall.allowedTCPPorts = [53 4000];
+ networking.firewall.allowedUDPPorts = [53];
+
+ environment.systemPackages = [pkgs.blocky];
+
+ services.blocky = {
+ enable = true;
+ settings = {
+ connectIPVersion = "v4";
+ upstreamTimeout = "30s";
+ startVerifyUpstream = false;
+ minTlsServeVersion = "1.2";
+ log = {
+ level = "debug";
+ privacy = true;
+ };
+ ports = {
+ dns = 53;
+ http = 4000;
+ https = 443;
+ };
+ upstream.default = ["tcp+udp:127.0.0.1:5335"];
+ blocking = {
+ loading = {
+ strategy = "fast";
+ concurrency = 8;
+ };
+ blackLists = {
+ ads = [
+ "https://blocklistproject.github.io/Lists/ads.txt"
+ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+ "https://adaway.org/hosts.txt"
+ "https://v.firebog.net/hosts/AdguardDNS.txt"
+ "https://v.firebog.net/hosts/Admiral.txt"
+ "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
+ "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
+ "https://v.firebog.net/hosts/Easylist.txt"
+ "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
+ "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
+ "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
+ ];
+ tracking = [
+ "https://v.firebog.net/hosts/Easyprivacy.txt"
+ "https://v.firebog.net/hosts/Prigent-Ads.txt"
+ "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
+ "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
+ "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
+ ];
+ malicious = [
+ "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
+ "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
+ "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
+ "https://v.firebog.net/hosts/Prigent-Crypto.txt"
+ "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
+ "https://v.firebog.net/hosts/RPiList-Phishing.txt"
+ "https://v.firebog.net/hosts/RPiList-Malware.txt"
+ ];
+ misc = [
+ "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
+ "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts"
+ ];
+ };
+ whiteLists = {
+ default = [
+ "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt"
+ "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt"
+ ];
+ };
+ clientGroupsBlock = {
+ default = [
+ "ads"
+ "tracking"
+ "malicious"
+ "misc"
+ ];
+ };
+ };
+ customDNS = {
+ customTTL = "1h";
+ mapping = {
+ # infra
+
+ "truenas.internal.flake.sh" = "192.168.1.199";
+ "assistant.internal.flake.sh" = "192.168.1.189";
+ "dashboard.internal.flake.sh" = "192.168.1.98";
+ "udm.internal.flake.sh" = "192.168.1.1";
+ "pve.internal.flake.sh" = "192.168.1.37";
+ "pbs.internal.flake.sh" = "192.168.1.38";
+
+ # media
+
+ "jellyfin.internal.flake.sh" = "192.168.1.98";
+ "jellyseerr.internal.flake.sh" = "192.168.1.98";
+ "sonarr.internal.flake.sh" = "192.168.1.54";
+ "radarr.internal.flake.sh" = "192.168.1.54";
+ "readarr.internal.flake.sh" = "192.168.1.54";
+ "lidarr.internal.flake.sh" = "192.168.1.54";
+ "whisparr.internal.flake.sh" = "192.168.1.54";
+ "bazarr.internal.flake.sh" = "192.168.1.54";
+ "prowlarr.internal.flake.sh" = "192.168.1.54";
+ "stash.internal.flake.sh" = "192.168.1.98";
+ "nextcloud.internal.flake.sh" = "192.168.1.199";
+
+ # misc
+
+ "wallos.internal.flake.sh" = "192.168.1.98";
+ "synology.internal.flake.sh" = "192.168.1.71";
+ };
+ };
+ redis = {
+ address = "100.94.214.100:6381";
+ password = "blocky";
+ database = 2;
+ required = false;
+ connectionAttempts = 10;
+ connectionCooldown = "5s";
+ };
+ caching = {
+ minTime = "2h";
+ maxTime = "12h";
+ maxItemsCount = 0;
+ prefetching = true;
+ prefetchExpires = "2h";
+ prefetchThreshold = 5;
+ };
+ prometheus = {
+ enable = true;
+ path = "/metrics";
+ };
+ };
+ };
+}
diff --git a/hosts/haru/services/default.nix b/hosts/haru/services/default.nix
index 262fce6..0268779 100644
--- a/hosts/haru/services/default.nix
+++ b/hosts/haru/services/default.nix
@@ -1,5 +1,6 @@
 _: {
 imports = [
- ./adguardhome/adguardhome.nix
+ ./blocky.nix
+ ./unbound.nix
 ];
 }
diff --git a/hosts/haru/services/unbound.nix b/hosts/haru/services/unbound.nix
new file mode 100644
index 0000000..e7fd877
--- /dev/null
+++ b/hosts/haru/services/unbound.nix
@@ -0,0 +1,37 @@
+_: {
+ services.unbound = {
+ enable = true;
+
+ resolveLocalQueries = false;
+ settings = {
+ server = {
+ verbosity = 0;
+ interface = "0.0.0.0";
+ port = 5335;
+ do-ip4 = true;
+ do-udp = true;
+ do-tcp = true;
+ harden-glue = true;
+ harden-dnssec-stripped = true;
+ use-caps-for-id = false;
+ edns-buffer-size = 1232;
+ prefetch = true;
+ num-threads = 2;
+ so-rcvbuf = "1m";
+ access-control = [
+ "10.0.0.0/8 allow"
+ "172.16.0.0/12 allow"
+ "192.168.0.0/16 allow"
+ ];
+ private-address = [
+ "192.168.0.0/16"
+ "169.254.0.0/16"
+ "172.16.0.0/12"
+ "10.0.0.0/8"
+ "fd00::/8"
+ "fe80::/10"
+ ];
+ };
+ };
+ };
+}
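Review bot: `password = "blocky";` under `redis` commits a credential in plaintext; the removed adguardhome.nix kept its sensitive upstream configuration out of the tree via `config.sops.secrets.nextdns.path`, and this new file still takes `config` as an argument without using it, so the same sops pattern is available here. The Redis endpoint `100.94.214.100:6381` sits in the 100.64.0.0/10 shared-address range, which looks like an overlay/VPN address rather than the LAN — worth confirming that both the credential and the unencrypted transport match what that network actually provides. Two smaller points: `log.level = "debug";` is very chatty for a resolver serving a whole LAN even with `privacy = true`, and `https = 443;` is declared under `ports` while the file configures no certificate and does not add 443 to `allowedTCPPorts`, so that entry should either be completed or dropped. Port 4000 (HTTP API and `/metrics`) is opened to the LAN with no authentication configured in front of it; if only the scrape host needs it, the firewall rule can be narrowed to that source.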
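Review bot: `interface = "0.0.0.0";` together with `access-control` entries that allow every RFC 1918 range exposes unfiltered recursion on port 5335 to the whole LAN, which would let a client bypass blocky's blocklists entirely; at the moment only the host firewall (blocky.nix opens 53 and 4000) stands in the way. The only consumer introduced by this commit is blocky at `tcp+udp:127.0.0.1:5335`, so `interface = "127.0.0.1";` and `access-control = ["127.0.0.0/8 allow"];` express that intent without depending on the firewall. The current list does not mention localhost at all — blocky presumably gets in through unbound's implicit localhost allow, and making it explicit avoids a surprise if that default is ever overridden. `resolveLocalQueries = false;` is consistent with this split, since the host's own resolv.conf points elsewhere.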