167 lines
5.7 KiB
Nix
167 lines
5.7 KiB
Nix
{pkgs, ...}: {
|
|
networking.firewall.allowedTCPPorts = [53 4000];
|
|
networking.firewall.allowedUDPPorts = [53];
|
|
|
|
environment.systemPackages = [pkgs.blocky];
|
|
|
|
services.blocky = {
|
|
enable = true;
|
|
settings = {
|
|
connectIPVersion = "v4";
|
|
upstreamTimeout = "5s";
|
|
startVerifyUpstream = false;
|
|
minTlsServeVersion = "1.2";
|
|
log = {
|
|
level = "debug";
|
|
privacy = true;
|
|
};
|
|
ports = {
|
|
dns = 53;
|
|
http = 4000;
|
|
https = 443;
|
|
tls = 853;
|
|
};
|
|
upstreams = {
|
|
strategy = "strict";
|
|
timeout = "30s";
|
|
init.strategy = "fast";
|
|
groups = {
|
|
default = [
|
|
"tcp+udp:127.0.0.1:5335"
|
|
"tcp-tls:dns.quad9.net"
|
|
];
|
|
};
|
|
};
|
|
blocking = {
|
|
loading = {
|
|
strategy = "fast";
|
|
concurrency = 8;
|
|
refreshPeriod = "4h";
|
|
};
|
|
blackLists = {
|
|
ads = [
|
|
"https://blocklistproject.github.io/Lists/ads.txt"
|
|
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
|
|
"https://adaway.org/hosts.txt"
|
|
"https://v.firebog.net/hosts/AdguardDNS.txt"
|
|
"https://v.firebog.net/hosts/Admiral.txt"
|
|
"https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
|
|
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
|
|
"https://v.firebog.net/hosts/Easylist.txt"
|
|
"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
|
|
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
|
|
"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
|
|
];
|
|
tracking = [
|
|
"https://v.firebog.net/hosts/Easyprivacy.txt"
|
|
"https://v.firebog.net/hosts/Prigent-Ads.txt"
|
|
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
|
|
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
|
|
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
|
|
];
|
|
malicious = [
|
|
"https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
|
|
"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
|
|
"https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
|
|
"https://v.firebog.net/hosts/Prigent-Crypto.txt"
|
|
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
|
|
"https://v.firebog.net/hosts/RPiList-Phishing.txt"
|
|
"https://v.firebog.net/hosts/RPiList-Malware.txt"
|
|
];
|
|
misc = [
|
|
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
|
|
"https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts"
|
|
];
|
|
catchall = [
|
|
"https://big.oisd.nl/domainswild"
|
|
];
|
|
};
|
|
whiteLists = let
|
|
customWhitelist = pkgs.writeText "misc.txt" ''
|
|
ax.phobos.apple.com.edgesuite.net
|
|
amp-api-edge.apps.apple.com
|
|
(\.|^)dscx\.akamaiedge\.net$
|
|
(\.|^)wac\.phicdn\.net$
|
|
*.flake.sh
|
|
*.clickhouse.com
|
|
*.discord.com
|
|
'';
|
|
in {
|
|
ads = [
|
|
"https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt"
|
|
"https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt"
|
|
];
|
|
misc = [customWhitelist];
|
|
};
|
|
clientGroupsBlock = {
|
|
default = [
|
|
"ads"
|
|
"tracking"
|
|
"malicious"
|
|
"misc"
|
|
"catchall"
|
|
];
|
|
};
|
|
};
|
|
customDNS = {
|
|
customTTL = "1h";
|
|
mapping = let
|
|
yukiIp = "192.168.1.98";
|
|
in {
|
|
# infra
|
|
|
|
"truenas.internal.flake.sh" = "192.168.1.199";
|
|
"hass.internal.flake.sh" = "${yukiIp}";
|
|
"dashboard.internal.flake.sh" = "${yukiIp}";
|
|
"udm.internal.flake.sh" = "192.168.1.1";
|
|
"pve.internal.flake.sh" = "192.168.1.37";
|
|
"pbs.internal.flake.sh" = "192.168.1.38";
|
|
|
|
# media
|
|
|
|
"jellyfin.internal.flake.sh" = "${yukiIp}";
|
|
"jellyseerr.internal.flake.sh" = "${yukiIp}";
|
|
"sonarr.internal.flake.sh" = "${yukiIp}";
|
|
"radarr.internal.flake.sh" = "${yukiIp}";
|
|
"readarr.internal.flake.sh" = "${yukiIp}";
|
|
"lidarr.internal.flake.sh" = "${yukiIp}";
|
|
"whisparr.internal.flake.sh" = "${yukiIp}";
|
|
"bazarr.internal.flake.sh" = "${yukiIp}";
|
|
"prowlarr.internal.flake.sh" = "${yukiIp}";
|
|
"stash.internal.flake.sh" = "${yukiIp}";
|
|
"nextcloud.internal.flake.sh" = "192.168.1.199";
|
|
|
|
# misc
|
|
|
|
"wallos.internal.flake.sh" = "${yukiIp}";
|
|
"synology.internal.flake.sh" = "192.168.1.71";
|
|
"paperless.internal.flake.sh" = "${yukiIp}";
|
|
"rss.internal.flake.sh" = "${yukiIp}";
|
|
};
|
|
};
|
|
redis = {
|
|
address = "192.168.1.211:6381";
|
|
password = "blocky";
|
|
database = 0;
|
|
required = false;
|
|
connectionAttempts = 10;
|
|
connectionCooldown = "5s";
|
|
};
|
|
caching = {
|
|
minTime = "2h";
|
|
maxTime = "12h";
|
|
maxItemsCount = 0;
|
|
prefetching = true;
|
|
prefetchExpires = "2h";
|
|
prefetchThreshold = 5;
|
|
};
|
|
prometheus = {
|
|
enable = true;
|
|
path = "/metrics";
|
|
};
|
|
queryLog = {
|
|
type = "console";
|
|
};
|
|
};
|
|
};
|
|
}
|