nixos-config/profiles/servers/blocky.nix

{ dnsmasq-list ? [], ... }:
let
  nodeAddress = "192.168.0.5";
  upstream-dns = "100.64.0.1";
in {
  services.headscale-auth.blocky = {
    ephemeral = true;
    outPath = "/tmp/blocky-authkey";
    before = [ "container@blocky.service" ];
  };
  containers.blocky = {
    autoStart = true;
    enableTun = true;
    ephemeral = true;
    privateNetwork = true;
    hostBridge = "br0";
    localAddress = "${nodeAddress}/24";
    tmpfs = [ "/" ];
    bindMounts."/tmp/blocky-authkey".hostPath = "/tmp/blocky-authkey";
    config = { config, lib, ... }:
    let
      grafanaPort = config.services.grafana.settings.server.http_port;
      blockyPort = config.services.blocky.settings.ports.dns;
      blockyHttpPort = config.services.blocky.settings.ports.http;
    in {
      networking = {
        defaultGateway = "192.168.0.1";
        hostName = "blocky-node";
        nameservers = [ "127.0.0.1" ];
        enableIPv6 = false;
        useHostResolvConf = false;
        firewall = {
          enable = true;
          allowedTCPPorts = [ blockyPort grafanaPort ];
          allowedUDPPorts = [ blockyPort ];
        };
        hosts = {
          "192.168.0.10" = [ "wg.ataraxiadev.com" ];
        };
      };
      # ephemeral tailscale node
      services.tailscale = {
        enable = true;
        useRoutingFeatures = "client";
        authKeyFile = "/tmp/blocky-authkey";
        extraUpFlags = [
          "--login-server=https://wg.ataraxiadev.com"
          "--accept-dns=false"
          "--advertise-exit-node=false"
        ];
      };
      systemd.services.tailscaled.serviceConfig.Environment = let
        cfg = config.services.tailscale;
      in lib.mkForce [
        "PORT=${toString cfg.port}"
        ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName} --state=mem:"''
      ];

      services.dnsmasq = {
        enable = true;
        alwaysKeepRunning = true;
        resolveLocalQueries = false;
        settings = {
          port = 5353;
          no-resolv = true;
          no-hosts = true;
          listen-address = "127.0.0.1";
          no-dhcp-interface = "";
          address = dnsmasq-list ++ [];
        };
      };
      services.blocky = {
        enable = true;
        settings = {
          upstream.default = [ upstream-dns ];
          upstreamTimeout = "10s";
          blocking = {
            blackLists.telemetry = [ ../../misc/telemetry.hosts ];
            clientGroupsBlock.default = [ "telemetry" ];
          };
          conditional = {
            fallbackUpstream = true;
            mapping = {
              "ataraxiadev.com" = "127.0.0.1:5353";
            };
          };
          # drop ipv6 requests
          filtering.queryTypes = [ "AAAA" ];
          caching = {
            minTime = "0m";
            maxTime = "12h";
            cacheTimeNegative = "1m";
            prefetching = true;
          };
          ports = {
            dns = 53;
            http = "127.0.0.1:4000";
          };
          prometheus.enable = true;
          queryLog.type = "console";
        };
      };
      services.prometheus = {
        enable = true;
        listenAddress = "127.0.0.1";
        globalConfig.scrape_interval = "15s";
        globalConfig.evaluation_interval = "15s";
        scrapeConfigs = [{
          job_name = "blocky";
          static_configs = [{
            targets = [ blockyHttpPort ];
          }];
        }];
      };
      services.grafana = {
        enable = true;
        settings = {
          analytics.reporting_enabled = false;
          server = {
            domain = "${nodeAddress}:${toString grafanaPort}";
            http_addr = nodeAddress;
            enable_gzip = true;
          };
          panels.disable_sanitize_html = true;
        };
        provision = {
          enable = true;
          datasources.settings = {
            datasources = [{
              name = "Prometheus";
              type = "prometheus";
              access = "proxy";
              orgId = 1;
              uid = "Y4SSG429DWCGDQ3R";
