diff --git a/hosts/haru/services/adguardhome/adguardhome.nix b/hosts/haru/services/adguardhome/adguardhome.nix
new file mode 100644
index 0000000..e2a505c
--- /dev/null
+++ b/hosts/haru/services/adguardhome/adguardhome.nix
@@ -0,0 +1,27 @@
+_: {
+ imports = [
+ ./filters.nix
+ ./rewrites.nix
+ ];
+ networking.firewall.allowedTCPPorts = [53 443 80 3000];
+ networking.firewall.allowedUDPPorts = [53];
+ services.adguardhome = {
+ enable = true;
+ openFirewall = true;
+ mutableSettings = true;
+ settings = {
+ bind_port = 3000;
+ bind_host = "0.0.0.0";
+ statistics = {
+ enabled = true;
+ ignored = [
+ "youporn.com"
+ "pornhub.com"
+ "xvideos.com"
+ "onlyfans.com"
+ "fansly.com"
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/haru/services/adguardhome/filters.nix b/hosts/haru/services/adguardhome/filters.nix
new file mode 100644
index 0000000..eb418ec
--- /dev/null
+++ b/hosts/haru/services/adguardhome/filters.nix
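Review bot: `bind_host = "0.0.0.0"` together with `openFirewall = true` and the explicit `allowedTCPPorts = [53 443 80 3000]` exposes the AdGuard Home admin UI on every interface, and no `users` entry is declared under `settings`, so on first start the unauthenticated setup wizard is what answers on port 3000 and whoever on the LAN reaches it first chooses the admin credentials. Declare an admin user (AdGuard Home takes a bcrypt hash under `settings.users`, which can be loaded from a secret rather than committed) or bind the UI to a LAN/VPN address rather than 0.0.0.0. Ports 80 and 443 are opened but nothing in this module listens on them (no TLS block), and `openFirewall` already opens the DNS and web ports, so the explicit `allowedTCPPorts` line is both redundant and wider than needed; trim it to what actually listens. As I read the NixOS module, with `mutableSettings = true` the generated config is only written when none exists yet, so later edits to filters.nix/rewrites.nix will not reach a running instance — if that is intended, record it with `# mutableSettings: declared settings are first-run defaults only; UI changes win afterwards`. No `dns.upstream_dns` is set, so the Cloudflare/Quad9 DoH upstreams the removed blocky config pinned are replaced by AdGuard Home's built-in default upstream — presumably not what was meant, confirm.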
@@ -0,0 +1,170 @@
+_: {
+ services.adguardhome.settings = {
+ filters = [
+ {
+ name = "blocklistproject";
+ enabled = true;
+ url = "https://blocklistproject.github.io/Lists/ads.txt";
+ id = 1;
+ }
+ {
+ name = "StevenBlack";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts";
+ id = 2;
+ }
+ {
+ name = "adaway";
+ enabled = true;
+ url = "https://adaway.org/hosts.txt";
+ id = 3;
+ }
+ {
+ name = "v.fire.blog";
+ enabled = true;
+ url = "https://v.firebog.net/hosts/AdguardDNS.txt";
+ id = 4;
+ }
+ {
+ name = "v.fire.blog";
+ enabled = true;
+ url = "https://v.firebog.net/hosts/Admiral.txt";
+ id = 5;
+ }
+ {
+ name = "anudeepND";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt";
+ id = 6;
+ }
+ {
+ name = "simple_ad";
+ enabled = true;
+ url = "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt";
+ id = 7;
+ }
+ {
+ name = "v.fire.blog";
+ enabled = true;
+ url = "https://v.firebog.net/hosts/Easylist.txt";
+ id = 8;
+ }
+ {
+ name = "pgl.yoyo.org";
+ enabled = true;
+ url = "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext";
+ id = 9;
+ }
+ {
+ name = "UncheckyAds";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts";
+ id = 10;
+ }
+ {
+ name = "bigdargon";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts";
+ id = 11;
+ }
+ {
+ name = "v.fire.blog";
+ enabled = true;
+ url = "https://v.firebog.net/hosts/Easyprivacy.txt";
+ id = 12;
+ }
+ {
+ name = "v.fire.blog";
+ enabled = true;
+ url = "https://v.firebog.net/hosts/Prigent-Ads.txt";
+ id = 13;
+ }
+ {
+ name = "FadeMind";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts";
+ id = 14;
+ }
+ {
+ name = "crazy-max";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt";
+ id = 15;
+ }
+ {
+ name = "hostfiles.frogeye.fr";
+ enabled = true;
+ url = "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt";
+ id = 16;
+ }
+ {
+ name = "DandelionSprout";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt";
+ id = 17;
+ }
+ {
+ name = "osint.digitalside.it";
+ enabled = true;
+ url = "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt";
+ id = 18;
+ }
+ {
+ name = "simple_malvertising";
+ enabled = true;
+ url = "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt";
+ id = 19;
+ }
+ {
+ name = "v.fire.blog";
+ enabled = true;
+ url = "https://v.firebog.net/hosts/Prigent-Crypto.txt";
+ id = 20;
+ }
+ {
+ name = "FadeMind";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts";
+ id = 21;
+ }
+ {
+ name = "v.fire.blog";
+ enabled = true;
+ url = "https://v.firebog.net/hosts/RPiList-Phishing.txt";
+ id = 22;
+ }
+ {
+ name = "v.fire.blog";
+ enabled = true;
+ url = "https://v.firebog.net/hosts/RPiList-Malware.txt";
+ id = 23;
+ }
+ {
+ name = "zerodot1.gitlab.io";
+ enabled = true;
+ url = "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser";
+ id = 24;
+ }
+ {
+ name = "StevenBlack";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts";
+ id = 25;
+ }
+ ];
+ whitelist_filters = [
+ {
+ name = "whitelist";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt";
+ id = 1;
+ }
+ {
+ name = "whitelist - optionals";
+ enabled = true;
+ url = "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt";
+ id = 1;
+ }
+ ];
+ };
+}
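Review bot: both `whitelist_filters` entries carry `id = 1`, and that id is also taken by the first entry of `filters`; AdGuard Home keys each list's cached rule file and its rule attribution by filter id, so with a duplicate id one of the two allowlists is dropped or overwrites the other and some domains that should be allowed silently stay blocked (ids being unique across both lists is the safe assumption — confirm against the AdGuard Home version deployed). Give them fresh ids, e.g. `id = 26;` for `whitelist` and `id = 27;` for `whitelist - optionals`, so nothing collides with 1–25. As a style point, six lists are named `v.fire.blog` while their URLs are on `v.firebog.net`; naming each after the list it loads (`firebog AdguardDNS`, `firebog Easylist`, …) makes the query log and the UI readable. These are mutable third-party sources fetched from GitHub raw, S3 and personal hosts; all over HTTPS, but a list maintainer or a compromised account can block anything — or, through the two allowlists, exempt anything from blocking — so a one-line comment per source recording why it is trusted would help the next reviewer.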
diff --git a/hosts/haru/services/adguardhome/rewrites.nix b/hosts/haru/services/adguardhome/rewrites.nix
new file mode 100644
index 0000000..b9b1a41
--- /dev/null
+++ b/hosts/haru/services/adguardhome/rewrites.nix
@@ -0,0 +1,74 @@
+_: {
+ services.adguardhome.settings = {
+ dns.rewrites = [
+ {
+ domain = "adguardhome.internal.flake.sh";
+ answer = "192.168.1.103";
+ }
+ {
+ domain = "dashboard.internal.flake.sh";
+ answer = "192.168.1.98";
+ }
+ {
+ domain = "truenas.internal.flake.sh";
+ answer = "192.168.1.199";
+ }
+ {
+ domain = "assistant.internal.flake.sh";
+ answer = "192.168.1.189";
+ }
+ {
+ domain = "udm.internal.flake.s";
+ answer = "192.168.1.1";
+ }
+ {
+ domain = "pve.internal.flake.sh";
+ answer = "192.168.1.37";
+ }
+ {
+ domain = "pbs.internal.flake.sh";
+ answer = "192.168.1.38";
+ }
+ {
+ domain = "jellyfin.internal.flake.sh";
+ answer = "192.168.1.98";
+ }
+ {
+ domain = "jellyseerr.internal.flake.sh";
+ answer = "192.168.1.98";
+ }
+ {
+ domain = "sonarr.internal.flake.sh";
+ answer = "192.168.1.54";
+ }
+ {
+ domain = "radarr.internal.flake.sh";
+ answer = "192.168.1.54";
+ }
+ {
+ domain = "whisparr.internal.flake.sh";
+ answer = "192.168.1.54";
+ }
+ {
+ domain = "prowlarr.internal.flake.sh";
+ answer = "192.168.1.54";
+ }
+ {
+ domain = "stash.internal.flake.sh";
+ answer = "192.168.1.98";
+ }
+ {
+ domain = "nextcloud.internal.flake.sh";
+ answer = "192.168.1.199";
+ }
+ {
+ domain = "wallos.internal.flake.sh";
+ answer = "192.168.1.98";
+ }
+ {
+ domain = "synology.internal.flake.sh";
+ answer = "192.168.1.71";
+ }
+ ];
+ };
+}
diff --git a/hosts/haru/services/blocky.nix b/hosts/haru/services/blocky.nix
deleted file mode 100644
index 6040818..0000000
--- a/hosts/haru/services/blocky.nix
+++ /dev/null
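Review bot: the gateway rewrite is misspelt as `domain = "udm.internal.flake.s";` (the removed blocky mapping had `udm.internal.flake.sh`), so `udm.internal.flake.sh` matches no rewrite and is forwarded to the upstream resolver instead of answering 192.168.1.1; since `flake.sh` is a real public zone, that lookup leaves the LAN and the gateway name resolves to whatever the public zone says, or to nothing — change it to `domain = "udm.internal.flake.sh";`. `readarr.internal.flake.sh` from the removed mapping is absent here; fine if deliberate, but worth a line in the commit message. Because these entries are the only thing keeping `*.internal.flake.sh` lookups inside the LAN, consider a wildcard rewrite for `*.internal.flake.sh` (AdGuard Home accepts `*.` domains in rewrites, as I recall) as a catch-all so a typo like this fails closed rather than leaking internal hostnames upstream.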
@@ -1,138 +0,0 @@
-{pkgs, ...}: {
- networking.firewall.allowedTCPPorts = [53 4000];
- networking.firewall.allowedUDPPorts = [53];
-
- environment.systemPackages = [pkgs.blocky];
-
- services.blocky = {
- enable = true;
- settings = {
- connectIPVersion = "v4";
- upstreamTimeout = "30s";
- startVerifyUpstream = false;
- minTlsServeVersion = "1.2";
- log = {
- level = "debug";
- privacy = true;
- };
- ports = {
- dns = 53;
- http = 4000;
- https = 443;
- };
- upstream.default = [
- "1.1.1.1"
- "1.0.0.1"
- "9.9.9.9"
- "https://1.1.1.1/dns-query"
- "https://dns.quad9.net/dns-query"
- "https://dns-unfiltered.adguard.com/dns-query"
- ];
- blocking = {
- loading = {
- strategy = "fast";
- concurrency = 8;
- };
- blackLists = {
- ads = [
- "https://blocklistproject.github.io/Lists/ads.txt"
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
- "https://adaway.org/hosts.txt"
- "https://v.firebog.net/hosts/AdguardDNS.txt"
- "https://v.firebog.net/hosts/Admiral.txt"
- "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
- "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
- "https://v.firebog.net/hosts/Easylist.txt"
- "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
- "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
- ];
- tracking = [
- "https://v.firebog.net/hosts/Easyprivacy.txt"
- "https://v.firebog.net/hosts/Prigent-Ads.txt"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
- "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
- "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
- ];
- malicious = [
- "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
- "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
- "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
- "https://v.firebog.net/hosts/Prigent-Crypto.txt"
- "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
- "https://v.firebog.net/hosts/RPiList-Phishing.txt"
- "https://v.firebog.net/hosts/RPiList-Malware.txt"
- ];
- misc = [
- "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts"
- ];
- };
- whiteLists = {
- default = [
- "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt"
- "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt"
- ];
- };
- clientGroupsBlock = {
- default = [
- "ads"
- "tracking"
- "malicious"
- "misc"
- ];
- };
- };
- customDNS = {
- customTTL = "1h";
- mapping = {
- # infra
-
- "truenas.internal.flake.sh" = "192.168.1.199";
- "assistant.internal.flake.sh" = "192.168.1.189";
- "dashboard.internal.flake.sh" = "192.168.1.98";
- "udm.internal.flake.sh" = "192.168.1.1";
- "pve.internal.flake.sh" = "192.168.1.37";
- "pbs.internal.flake.sh" = "192.168.1.38";
-
- # media
-
- "jellyfin.internal.flake.sh" = "192.168.1.98";
- "jellyseerr.internal.flake.sh" = "192.168.1.98";
- "sonarr.internal.flake.sh" = "192.168.1.54";
- "radarr.internal.flake.sh" = "192.168.1.54";
- "readarr.internal.flake.sh" = "192.168.1.54";
- "whisparr.internal.flake.sh" = "192.168.1.54";
- "prowlarr.internal.flake.sh" = "192.168.1.54";
- "stash.internal.flake.sh" = "192.168.1.98";
- "nextcloud.internal.flake.sh" = "192.168.1.199";
-
- # misc
-
- "wallos.internal.flake.sh" = "192.168.1.98";
- "synology.internal.flake.sh" = "192.168.1.71";
- };
- };
- redis = {
- address = "100.94.214.100:6381";
- password = "blocky";
- database = 2;
- required = false;
- connectionAttempts = 10;
- connectionCooldown = "5s";
- };
- caching = {
- minTime = "2h";
- maxTime = "12h";
- maxItemsCount = 0;
- prefetching = true;
- prefetchExpires = "2h";
- prefetchThreshold = 5;
- };
- prometheus = {
- enable = true;
- path = "/metrics";
- };
- };
- };
-}
diff --git a/hosts/haru/services/default.nix b/hosts/haru/services/default.nix
index 06c90a7..262fce6 100644
--- a/hosts/haru/services/default.nix
+++ b/hosts/haru/services/default.nix
@@ -1,5 +1,5 @@
 _: {
 imports = [
- ./blocky.nix
+ ./adguardhome/adguardhome.nix
 ];
 }