change blocky config on hypervisor

This commit is contained in:
Dmitriy Kholkin 2023-06-27 01:25:28 +03:00
parent dcb0386f8e
commit 8bdfac6b8c
6 changed files with 218 additions and 111 deletions


@ -1,6 +1,5 @@
{ modulesPath, inputs, lib, pkgs, config, options, ... }:
let
persistRoot = config.autoinstall.persist.persistRoot or "/persist";
let persistRoot = config.autoinstall.persist.persistRoot or "/persist";
in {
imports = with inputs.self; [
./boot.nix
@ -13,7 +12,6 @@ in {
nixosProfiles.acme
nixosProfiles.authentik
nixosProfiles.battery-historian
nixosProfiles.blocky
nixosProfiles.duplicacy
nixosProfiles.fail2ban
# nixosProfiles.firefox-syncserver
@ -41,6 +39,11 @@ in {
nixosProfiles.matrix
nixosProfiles.atticd
nixosProfiles.attic
(import nixosProfiles.blocky {
inherit config;
inherit (import ./dns-mapping.nix) dns-mapping;
})
];
deviceSpecific.devInfo = {
@ -54,9 +57,7 @@ in {
speed = 500;
size = 500;
};
gpu = {
vendor = "other";
};
gpu = { vendor = "other"; };
bigScreen = false;
ram = 12;
fileSystem = "zfs";
@ -98,7 +99,8 @@ in {
services.udisks2.enable = lib.mkForce false;
fonts.enableDefaultFonts = lib.mkForce false;
fonts.fonts = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];
fonts.fonts =
[ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];
security.polkit.enable = true;
# security.pam.enableSSHAgentAuth = true;
@ -112,8 +114,8 @@ in {
# hardened
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = lib.mkDefault [];
networking.firewall.allowedUDPPorts = lib.mkDefault [];
networking.firewall.allowedTCPPorts = lib.mkDefault [ ];
networking.firewall.allowedUDPPorts = lib.mkDefault [ ];
systemd.coredump.enable = false;
programs.firejail.enable = true;
@ -162,8 +164,15 @@ in {
uri_default = "qemu:///system"
'';
home.packages = with pkgs; [
bat podman-compose micro bottom nix-index-update
pwgen comma kitty smartmontools
bat
bottom
comma
kitty
micro
nix-index-update
podman-compose
pwgen
smartmontools
];
xdg.mime.enable = false;
home.stateVersion = "22.11";


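--- /dev/null
+++ b/dns-mapping.nix
@@ -0,0 +1,65 @@
+{
+dns-mapping = {
+customDNS = {
+mapping = {
+"coturn.pve" = "192.168.0.20";
+"matrix.pve" = "192.168.0.11";
+"monero.pve" = "192.168.0.13";
+"nginx.pve" = "192.168.0.10";
+"pihole.pve" = "192.168.0.5";
+"proxmox.pve" = "192.168.0.10";
+"sd.ataraxiadev.com" = "192.168.0.100";
+"static.powernet.com.ru" = "10.200.201.167";
+"tinyproxy.pve" = "192.168.0.9";
+"wg.ataraxiadev.com" = "193.219.97.142";
+};
+};
+conditional = {
+mapping = { "pve" = "127.0.0.1"; };
+rewrite = {
+"api.ataraxiadev.com" = "ataraxiadev.com";
+"ataraxiadev.com" = "nginx.pve";
+"auth.ataraxiadev.com" = "ataraxiadev.com";
+"bathist.ataraxiadev.com" = "bathist.ataraxiadev.com";
+"browser.ataraxiadev.com" = "ataraxiadev.com";
+"cache.ataraxiadev.com" = "ataraxiadev.com";
+"cinny.ataraxiadev.com" = "matrix.ataraxiadev.com";
+"cocalc.ataraxiadev.com" = "ataraxiadev.com";
+"code.ataraxiadev.com" = "ataraxiadev.com";
+"dimension.ataraxiadev.com" = "matrix.ataraxiadev.com";
+"element.ataraxiadev.com" = "matrix.ataraxiadev.com";
+"fb.ataraxiadev.com" = "ataraxiadev.com";
+"file.ataraxiadev.com" = "ataraxiadev.com";
+"fsync.ataraxiadev.com" = "ataraxiadev.com";
+"goneb.ataraxiadev.com" = "matrix.ataraxiadev.com";
+"home.ataraxiadev.com" = "ataraxiadev.com";
+"jackett.ataraxiadev.com" = "ataraxiadev.com";
+"jellyfin.ataraxiadev.com" = "ataraxiadev.com";
+"jitsi.ataraxiadev.com" = "matrix.ataraxiadev.com";
+"joplin.ataraxiadev.com" = "ataraxiadev.com";
+"kavita.ataraxiadev.com" = "ataraxiadev.com";
+"ldap.ataraxiadev.com" = "ataraxiadev.com";
+"mail.ataraxiadev.com" = "ataraxiadev.com";
+"matrix.ataraxiadev.com" = "nginx.pve";
+"medusa.ataraxiadev.com" = "ataraxiadev.com";
+"microbin.ataraxiadev.com" = "ataraxiadev.com";
+"nzbhydra.ataraxiadev.com" = "ataraxiadev.com";
+"openbooks.ataraxiadev.com" = "ataraxiadev.com";
+"organizr.ataraxiadev.com" = "ataraxiadev.com";
+"prowlarr.ataraxiadev.com" = "ataraxiadev.com";
+"qbit.ataraxiadev.com" = "ataraxiadev.com";
+"radarr.ataraxiadev.com" = "ataraxiadev.com";
+"shoko.ataraxiadev.com" = "ataraxiadev.com";
+"sonarr.ataraxiadev.com" = "ataraxiadev.com";
+"sonarrtv.ataraxiadev.com" = "ataraxiadev.com";
+"startpage.ataraxiadev.com" = "ataraxiadev.com";
+"stats.ataraxiadev.com" = "matrix.ataraxiadev.com";
+"tools.ataraxiadev.com" = "ataraxiadev.com";
+"turn.ataraxiadev.com" = "coturn.pve";
+"vw.ataraxiadev.com" = "ataraxiadev.com";
+"webmail.ataraxiadev.com" = "ataraxiadev.com";
+"www.ataraxiadev.com" = "ataraxiadev.com";
+};
+};
+};
+}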
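Review bot: `conditional.mapping = { "pve" = "127.0.0.1"; }` forwards every `*.pve` query to the resolver on loopback, and in the blocky container this commit configures (`nameservers = []`, blocky listening on port 53) that is blocky itself — which looks intended so that names rewritten to `nginx.pve` or `coturn.pve` get answered by `customDNS`, but any `.pve` name that is not in `customDNS.mapping` (a typo, a removed host, or `api.nginx.pve` if a subdomain is rewritten through the parent key) is forwarded back to the same resolver over and over until `upstreamTimeout` instead of returning NXDOMAIN promptly. Rewrite keys are matched as domain suffixes, so a query for `api.ataraxiadev.com` matches both the `"api.ataraxiadev.com"` entry and the parent `"ataraxiadev.com" = "nginx.pve"` entry; which one wins depends on blocky's rewriter, so verify with `dig @192.168.0.5 api.ataraxiadev.com` and `dig @192.168.0.5 nonexistent.pve` that the answers are the expected ones and that the latter fails fast. `"bathist.ataraxiadev.com" = "bathist.ataraxiadev.com";` is an identity rewrite that does nothing useful and should be dropped here and filtered out by the generator. This file also records internal and public endpoint addresses; if the repository is public that is a ready-made inventory, so make sure that exposure is deliberate.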


@ -180,7 +180,7 @@ in {
};
environment.etc = {
"grafana-dashboards/blocky_rev3.json" = {
source = ./grafana_blocky_rev3.json;
source = ../../../misc/grafana_blocky_rev3.json;
group = "grafana";
user = "grafana";
};


@ -1,138 +1,118 @@
{ config, pkgs, lib, ... }: {
{ config, dns-mapping ? {}, ... }:
let
nodeAddress = "192.168.0.5";
wgAddress = "10.100.0.1";
wgConf = config.secrets.wg-hypervisor-dns.decrypted;
in {
boot.kernelModules = [ "wireguard" ];
secrets.wg-hypervisor-dns.services = [ "container@blocky.service" ];
containers.blocky = {
# extraFlags = [ "-U" ];
autoStart = true;
ephemeral = true;
privateNetwork = true;
hostBridge = "br0";
localAddress = "192.168.0.5/24";
localAddress = "${nodeAddress}/24";
tmpfs = [ "/" ];
config = { config, pkgs, ... }: {
bindMounts."/var/secrets/${wgConf}" = {
hostPath = wgConf;
isReadOnly = true;
};
config = { config, pkgs, ... }:
let
grafanaPort = config.services.grafana.settings.server.http_port;
blockyPort = config.services.blocky.settings.port;
in {
networking = {
defaultGateway = "192.168.0.1";
hostName = "blocky-node";
nameservers = [ "127.0.0.1" ];
nameservers = [];
enableIPv6 = false;
useHostResolvConf = false;
firewall = {
enable = true;
allowedTCPPorts = [
953
# config.services.prometheus.port
config.services.blocky.settings.port
# config.services.blocky.settings.httpPort
# config.services.grafana.settings.server.http_port
];
allowedUDPPorts = [ 53 ];
rejectPackets = false;
allowedTCPPorts = [ blockyPort grafanaPort ];
allowedUDPPorts = [ blockyPort ];
};
wg-quick.interfaces.wg0.configFile = "/var/secrets/${wgConf}";
};
services.blocky = {
enable = true;
settings = {
upstream.default = [ "127.0.0.1:953" ];
upstreamTimeout = "10s";
blocking = {
blackLists.ads = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
];
clientGroupsBlock.default = [ "ads" ];
upstream.default = [ wgAddress ];
upstreamTimeout = "15s";
caching = {
minTime = "0m"; # TTL
maxTime = "12h";
cacheTimeNegative = "1m";
prefetching = true;
};
port = 53;
httpPort = 4000;
# httpPort = 8080;
# httpsPort = 8443;
# customDNS = {
# # customTTL = "1h";
# # filterUnmappedTypes = "true";
# mapping = {
# "code.ataraxiadev.com" = "192.168.0.10";
# };
# };
queryLog = {
type = "console";
};
httpPort = "127.0.0.1:4000";
prometheus.enable = true;
};
queryLog.type = "console";
} // dns-mapping;
};
services.prometheus = {
# enable = true;
port = 9090;
listenAddress = "0.0.0.0";
globalConfig = {
scrape_interval = "15s";
evaluation_interval = "15s";
};
enable = true;
listenAddress = "127.0.0.1";
globalConfig.scrape_interval = "15s";
globalConfig.evaluation_interval = "15s";
scrapeConfigs = [{
job_name = "blocky";
static_configs = [{
targets = [ "127.0.0.1:${toString config.services.blocky.settings.httpPort}" ];
targets = [ config.services.blocky.settings.httpPort ];
}];
}];
};
services.grafana = {
# enable = true;
settings = {
analytics.reporting_enabled = false;
server = {
http_port = 3000;
http_addr = "0.0.0.0";
enable_gzip = true;
};
security = {
admin_user = "admin";
admin_password = "admin";
# admin_password = "$__file(/var/secrets/grafana)";
};
};
provision.enable = true;
provision.datasources.settings = {
apiVersion = 1;
datasources = [{
name = "Prometheus";
type = "prometheus";
access = "proxy";
orgId = 1;
url = "127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
jsonData = {
graphiteVersion = "1.1";
tlsAuth = false;
tlsAuthWithCACert = false;
};
version = 1;
editable = true;
}];
deleteDatasources = [{
name = "Prometheus";
orgId = 1;
}];
};
};
services.dnscrypt-proxy2 = {
enable = true;
settings = {
listen_addresses = [ "0.0.0.0:953" ];
ipv6_servers = false;
doh_servers = false;
require_dnssec = true;
require_nolog = true;
require_nofilter = true;
block_ipv6 = true;
bootstrap_resolvers = [ "9.9.9.9:53" "9.9.9.11:53" ];
sources = {
public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
analytics.reporting_enabled = false;
server = rec {
domain = "${nodeAddress}:${toString grafanaPort}";
http_addr = nodeAddress;
enable_gzip = true;
};
panels.disable_sanitize_html = true;
};
provision = {
enable = true;
datasources.settings = {
datasources = [{
name = "Prometheus";
type = "prometheus";
access = "proxy";
orgId = 1;
uid = "Y4SSG429DWCGDQ3R";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
jsonData = {
graphiteVersion = "1.1";
tlsAuth = false;
tlsAuthWithCACert = false;
};
version = 1;
editable = true;
}];
};
dashboards = {
settings = {
providers = [{
name = "My Dashboards";
options.path = "/etc/grafana-dashboards";
}];
};
};
};
};
environment.etc = {
"grafana-dashboards/blocky_rev3.json" = {
source = ../../misc/grafana_blocky_rev3.json;
group = "grafana";
user = "grafana";
};
};
system.stateVersion = "23.05";
};
};
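Review bot: The rewritten `services.grafana.settings` block drops the `security.admin_user`/`admin_password` settings the previous version carried, while `server.http_addr = nodeAddress` plus `allowedTCPPorts = [ blockyPort grafanaPort ]` now expose the UI on the bridged LAN address, so the instance comes up with Grafana's stock default admin credentials reachable from the network. Because the container is `ephemeral = true` with `tmpfs = [ "/" ]`, a password changed through the UI is lost on every restart, so the only durable option is the declarative one the removed comment pointed at: `security.admin_password = "$__file(/var/secrets/grafana)";` with that secret bind-mounted read-only into the container the same way `wgConf` is. `panels.disable_sanitize_html = true` additionally switches off Grafana's HTML sanitisation for panel content, which only makes sense if no one but the admin can edit dashboards; I would leave it at the default unless a provisioned dashboard demonstrably needs it. Whether Grafana is enabled at all is not visible in this hunk (`# enable = true;` appears once, without a side), so confirm that before relying on the firewall rule either way.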

53
scripts/routeros-dns-mapping.py Executable file

@ -0,0 +1,53 @@
#! /usr/bin/env nix-shell
#! nix-shell -i python3 -p python3
import sys
def main():
if len(sys.argv) < 2:
sys.exit(1)
tableFilename = sys.argv[1]
outFilename = sys.argv[2]
aRecordsList = []
cnameRecordsList = []
with open(outFilename, 'w') as outFile:
with open(tableFilename, 'r') as file:
while line := file.readline().rstrip():
dns = line.split(' ')
if 'disabled=yes' not in dns and 'name=router.lan' not in dns:
if 'type=CNAME' in dns:
name = [i for i in dns if i.startswith('name=')][0].split('=')[-1]
cname = [i for i in dns if i.startswith('cname=')][0].split('=')[-1]
cnameRecordsList.append(f' "{name}" = "{cname}";')
else:
name = [i for i in dns if i.startswith('name=')][0].split('=')[-1]
address = [i for i in dns if i.startswith('address=')][0].split('=')[-1]
aRecordsList.append(f' "{name}" = "{address}";')
aRecordsList.sort()
cnameRecordsList.sort()
print('{', file=outFile)
print(' dns-mapping = {', file=outFile)
print(' customDNS = {', file=outFile)
print(' mapping = {', file=outFile)
for dns in aRecordsList:
print(dns, file=outFile)
print(' };', file=outFile)
print(' };', file=outFile)
print(' conditional = {', file=outFile)
print(' mapping = { "pve" = "127.0.0.1"; };', file=outFile)
print(' rewrite = {', file=outFile)
for dns in cnameRecordsList:
print(dns, file=outFile)
print(' };', file=outFile)
print(' };', file=outFile)
print(' };', file=outFile)
print('}', file=outFile)
if __name__ == '__main__':
main()
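Review bot: The argument check at the top of `main()` is off by one — `len(sys.argv) < 2` admits a single argument, yet `sys.argv[2]` is read unconditionally two lines later, so invoking the script with only the table path dies with an IndexError instead of the intended exit; use `if len(sys.argv) < 3: sys.exit("usage: routeros-dns-mapping.py TABLE OUTFILE")`. The `while line := file.readline().rstrip()` loop also stops at the first blank line (an empty string is falsy), so an export with a blank line in the middle silently yields a truncated mapping; `for raw in file:` with `line = raw.rstrip()` and `if not line: continue` keeps reading. Each record is further assumed to carry `name=` and `address=`/`cname=` fields (`[...][0]` raises IndexError otherwise), and the values are pasted into Nix string literals unescaped, so a `"` or `${` in a RouterOS entry would break or alter the generated file — acceptable for a trusted router export, but worth stating with `# values are emitted unescaped: input must be a trusted RouterOS static-DNS export`. Opening the output for writing before the input is read also leaves an empty output file behind when the input path is wrong; read and parse first, then write.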