hosts: init haru

hosts/default.nix

@@ -173,4 +173,24 @@ in {
       }
     ];
   };
+  haru = nixosSystem {
+    inherit system;
+    specialArgs = {inherit inputs;};
+    modules = [
+      ./haru
+      sopsModule
+      hmModule
+      {
+        home-manager = {
+          useGlobalPkgs = true;
+          useUserPackages = true;
+          users.notoh = {
+            imports = [
+              ./haru/home.nix
+            ];
+          };
+        };
+      }
+    ];
+  };
 }

hosts/deploy.nix

@@ -60,5 +60,15 @@ inputs: {
       sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
       magicRollback = true;
     };
+    haru = {
+      hostname = "100.73.192.45";
+      profiles.system = {
+        user = "root";
+        path = activate.nixos inputs.self.nixosConfigurations.haru;
+      };
+      sshUser = "root";
+      sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
+      magicRollback = true;
+    };
   };
 }

hosts/haru/default.nix

@@ -0,0 +1,33 @@
+{...}: {
+  imports = [
+    ./hardware-configuration.nix
+    ./services
+    ./networking.nix
+    ../../modules
+  ];
+
+  boot.loader = {
+    grub = {
+      enable = true;
+      configurationLimit = 5;
+      device = "/dev/sda";
+      useOSProber = false;
+    };
+  };
+
+  networking = {
+    hostName = "haru";
+  };
+
+  services.xserver = {
+    layout = "us";
+    xkbVariant = "";
+  };
+
+  users.users.notoh.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdSO5g6IZQUzeH0Xf7hEVjKZ4cAWn/DjN+GQ2Ujd+qD haru"
+  ];
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
+  ];
+}

hosts/haru/hardware-configuration.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/06177115-2e39-493b-81fb-5a1980ae0534";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/c879fa21-fd80-422c-9aef-0becce5ff19c";}
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/haru/home.nix

@@ -0,0 +1,14 @@
+{...}: {
+  imports = [
+    ../../home
+  ];
+
+  systemd.user.startServices = "sd-switch";
+  programs.home-manager.enable = true;
+
+  home = {
+    username = "notoh";
+    homeDirectory = "/home/notoh";
+    stateVersion = "23.05";
+  };
+}

hosts/haru/networking.nix

@@ -0,0 +1,17 @@
+_: {
+  networking = {
+    networkmanager.enable = true;
+    nameservers = ["1.1.1.1"];
+    firewall = {
+      enable = true;
+    };
+  };
+  environment.etc = {
+    "resolv.conf".text = ''
+      nameserver 1.1.1.1
+      nameserver 1.0.0.1
+    '';
+  };
+
+  services.tailscale.enable = true;
+}

hosts/haru/services/blocky.nix

@@ -0,0 +1,132 @@
+{...}: {
+  networking.firewall.allowedTCPPorts = [53 4000];
+  networking.firewall.allowedUDPPorts = [53];
+
+  services.blocky = {
+    enable = true;
+    settings = {
+      connectIPVersion = "v4";
+      upstreamTimeout = "30s";
+      startVerifyUpstream = false;
+      minTlsServeVersion = "1.2";
+      log = {
+        level = "debug";
+        privacy = true;
+      };
+      ports = {
+        dns = 53;
+        http = 4000;
+        https = 443;
+      };
+      upstream.default = [
+        "1.1.1.1"
+        "1.0.0.1"
+        "9.9.9.9"
+        "https://1.1.1.1/dns-query"
+        "https://dns.quad9.net/dns-query"
+        "https://dns-unfiltered.adguard.com/dns-query"
+      ];
+      blocking = {
+        loading = {
+          strategy = "fast";
+          concurrency = 8;
+        };
+        blackLists = {
+          ads = [
+            "https://blocklistproject.github.io/Lists/ads.txt"
+            "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+            "https://adaway.org/hosts.txt"
+            "https://v.firebog.net/hosts/AdguardDNS.txt"
+            "https://v.firebog.net/hosts/Admiral.txt"
+            "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
+            "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
+            "https://v.firebog.net/hosts/Easylist.txt"
+            "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
+            "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
+          ];
+          tracking = [
+            "https://v.firebog.net/hosts/Easyprivacy.txt"
+            "https://v.firebog.net/hosts/Prigent-Ads.txt"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
+            "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
+            "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
+          ];
+          malicious = [
+            "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
+            "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
+            "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
+            "https://v.firebog.net/hosts/Prigent-Crypto.txt"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
+            "https://v.firebog.net/hosts/RPiList-Phishing.txt"
+            "https://v.firebog.net/hosts/RPiList-Malware.txt"
+          ];
+          misc = [
+            "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
+            "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts"
+          ];
+        };
+        whiteLists = {
+          default = [
+            "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt"
+            # "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt"
+          ];
+        };
+        clientGroupsBlock = {
+          default = [
+            "ads"
+            "tracking"
+            "malicious"
+            "misc"
+          ];
+        };
+      };
+      customDNS = {
+        customTTL = "1h";
+        mapping = {
+          # infra
+
+          "truenas.internal.flake.sh" = "192.168.1.199";
+          "assistant.internal.flake.sh" = "192.168.1.189";
+          "dashboard.internal.flake.sh" = "192.168.1.36";
+          "udm.internal.flake.sh" = "192.168.1.1";
+          "pve.internal.flake.sh" = "192.168.1.37";
+
+          # media
+
+          "jellyfin.internal.flake.sh" = "192.168.1.36";
+          "jellyseerr.internal.flake.sh" = "192.168.1.36";
+          "sonarr.internal.flake.sh" = "192.168.1.54";
+          "radarr.internal.flake.sh" = "192.168.1.54";
+          "bazarr.internal.flake.sh" = "192.168.1.54";
+          "prowlarr.internal.flake.sh" = "192.168.1.54";
+          "stash.internal.flake.sh" = "192.168.1.36";
+
+          # misc
+
+          "wallos.internal.flake.sh" = "192.168.1.36";
+        };
+      };
+      redis = {
+        address = "100.94.214.100:6381";
+        password = "blocky";
+        database = 2;
+        required = false;
+        connectionAttempts = 10;
+        connectionCooldown = "5s";
+      };
+      caching = {
+        minTime = "2h";
+        maxTime = "12h";
+        maxItemsCount = 0;
+        prefetching = true;
+        prefetchExpires = "2h";
+        prefetchThreshold = 5;
+      };
+      prometheus = {
+        enable = true;
+        path = "/metrics";
+      };
+    };
+  };
+}

hosts/haru/services/default.nix

@@ -0,0 +1,5 @@
+_: {
+  imports = [
+    ./blocky.nix
+  ];
+}