notohh/snowflake
notohh/snowflake
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Wiki Activity

haru: remove agh, switch to blocky + unbound

Browse source
This commit is contained in:
notohh 2024-01-15 00:01:16 -05:00
parent bfb4a893ed
commit 112cf3877e
Signed by: notohh
GPG key ID: BD47506D475EE86D
7 changed files with 177 additions and 305 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
hosts/haru/networking.nix
View file

@ -8,8 +8,7 @@ _: {
}; };
environment.etc = { environment.etc = {
"resolv.conf".text = '' "resolv.conf".text = ''
nameserver 1.1.1.1 nameserver 9.9.9.9
nameserver 1.0.0.1
''; '';
}; };
} }

54
hosts/haru/services/adguardhome/adguardhome.nix
View file

@ -1,54 +0,0 @@
{config, ...}: {
imports = [
./filters.nix
./rewrites.nix
];
sops.secrets.nextdns = {owner = "adguardhome";};
users.users.adguardhome = {
isSystemUser = true;
group = "adguardhome";
};
users.groups.adguardhome = {};
networking.firewall.allowedTCPPorts = [53 3000];
networking.firewall.allowedUDPPorts = [53];
services.adguardhome = {
enable = true;
openFirewall = true;
mutableSettings = true;
settings = {
bind_port = 3000;
bind_host = "192.168.1.103";
os = {
user = "adguardhome";
group = "adguardhome";
};
dns = {
upstream_dns_file = config.sops.secrets.nextdns.path;
enable_dnssec = true;
cache_optimistic = true;
bootstrap_dns = [
"9.9.9.10"
"149.112.112.10"
"2620:fe::10"
"2620:fe::fe:10"
];
};
statistics = {
enabled = true;
interval = "336h";
ignored = [
# i dont wanna see what people are watching
"youporn.com"
"pornhub.com"
"xvideos.com"
"onlyfans.com"
"fansly.com"
"xnxx.com"
];
};
};
};
}

170
hosts/haru/services/adguardhome/filters.nix
View file

@ -1,170 +0,0 @@
_: {
services.adguardhome.settings = {
filters = [
{
name = "blocklistproject";
enabled = true;
url = "https://blocklistproject.github.io/Lists/ads.txt";
id = 1;
}
{
name = "StevenBlack";
enabled = true;
url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts";
id = 2;
}
{
name = "adaway";
enabled = true;
url = "https://adaway.org/hosts.txt";
id = 3;
}
{
name = "v.fire.blog";
enabled = true;
url = "https://v.firebog.net/hosts/AdguardDNS.txt";
id = 4;
}
{
name = "v.fire.blog";
enabled = true;
url = "https://v.firebog.net/hosts/Admiral.txt";
id = 5;
}
{
name = "anudeepND";
enabled = true;
url = "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt";
id = 6;
}
{
name = "simple_ad";
enabled = true;
url = "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt";
id = 7;
}
{
name = "v.fire.blog";
enabled = true;
url = "https://v.firebog.net/hosts/Easylist.txt";
id = 8;
}
{
name = "pgl.yoyo.org";
enabled = true;
url = "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext";
id = 9;
}
{
name = "UncheckyAds";
enabled = true;
url = "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts";
id = 10;
}
{
name = "bigdargon";
enabled = true;
url = "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts";
id = 11;
}
{
name = "v.fire.blog";
enabled = true;
url = "https://v.firebog.net/hosts/Easyprivacy.txt";
id = 12;
}
{
name = "v.fire.blog";
enabled = true;
url = "https://v.firebog.net/hosts/Prigent-Ads.txt";
id = 13;
}
{
name = "FadeMind";
enabled = true;
url = "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts";
id = 14;
}
{
name = "crazy-max";
enabled = true;
url = "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt";
id = 15;
}
{
name = "hostfiles.frogeye.fr";
enabled = true;
url = "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt";
id = 16;
}
{
name = "DandelionSprout";
enabled = true;
url = "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt";
id = 17;
}
{
name = "osint.digitalside.it";
enabled = true;
url = "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt";
id = 18;
}
{
name = "simple_malvertising";
enabled = true;
url = "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt";
id = 19;
}
{
name = "v.fire.blog";
enabled = true;
url = "https://v.firebog.net/hosts/Prigent-Crypto.txt";
id = 20;
}
{
name = "FadeMind";
enabled = true;
url = "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts";
id = 21;
}
{
name = "v.fire.blog";
enabled = true;
url = "https://v.firebog.net/hosts/RPiList-Phishing.txt";
id = 22;
}
{
name = "v.fire.blog";
enabled = true;
url = "https://v.firebog.net/hosts/RPiList-Malware.txt";
id = 23;
}
{
name = "zerodot1.gitlab.io";
enabled = true;
url = "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser";
id = 24;
}
{
name = "StevenBlack";
enabled = true;
url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts";
id = 25;
}
];
whitelist_filters = [
{
name = "whitelist";
enabled = true;
url = "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt";
id = 1;
}
{
name = "whitelist - optionals";
enabled = true;
url = "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt";
id = 1;
}
];
};
}