              url = "http://127.0.0.1:${toString config.services.prometheus.port}";
              isDefault = true;
              jsonData = {
                graphiteVersion = "1.1";
                tlsAuth = false;
                tlsAuthWithCACert = false;
              };
              version = 1;
              editable = true;
            }];
          };
          dashboards = {
            settings = {
              providers = [{
                name = "My Dashboards";
                options.path = "/etc/grafana-dashboards";
              }];
            };
          };
        };
      };
      environment.etc = {
        "grafana-dashboards/blocky_rev3.json" = {
          source = ../../misc/grafana_blocky_rev3.json;
          group = "grafana";
          user = "grafana";
        };
      };
      system.stateVersion = "23.11";
    };
  };
}
deadnix, cleanup 2024-02-08 23:21:10 +03:00			`{ dnsmasq-list ? [], ... }:`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`let`
			`nodeAddress = "192.168.0.5";`
fix blocky container 2024-01-21 16:32:37 +03:00			`upstream-dns = "100.64.0.1";`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`in {`
module for requesting headscale auth key 2024-01-25 21:01:09 +03:00			`services.headscale-auth.blocky = {`
			`ephemeral = true;`
			`outPath = "/tmp/blocky-authkey";`
fix blocky container 2024-01-21 16:32:37 +03:00			`before = [ "container@blocky.service" ];`
			`};`
update many homelab services 2023-01-26 00:43:11 +03:00			`containers.blocky = {`
			`autoStart = true;`
fix blocky container 2024-01-21 16:32:37 +03:00			`enableTun = true;`
update many homelab services 2023-01-26 00:43:11 +03:00			`ephemeral = true;`
			`privateNetwork = true;`
			`hostBridge = "br0";`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`localAddress = "${nodeAddress}/24";`
update many homelab services 2023-01-26 00:43:11 +03:00			`tmpfs = [ "/" ];`
fix blocky container 2024-01-21 16:32:37 +03:00			`bindMounts."/tmp/blocky-authkey".hostPath = "/tmp/blocky-authkey";`
deadnix, cleanup 2024-02-08 23:21:10 +03:00			`config = { config, lib, ... }:`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`let`
			`grafanaPort = config.services.grafana.settings.server.http_port;`
server changes 2023-12-18 02:08:29 +03:00			`blockyPort = config.services.blocky.settings.ports.dns;`
			`blockyHttpPort = config.services.blocky.settings.ports.http;`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`in {`
update many homelab services 2023-01-26 00:43:11 +03:00			`networking = {`
			`defaultGateway = "192.168.0.1";`
			`hostName = "blocky-node";`
fix blocky container 2024-01-21 16:32:37 +03:00			`nameservers = [ "127.0.0.1" ];`
update many homelab services 2023-01-26 00:43:11 +03:00			`enableIPv6 = false;`
			`useHostResolvConf = false;`
			`firewall = {`
			`enable = true;`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`allowedTCPPorts = [ blockyPort grafanaPort ];`
			`allowedUDPPorts = [ blockyPort ];`
update many homelab services 2023-01-26 00:43:11 +03:00			`};`
fix tailscale in blocky container 2024-01-21 20:36:34 +03:00			`hosts = {`
			`"192.168.0.10" = [ "wg.ataraxiadev.com" ];`
			`};`
server changes 2023-12-18 02:08:29 +03:00			`};`
fix blocky container 2024-01-21 16:32:37 +03:00			`# ephemeral tailscale node`
			`services.tailscale = {`
			`enable = true;`
			`useRoutingFeatures = "client";`
			`authKeyFile = "/tmp/blocky-authkey";`
fix tailscale in blocky container 2024-01-21 20:36:34 +03:00			`extraUpFlags = [`
			`"--login-server=https://wg.ataraxiadev.com"`
			`"--accept-dns=false"`
			`"--advertise-exit-node=false"`
			`];`
fix blocky container 2024-01-21 16:32:37 +03:00			`};`
			`systemd.services.tailscaled.serviceConfig.Environment = let`
			`cfg = config.services.tailscale;`
			`in lib.mkForce [`
			`"PORT=${toString cfg.port}"`
			`''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName} --state=mem:"''`
			`];`

server changes 2023-12-18 02:08:29 +03:00			`services.dnsmasq = {`
			`enable = true;`
			`alwaysKeepRunning = true;`
			`resolveLocalQueries = false;`
			`settings = {`
			`port = 5353;`
