diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix
index 0b15518..78c3417 100644
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@@ -1,6 +1,5 @@
 { modulesPath, inputs, lib, pkgs, config, options, ... }:
-let
-  persistRoot = config.autoinstall.persist.persistRoot or "/persist";
+let persistRoot = config.autoinstall.persist.persistRoot or "/persist";
 in {
   imports = with inputs.self; [
     ./boot.nix
@@ -13,7 +12,6 @@ in {
     nixosProfiles.acme
     nixosProfiles.authentik
     nixosProfiles.battery-historian
-    nixosProfiles.blocky
     nixosProfiles.duplicacy
     nixosProfiles.fail2ban
     # nixosProfiles.firefox-syncserver
@@ -41,6 +39,11 @@ in {
     nixosProfiles.matrix
     nixosProfiles.atticd
     nixosProfiles.attic
+
+    (import nixosProfiles.blocky {
+      inherit config;
+      inherit (import ./dns-mapping.nix) dns-mapping;
+    })
   ];
 
   deviceSpecific.devInfo = {
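Review bot: The blocky profile is the only entry in `imports` that is called as a function (`import nixosProfiles.blocky { inherit config; … }`), and nothing says why it differs from the plain `nixosProfiles.*` entries around it. A short comment above it would explain the exception, e.g. `# imported manually so the host-specific dns-mapping can be passed as an argument`. Because the result is a plain attribute set rather than a path, the module system presumably cannot attribute option errors from it to `profiles/servers/blocky.nix`; confirm that is acceptable. The `imports` list starts outside this hunk.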
@@ -54,9 +57,7 @@ in {
       speed = 500;
       size = 500;
     };
-    gpu = {
-      vendor = "other";
-    };
+    gpu = { vendor = "other"; };
     bigScreen = false;
     ram = 12;
     fileSystem = "zfs";
@@ -98,7 +99,8 @@ in {
   services.udisks2.enable = lib.mkForce false;
 
   fonts.enableDefaultFonts = lib.mkForce false;
-  fonts.fonts = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];
+  fonts.fonts =
+    [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];
 
   security.polkit.enable = true;
   # security.pam.enableSSHAgentAuth = true;
@@ -112,8 +114,8 @@ in {
 
   # hardened
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = lib.mkDefault [];
-  networking.firewall.allowedUDPPorts = lib.mkDefault [];
+  networking.firewall.allowedTCPPorts = lib.mkDefault [ ];
+  networking.firewall.allowedUDPPorts = lib.mkDefault [ ];
   systemd.coredump.enable = false;
   programs.firejail.enable = true;
 
@@ -162,8 +164,15 @@ in {
       uri_default = "qemu:///system"
     '';
     home.packages = with pkgs; [
-      bat podman-compose micro bottom nix-index-update
-      pwgen comma kitty smartmontools
+      bat
+      bottom
+      comma
+      kitty
+      micro
+      nix-index-update
+      podman-compose
+      pwgen
+      smartmontools
     ];
     xdg.mime.enable = false;
     home.stateVersion = "22.11";
diff --git a/machines/Home-Hypervisor/dns-mapping.nix b/machines/Home-Hypervisor/dns-mapping.nix
new file mode 100644
index 0000000..4249b2a
--- /dev/null
+++ b/machines/Home-Hypervisor/dns-mapping.nix
@@ -0,0 +1,65 @@
+{
+  dns-mapping = {
+    customDNS = {
+      mapping = {
+        "coturn.pve" = "192.168.0.20";
+        "matrix.pve" = "192.168.0.11";
+        "monero.pve" = "192.168.0.13";
+        "nginx.pve" = "192.168.0.10";
+        "pihole.pve" = "192.168.0.5";
+        "proxmox.pve" = "192.168.0.10";
+        "sd.ataraxiadev.com" = "192.168.0.100";
+        "static.powernet.com.ru" = "10.200.201.167";
+        "tinyproxy.pve" = "192.168.0.9";
+        "wg.ataraxiadev.com" = "193.219.97.142";
+      };
+    };
+    conditional = {
+      mapping = { "pve" = "127.0.0.1"; };
+      rewrite = {
+        "api.ataraxiadev.com" = "ataraxiadev.com";
+        "ataraxiadev.com" = "nginx.pve";
+        "auth.ataraxiadev.com" = "ataraxiadev.com";
+        "bathist.ataraxiadev.com" = "bathist.ataraxiadev.com";
+        "browser.ataraxiadev.com" = "ataraxiadev.com";
+        "cache.ataraxiadev.com" = "ataraxiadev.com";
+        "cinny.ataraxiadev.com" = "matrix.ataraxiadev.com";
+        "cocalc.ataraxiadev.com" = "ataraxiadev.com";
+        "code.ataraxiadev.com" = "ataraxiadev.com";
+        "dimension.ataraxiadev.com" = "matrix.ataraxiadev.com";
+        "element.ataraxiadev.com" = "matrix.ataraxiadev.com";
+        "fb.ataraxiadev.com" = "ataraxiadev.com";
+        "file.ataraxiadev.com" = "ataraxiadev.com";
+        "fsync.ataraxiadev.com" = "ataraxiadev.com";
+        "goneb.ataraxiadev.com" = "matrix.ataraxiadev.com";
+        "home.ataraxiadev.com" = "ataraxiadev.com";
+        "jackett.ataraxiadev.com" = "ataraxiadev.com";
+        "jellyfin.ataraxiadev.com" = "ataraxiadev.com";
+        "jitsi.ataraxiadev.com" = "matrix.ataraxiadev.com";
+        "joplin.ataraxiadev.com" = "ataraxiadev.com";
+        "kavita.ataraxiadev.com" = "ataraxiadev.com";
+        "ldap.ataraxiadev.com" = "ataraxiadev.com";
+        "mail.ataraxiadev.com" = "ataraxiadev.com";
+        "matrix.ataraxiadev.com" = "nginx.pve";
+        "medusa.ataraxiadev.com" = "ataraxiadev.com";
+        "microbin.ataraxiadev.com" = "ataraxiadev.com";
+        "nzbhydra.ataraxiadev.com" = "ataraxiadev.com";
+        "openbooks.ataraxiadev.com" = "ataraxiadev.com";
+        "organizr.ataraxiadev.com" = "ataraxiadev.com";
+        "prowlarr.ataraxiadev.com" = "ataraxiadev.com";
+        "qbit.ataraxiadev.com" = "ataraxiadev.com";
+        "radarr.ataraxiadev.com" = "ataraxiadev.com";
+        "shoko.ataraxiadev.com" = "ataraxiadev.com";
+        "sonarr.ataraxiadev.com" = "ataraxiadev.com";
+        "sonarrtv.ataraxiadev.com" = "ataraxiadev.com";
+        "startpage.ataraxiadev.com" = "ataraxiadev.com";
+        "stats.ataraxiadev.com" = "matrix.ataraxiadev.com";
+        "tools.ataraxiadev.com" = "ataraxiadev.com";
+        "turn.ataraxiadev.com" = "coturn.pve";
+        "vw.ataraxiadev.com" = "ataraxiadev.com";
+        "webmail.ataraxiadev.com" = "ataraxiadev.com";
+        "www.ataraxiadev.com" = "ataraxiadev.com";
+      };
+    };
+  };
+}
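Review bot: The rewrite `"bathist.ataraxiadev.com" = "bathist.ataraxiadev.com";` maps the name to itself, while every other service entry points at `ataraxiadev.com`, `matrix.ataraxiadev.com` or a `.pve` host. It looks like a leftover from the router export and presumably should be `"bathist.ataraxiadev.com" = "ataraxiadev.com";`, which is worth confirming. The file appears to be produced by `scripts/routeros-dns-mapping.py` from the same commit, so a header comment such as `# Generated by scripts/routeros-dns-mapping.py; do not edit by hand` would keep manual edits from being overwritten on the next run.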
diff --git a/machines/NixOS-VPS/services/dns.nix b/machines/NixOS-VPS/services/dns.nix
index 14d1a09..a53a3c1 100644
--- a/machines/NixOS-VPS/services/dns.nix
+++ b/machines/NixOS-VPS/services/dns.nix
@@ -180,7 +180,7 @@ in {
   };
   environment.etc = {
     "grafana-dashboards/blocky_rev3.json" = {
-      source = ./grafana_blocky_rev3.json;
+      source = ../../../misc/grafana_blocky_rev3.json;
       group = "grafana";
       user = "grafana";
     };
diff --git a/machines/NixOS-VPS/services/grafana_blocky_rev3.json b/misc/grafana_blocky_rev3.json
similarity index 100%
rename from machines/NixOS-VPS/services/grafana_blocky_rev3.json
rename to misc/grafana_blocky_rev3.json
diff --git a/profiles/servers/blocky.nix b/profiles/servers/blocky.nix
index 0d8a3c7..d587988 100644
--- a/profiles/servers/blocky.nix
+++ b/profiles/servers/blocky.nix
@@ -1,138 +1,118 @@
-{ config, pkgs, lib, ... }: {
-
+{ config, dns-mapping ? {}, ... }:
+let
+  nodeAddress = "192.168.0.5";
+  wgAddress = "10.100.0.1";
+  wgConf = config.secrets.wg-hypervisor-dns.decrypted;
+in {
+  boot.kernelModules = [ "wireguard" ];
+  secrets.wg-hypervisor-dns.services = [ "container@blocky.service" ];
   containers.blocky = {
-    # extraFlags = [ "-U" ];
     autoStart = true;
     ephemeral = true;
     privateNetwork = true;
     hostBridge = "br0";
-    localAddress = "192.168.0.5/24";
+    localAddress = "${nodeAddress}/24";
     tmpfs = [ "/" ];
-    config = { config, pkgs, ... }: {
+    bindMounts."/var/secrets/${wgConf}" = {
+      hostPath = wgConf;
+      isReadOnly = true;
+    };
+    config = { config, pkgs, ... }:
+    let
+      grafanaPort = config.services.grafana.settings.server.http_port;
+      blockyPort = config.services.blocky.settings.port;
+    in {
       networking = {
         defaultGateway = "192.168.0.1";
         hostName = "blocky-node";
-        nameservers = [ "127.0.0.1" ];
+        nameservers = [];
         enableIPv6 = false;
         useHostResolvConf = false;
         firewall = {
           enable = true;
-          allowedTCPPorts = [
-            953
-            # config.services.prometheus.port
-            config.services.blocky.settings.port
-            # config.services.blocky.settings.httpPort
-            # config.services.grafana.settings.server.http_port
-          ];
-          allowedUDPPorts = [ 53 ];
-          rejectPackets = false;
+          allowedTCPPorts = [ blockyPort grafanaPort ];
+          allowedUDPPorts = [ blockyPort ];
         };
+
+        wg-quick.interfaces.wg0.configFile = "/var/secrets/${wgConf}";
       };
       services.blocky = {
         enable = true;
         settings = {
-          upstream.default = [ "127.0.0.1:953" ];
-          upstreamTimeout = "10s";
-          blocking = {
-            blackLists.ads = [
-              "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
-            ];
-            clientGroupsBlock.default = [ "ads" ];
+          upstream.default = [ wgAddress ];
+          upstreamTimeout = "15s";
+          caching = {
+            minTime = "0m"; # TTL
+            maxTime = "12h";
+            cacheTimeNegative = "1m";
+            prefetching = true;
           };
           port = 53;
-          httpPort = 4000;
-          # httpPort = 8080;
-          # httpsPort = 8443;
-          # customDNS = {
-          #   # customTTL = "1h";
-          #   # filterUnmappedTypes = "true";
-          #   mapping = {
-          #     "code.ataraxiadev.com" = "192.168.0.10";
-          #   };
-          # };
-          queryLog = {
-            type = "console";
-          };
+          httpPort = "127.0.0.1:4000";
           prometheus.enable = true;
-        };
+          queryLog.type = "console";
+        } // dns-mapping;
       };
       services.prometheus = {
-        # enable = true;
-        port = 9090;
-        listenAddress = "0.0.0.0";
-        globalConfig = {
-          scrape_interval = "15s";
-          evaluation_interval = "15s";
-        };
+        enable = true;
+        listenAddress = "127.0.0.1";
+        globalConfig.scrape_interval = "15s";
+        globalConfig.evaluation_interval = "15s";
         scrapeConfigs = [{
           job_name = "blocky";
           static_configs = [{
-            targets = [ "127.0.0.1:${toString config.services.blocky.settings.httpPort}" ];
+            targets = [ config.services.blocky.settings.httpPort ];
           }];
         }];
       };
       services.grafana = {
-        # enable = true;
-        settings = {
-          analytics.reporting_enabled = false;
-          server = {
-            http_port = 3000;
-            http_addr = "0.0.0.0";
-            enable_gzip = true;
-          };
-          security = {
-            admin_user = "admin";
-            admin_password = "admin";
-            # admin_password = "$__file(/var/secrets/grafana)";
-          };
-        };
-        provision.enable = true;
-        provision.datasources.settings = {
-          apiVersion = 1;
-          datasources = [{
-            name = "Prometheus";
-            type = "prometheus";
-            access = "proxy";
-            orgId = 1;
-            url = "127.0.0.1:${toString config.services.prometheus.port}";
-            isDefault = true;
-            jsonData = {
-              graphiteVersion = "1.1";
-              tlsAuth = false;
-              tlsAuthWithCACert = false;
-            };
-            version = 1;
-            editable = true;
-          }];
-          deleteDatasources = [{
-            name = "Prometheus";
-            orgId = 1;
-          }];
-        };
-      };
-      services.dnscrypt-proxy2 = {
         enable = true;
         settings = {
-          listen_addresses = [ "0.0.0.0:953" ];
-          ipv6_servers = false;
-          doh_servers = false;
-          require_dnssec = true;
-          require_nolog = true;
-          require_nofilter = true;
-          block_ipv6 = true;
-          bootstrap_resolvers = [ "9.9.9.9:53" "9.9.9.11:53" ];
-          sources = {
-            public-resolvers = {
-              urls = [
-                "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
-                "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
-              ];
-              cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
-              minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+          analytics.reporting_enabled = false;
+          server = rec {
+            domain = "${nodeAddress}:${toString grafanaPort}";
+            http_addr = nodeAddress;
+            enable_gzip = true;
+          };
+          panels.disable_sanitize_html = true;
+        };
+        provision = {
+          enable = true;
+          datasources.settings = {
+            datasources = [{
+              name = "Prometheus";
+              type = "prometheus";
+              access = "proxy";
+              orgId = 1;
+              uid = "Y4SSG429DWCGDQ3R";
+              url = "http://127.0.0.1:${toString config.services.prometheus.port}";
+              isDefault = true;
+              jsonData = {
+                graphiteVersion = "1.1";
+                tlsAuth = false;
+                tlsAuthWithCACert = false;
+              };
+              version = 1;
+              editable = true;
+            }];
+          };
+          dashboards = {
+            settings = {
+              providers = [{
+                name = "My Dashboards";
+                options.path = "/etc/grafana-dashboards";
+              }];
             };
           };
         };
       };
+      environment.etc = {
+        "grafana-dashboards/blocky_rev3.json" = {
+          source = ../../misc/grafana_blocky_rev3.json;
+          group = "grafana";
+          user = "grafana";
+        };
+      };
       system.stateVersion = "23.05";
     };
   };
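Review bot: Grafana is now enabled, bound to `nodeAddress` and opened in the container firewall (`allowedTCPPorts = [ blockyPort grafanaPort ]`), but the new `settings` block no longer sets `security.admin_password`, so the login falls back to the module default (Grafana's stock `admin` password unless it is overridden elsewhere). I would set it from a secret file, e.g. `security.admin_password = "$__file{/path/to/grafana-admin-secret}";` (placeholder path), bind-mounted read-only the same way as the WireGuard config. `panels.disable_sanitize_html = true;` also lets anyone who can edit a dashboard place unsanitized HTML and script in text panels; if the provisioned blocky dashboard needs it, say so in a comment next to the line, otherwise drop it. The `rec` on `server = rec { … }` is unused, since `domain` and `http_addr` only reference the outer `let` bindings. The module's closing brace lies outside this hunk.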
diff --git a/scripts/routeros-dns-mapping.py b/scripts/routeros-dns-mapping.py
new file mode 100755
index 0000000..d432f1b
--- /dev/null
+++ b/scripts/routeros-dns-mapping.py
@@ -0,0 +1,53 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i python3 -p python3
+
+import sys
+
+def main():
+    if len(sys.argv) < 2:
+        sys.exit(1)
+    tableFilename = sys.argv[1]
+    outFilename = sys.argv[2]
+    aRecordsList = []
+    cnameRecordsList = []
+    with open(outFilename, 'w') as outFile:
+
+        with open(tableFilename, 'r') as file:
+            while line := file.readline().rstrip():
+                dns = line.split(' ')
+                if 'disabled=yes' not in dns and 'name=router.lan' not in dns:
+                    if 'type=CNAME' in dns:
+                        name = [i for i in dns if i.startswith('name=')][0].split('=')[-1]
+                        cname = [i for i in dns if i.startswith('cname=')][0].split('=')[-1]
+                        cnameRecordsList.append(f'        "{name}" = "{cname}";')
+                    else:
+                        name = [i for i in dns if i.startswith('name=')][0].split('=')[-1]
+                        address = [i for i in dns if i.startswith('address=')][0].split('=')[-1]
+                        aRecordsList.append(f'        "{name}" = "{address}";')
+        aRecordsList.sort()
+        cnameRecordsList.sort()
+        print('{', file=outFile)
+        print('  dns-mapping = {', file=outFile)
+        print('    customDNS = {', file=outFile)
+        print('      mapping = {', file=outFile)
+
+        for dns in aRecordsList:
+            print(dns, file=outFile)
+
+        print('      };', file=outFile)
+        print('    };', file=outFile)
+        print('    conditional = {', file=outFile)
+        print('      mapping = { "pve" = "127.0.0.1"; };', file=outFile)
+        print('      rewrite = {', file=outFile)
+
+        for dns in cnameRecordsList:
+            print(dns, file=outFile)
+
+        print('      };', file=outFile)
+        print('    };', file=outFile)
+        print('  };', file=outFile)
+        print('}', file=outFile)
+
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
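Review bot: The argument check in `main()` tests `len(sys.argv) < 2` but the next lines read `sys.argv[2]`, so a call with only the table file raises IndexError instead of exiting cleanly; it should be `if len(sys.argv) < 3:`. The output file is also opened with `'w'` before the input is read, so a missing or malformed table leaves a truncated Nix file behind; parsing the table first and opening `outFilename` only afterwards avoids that. `name`, `cname` and `address` are written into Nix string literals unescaped, so a value containing `"` or `${` would change the generated expression; validating them against a hostname/IP pattern before appending keeps the output safe to import. Note also that `while line := file.readline().rstrip()` stops at the first blank line of the export.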