78
hosts/haru/services/adguardhome/rewrites.nix
View file

@ -1,78 +0,0 @@
_: {
services.adguardhome.settings = {
dns.rewrites = [
{
domain = "adguardhome.internal.flake.sh";
answer = "192.168.1.103";
}
{
domain = "dashboard.internal.flake.sh";
answer = "192.168.1.98";
}
{
domain = "truenas.internal.flake.sh";
answer = "192.168.1.199";
}
{
domain = "assistant.internal.flake.sh";
answer = "192.168.1.189";
}
{
domain = "udm.internal.flake.sh";
answer = "192.168.1.1";
}
{
domain = "pve.internal.flake.sh";
answer = "192.168.1.37";
}
{
domain = "pbs.internal.flake.sh";
answer = "192.168.1.38";
}
{
domain = "jellyfin.internal.flake.sh";
answer = "192.168.1.98";
}
{
domain = "jellyseerr.internal.flake.sh";
answer = "192.168.1.98";
}
{
domain = "sonarr.internal.flake.sh";
answer = "192.168.1.54";
}
{
domain = "radarr.internal.flake.sh";
answer = "192.168.1.54";
}
{
domain = "bazarr.internal.flake.sh";
answer = "192.168.1.54";
}
{
domain = "whisparr.internal.flake.sh";
answer = "192.168.1.54";
}
{
domain = "prowlarr.internal.flake.sh";
answer = "192.168.1.54";
}
{
domain = "stash.internal.flake.sh";
answer = "192.168.1.98";
}
{
domain = "nextcloud.internal.flake.sh";
answer = "192.168.1.199";
}
{
domain = "wallos.internal.flake.sh";
answer = "192.168.1.98";
}
{
domain = "synology.internal.flake.sh";
answer = "192.168.1.71";
}
];
};
}

137
hosts/haru/services/blocky.nix Normal file
View file

@ -0,0 +1,137 @@
{
pkgs,
config,
...
}: {
networking.firewall.allowedTCPPorts = [53 4000];
networking.firewall.allowedUDPPorts = [53];
environment.systemPackages = [pkgs.blocky];
services.blocky = {
enable = true;
settings = {
connectIPVersion = "v4";
upstreamTimeout = "30s";
startVerifyUpstream = false;
minTlsServeVersion = "1.2";
log = {
level = "debug";
privacy = true;
};
ports = {
dns = 53;
http = 4000;
https = 443;
};
upstream.default = ["tcp+udp:127.0.0.1:5335"];
blocking = {
loading = {
strategy = "fast";
concurrency = 8;
};
blackLists = {
ads = [
"https://blocklistproject.github.io/Lists/ads.txt"
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
"https://adaway.org/hosts.txt"
"https://v.firebog.net/hosts/AdguardDNS.txt"
"https://v.firebog.net/hosts/Admiral.txt"
"https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
"https://v.firebog.net/hosts/Easylist.txt"
"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
];
tracking = [
"https://v.firebog.net/hosts/Easyprivacy.txt"
"https://v.firebog.net/hosts/Prigent-Ads.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
];
malicious = [
"https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
"https://v.firebog.net/hosts/Prigent-Crypto.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
"https://v.firebog.net/hosts/RPiList-Phishing.txt"
"https://v.firebog.net/hosts/RPiList-Malware.txt"
];
misc = [
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
"https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts"
];
};
whiteLists = {
default = [
"https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt"
"https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt"
];
};
clientGroupsBlock = {
default = [
"ads"
"tracking"
"malicious"
"misc"
];
};
};
customDNS = {
customTTL = "1h";
mapping = {
# infra
"truenas.internal.flake.sh" = "192.168.1.199";
"assistant.internal.flake.sh" = "192.168.1.189";
"dashboard.internal.flake.sh" = "192.168.1.98";
"udm.internal.flake.sh" = "192.168.1.1";
"pve.internal.flake.sh" = "192.168.1.37";
"pbs.internal.flake.sh" = "192.168.1.38";
# media
"jellyfin.internal.flake.sh" = "192.168.1.98";
"jellyseerr.internal.flake.sh" = "192.168.1.98";
"sonarr.internal.flake.sh" = "192.168.1.54";
"radarr.internal.flake.sh" = "192.168.1.54";
"readarr.internal.flake.sh" = "192.168.1.54";
"lidarr.internal.flake.sh" = "192.168.1.54";
"whisparr.internal.flake.sh" = "192.168.1.54";
"bazarr.internal.flake.sh" = "192.168.1.54";
"prowlarr.internal.flake.sh" = "192.168.1.54";
"stash.internal.flake.sh" = "192.168.1.98";
"nextcloud.internal.flake.sh" = "192.168.1.199";
# misc
"wallos.internal.flake.sh" = "192.168.1.98";
"synology.internal.flake.sh" = "192.168.1.71";
};
};
redis = {
address = "100.94.214.100:6381";
password = "blocky";
database = 2;
required = false;
connectionAttempts = 10;
connectionCooldown = "5s";
};
caching = {
minTime = "2h";
maxTime = "12h";
maxItemsCount = 0;
prefetching = true;
prefetchExpires = "2h";
prefetchThreshold = 5;
};
prometheus = {
enable = true;
path = "/metrics";
};
};
};
}

3
hosts/haru/services/default.nix
View file

@ -1,5 +1,6 @@
_: { _: {
imports = [ imports = [
./adguardhome/adguardhome.nix ./blocky.nix
./unbound.nix
]; ];
} }

37
hosts/haru/services/unbound.nix Normal file
View file

@ -0,0 +1,37 @@
_: {
services.unbound = {
enable = true;
resolveLocalQueries = false;
settings = {
server = {
verbosity = 0;
interface = "0.0.0.0";
port = 5335;
do-ip4 = true;
do-udp = true;
do-tcp = true;
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
edns-buffer-size = 1232;
prefetch = true;
num-threads = 2;
so-rcvbuf = "1m";
access-control = [
"10.0.0.0/8 allow"
"172.16.0.0/12 allow"
"192.168.0.0/16 allow"
];
private-address = [
"192.168.0.0/16"
"169.254.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"fd00::/8"
"fe80::/10"
];
};
};
};
}