			`no-resolv = true;`
			`no-hosts = true;`
			`listen-address = "127.0.0.1";`
			`no-dhcp-interface = "";`
big hypervisor and servers refactor 2024-01-21 17:40:07 +03:00			`address = dnsmasq-list ++ [];`
server changes 2023-12-18 02:08:29 +03:00			`};`
update many homelab services 2023-01-26 00:43:11 +03:00			`};`
			`services.blocky = {`
			`enable = true;`
			`settings = {`
fix blocky container 2024-01-21 16:32:37 +03:00			`upstream.default = [ upstream-dns ];`
server changes 2023-12-18 02:08:29 +03:00			`upstreamTimeout = "10s";`
add custom hosts to block 2024-01-21 17:40:23 +03:00			`blocking = {`
			`blackLists.telemetry = [ ../../misc/telemetry.hosts ];`
			`clientGroupsBlock.default = [ "telemetry" ];`
			`};`
			`conditional = {`
			`fallbackUpstream = true;`
			`mapping = {`
			`"ataraxiadev.com" = "127.0.0.1:5353";`
			`};`
			`};`
			`# drop ipv6 requests`
			`filtering.queryTypes = [ "AAAA" ];`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`caching = {`
server changes 2023-12-18 02:08:29 +03:00			`minTime = "0m";`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`maxTime = "12h";`
			`cacheTimeNegative = "1m";`
			`prefetching = true;`
update many homelab services 2023-01-26 00:43:11 +03:00			`};`
server changes 2023-12-18 02:08:29 +03:00			`ports = {`
			`dns = 53;`
			`http = "127.0.0.1:4000";`
			`};`
update many homelab services 2023-01-26 00:43:11 +03:00			`prometheus.enable = true;`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`queryLog.type = "console";`
server changes 2023-12-18 02:08:29 +03:00			`};`
update many homelab services 2023-01-26 00:43:11 +03:00			`};`
			`services.prometheus = {`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`enable = true;`
			`listenAddress = "127.0.0.1";`
			`globalConfig.scrape_interval = "15s";`
			`globalConfig.evaluation_interval = "15s";`
update many homelab services 2023-01-26 00:43:11 +03:00			`scrapeConfigs = [{`
			`job_name = "blocky";`
			`static_configs = [{`
server changes 2023-12-18 02:08:29 +03:00			`targets = [ blockyHttpPort ];`
update many homelab services 2023-01-26 00:43:11 +03:00			`}];`
			`}];`
			`};`
			`services.grafana = {`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`enable = true;`
update many homelab services 2023-01-26 00:43:11 +03:00			`settings = {`
			`analytics.reporting_enabled = false;`
server changes 2023-12-18 02:08:29 +03:00			`server = {`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`domain = "${nodeAddress}:${toString grafanaPort}";`
			`http_addr = nodeAddress;`
update many homelab services 2023-01-26 00:43:11 +03:00			`enable_gzip = true;`
			`};`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`panels.disable_sanitize_html = true;`
update many homelab services 2023-01-26 00:43:11 +03:00			`};`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`provision = {`
			`enable = true;`
			`datasources.settings = {`
			`datasources = [{`
			`name = "Prometheus";`
			`type = "prometheus";`
			`access = "proxy";`
			`orgId = 1;`
			`uid = "Y4SSG429DWCGDQ3R";`
			`url = "http://127.0.0.1:${toString config.services.prometheus.port}";`
			`isDefault = true;`
			`jsonData = {`
			`graphiteVersion = "1.1";`
			`tlsAuth = false;`
			`tlsAuthWithCACert = false;`
			`};`
			`version = 1;`
			`editable = true;`
			`}];`
			`};`
			`dashboards = {`
			`settings = {`
			`providers = [{`
			`name = "My Dashboards";`
			`options.path = "/etc/grafana-dashboards";`
			`}];`
update many homelab services 2023-01-26 00:43:11 +03:00			`};`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`};`
update many homelab services 2023-01-26 00:43:11 +03:00			`};`
			`};`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`environment.etc = {`
			`"grafana-dashboards/blocky_rev3.json" = {`
			`source = ../../misc/grafana_blocky_rev3.json;`
			`group = "grafana";`
			`user = "grafana";`
update many homelab services 2023-01-26 00:43:11 +03:00			`};`
			`};`
fix blocky container 2024-01-21 16:32:37 +03:00			`system.stateVersion = "23.11";`
update many homelab services 2023-01-26 00:43:11 +03:00			`};`
			`};`
			`}`