snowflake/hosts/haru/services/blocky.nix
2024-08-31 10:06:32 -04:00

167 lines
5.7 KiB
Nix

{pkgs, ...}: {
networking.firewall.allowedTCPPorts = [53 4000];
networking.firewall.allowedUDPPorts = [53];
environment.systemPackages = [pkgs.blocky];
services.blocky = {
enable = true;
settings = {
connectIPVersion = "v4";
upstreamTimeout = "5s";
startVerifyUpstream = false;
minTlsServeVersion = "1.2";
log = {
level = "debug";
privacy = true;
};
ports = {
dns = 53;
http = 4000;
https = 443;
tls = 853;
};
upstreams = {
strategy = "strict";
timeout = "30s";
init.strategy = "fast";
groups = {
default = [
"tcp+udp:127.0.0.1:5335"
"tcp-tls:dns.quad9.net"
];
};
};
blocking = {
loading = {
strategy = "fast";
concurrency = 8;
refreshPeriod = "4h";
};
blackLists = {
ads = [
"https://blocklistproject.github.io/Lists/ads.txt"
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
"https://adaway.org/hosts.txt"
"https://v.firebog.net/hosts/AdguardDNS.txt"
"https://v.firebog.net/hosts/Admiral.txt"
"https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
"https://v.firebog.net/hosts/Easylist.txt"
"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
];
tracking = [
"https://v.firebog.net/hosts/Easyprivacy.txt"
"https://v.firebog.net/hosts/Prigent-Ads.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
];
malicious = [
"https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
"https://v.firebog.net/hosts/Prigent-Crypto.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
"https://v.firebog.net/hosts/RPiList-Phishing.txt"
"https://v.firebog.net/hosts/RPiList-Malware.txt"
];
misc = [
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
"https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts"
];
catchall = [
"https://big.oisd.nl/domainswild"
];
};
whiteLists = let
customWhitelist = pkgs.writeText "misc.txt" ''
ax.phobos.apple.com.edgesuite.net
amp-api-edge.apps.apple.com
(\.|^)dscx\.akamaiedge\.net$
(\.|^)wac\.phicdn\.net$
*.flake.sh
*.clickhouse.com
*.discord.com
'';
in {
ads = [
"https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt"
"https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt"
];
misc = [customWhitelist];
};
clientGroupsBlock = {
default = [
"ads"
"tracking"
"malicious"
"misc"
"catchall"
];
};
};
customDNS = {
customTTL = "1h";
mapping = let
yukiIp = "192.168.1.98";
in {
# infra
"truenas.internal.flake.sh" = "192.168.1.199";
"hass.internal.flake.sh" = "${yukiIp}";
"dashboard.internal.flake.sh" = "${yukiIp}";
"udm.internal.flake.sh" = "192.168.1.1";
"pve.internal.flake.sh" = "192.168.1.37";
"pbs.internal.flake.sh" = "192.168.1.38";
# media
"jellyfin.internal.flake.sh" = "${yukiIp}";
"jellyseerr.internal.flake.sh" = "${yukiIp}";
"sonarr.internal.flake.sh" = "${yukiIp}";
"radarr.internal.flake.sh" = "${yukiIp}";
"readarr.internal.flake.sh" = "${yukiIp}";
"lidarr.internal.flake.sh" = "${yukiIp}";
"whisparr.internal.flake.sh" = "${yukiIp}";
"bazarr.internal.flake.sh" = "${yukiIp}";
"prowlarr.internal.flake.sh" = "${yukiIp}";
"stash.internal.flake.sh" = "${yukiIp}";
"nextcloud.internal.flake.sh" = "192.168.1.199";
# misc
"wallos.internal.flake.sh" = "${yukiIp}";
"synology.internal.flake.sh" = "192.168.1.71";
"paperless.internal.flake.sh" = "${yukiIp}";
"rss.internal.flake.sh" = "${yukiIp}";
};
};
redis = {
address = "192.168.1.211:6381";
password = "blocky";
database = 0;
required = false;
connectionAttempts = 10;
connectionCooldown = "5s";
};
caching = {
minTime = "2h";
maxTime = "12h";
maxItemsCount = 0;
prefetching = true;
prefetchExpires = "2h";
prefetchThreshold = 5;
};
prometheus = {
enable = true;
path = "/metrics";
};
queryLog = {
type = "console";
};
};
};
}