From 8bdfac6b8ccbd1f490407dc466f0018e3a6f8bee Mon Sep 17 00:00:00 2001 From: Dmitriy Kholkin Date: Tue, 27 Jun 2023 01:25:28 +0300 Subject: [PATCH] change blocky config on hypervisor --- machines/Home-Hypervisor/default.nix | 31 +-- machines/Home-Hypervisor/dns-mapping.nix | 65 +++++++ machines/NixOS-VPS/services/dns.nix | 2 +- .../grafana_blocky_rev3.json | 0 profiles/servers/blocky.nix | 178 ++++++++---------- scripts/routeros-dns-mapping.py | 53 ++++++ 6 files changed, 218 insertions(+), 111 deletions(-) create mode 100644 machines/Home-Hypervisor/dns-mapping.nix rename {machines/NixOS-VPS/services => misc}/grafana_blocky_rev3.json (100%) create mode 100755 scripts/routeros-dns-mapping.py diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix index 0b15518..78c3417 100644 --- a/machines/Home-Hypervisor/default.nix +++ b/machines/Home-Hypervisor/default.nix @@ -1,6 +1,5 @@ { modulesPath, inputs, lib, pkgs, config, options, ... }: -let - persistRoot = config.autoinstall.persist.persistRoot or "/persist"; +let persistRoot = config.autoinstall.persist.persistRoot or "/persist"; in { imports = with inputs.self; [ ./boot.nix @@ -13,7 +12,6 @@ in { nixosProfiles.acme nixosProfiles.authentik nixosProfiles.battery-historian - nixosProfiles.blocky nixosProfiles.duplicacy nixosProfiles.fail2ban # nixosProfiles.firefox-syncserver @@ -41,6 +39,11 @@ in { nixosProfiles.matrix nixosProfiles.atticd nixosProfiles.attic + + (import nixosProfiles.blocky { + inherit config; + inherit (import ./dns-mapping.nix) dns-mapping; + }) ]; deviceSpecific.devInfo = { @@ -54,9 +57,7 @@ in { speed = 500; size = 500; }; - gpu = { - vendor = "other"; - }; + gpu = { vendor = "other"; }; bigScreen = false; ram = 12; fileSystem = "zfs"; 
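Review bot: In the `@@ -41,6 +39,11 @@` hunk the blocky profile is called as a plain function with `inherit config;` instead of being listed as a module, which sidesteps the module system's own argument passing; `config` is already injected into every module, so the only value that genuinely needs passing is `dns-mapping`. The conventional form keeps `nixosProfiles.blocky` in the list and sets `_module.args.dns-mapping = (import ./dns-mapping.nix).dns-mapping;` beside it, which lets the profile keep its normal `{ config, dns-mapping ? {}, ... }` signature. Referencing `config` inside `imports` is also the usual trigger for infinite recursion during module evaluation; here it is only passed through lazily, so it presumably evaluates, but a one-line comment explaining why the profile is imported this way would spare the next reader that question.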
@@ -98,7 +99,8 @@ in { services.udisks2.enable = lib.mkForce false; fonts.enableDefaultFonts = lib.mkForce false; - fonts.fonts = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ]; + fonts.fonts = + [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ]; security.polkit.enable = true; # security.pam.enableSSHAgentAuth = true; @@ -112,8 +114,8 @@ in { # hardened networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = lib.mkDefault []; - networking.firewall.allowedUDPPorts = lib.mkDefault []; + networking.firewall.allowedTCPPorts = lib.mkDefault [ ]; + networking.firewall.allowedUDPPorts = lib.mkDefault [ ]; systemd.coredump.enable = false; programs.firejail.enable = true; @@ -162,8 +164,15 @@ in { uri_default = "qemu:///system" ''; home.packages = with pkgs; [ - bat podman-compose micro bottom nix-index-update - pwgen comma kitty smartmontools + bat + bottom + comma + kitty + micro + nix-index-update + podman-compose + pwgen + smartmontools ]; xdg.mime.enable = false; home.stateVersion = "22.11"; diff --git a/machines/Home-Hypervisor/dns-mapping.nix b/machines/Home-Hypervisor/dns-mapping.nix new file mode 100644 index 0000000..4249b2a --- /dev/null +++ b/machines/Home-Hypervisor/dns-mapping.nix 
@@ -0,0 +1,65 @@ +{ + dns-mapping = { + customDNS = { + mapping = { + "coturn.pve" = "192.168.0.20"; + "matrix.pve" = "192.168.0.11"; + "monero.pve" = "192.168.0.13"; + "nginx.pve" = "192.168.0.10"; + "pihole.pve" = "192.168.0.5"; + "proxmox.pve" = "192.168.0.10"; + "sd.ataraxiadev.com" = "192.168.0.100"; + "static.powernet.com.ru" = "10.200.201.167"; + "tinyproxy.pve" = "192.168.0.9"; + "wg.ataraxiadev.com" = "193.219.97.142"; + }; + }; + conditional = { + mapping = { "pve" = "127.0.0.1"; }; + rewrite = { + "api.ataraxiadev.com" = "ataraxiadev.com"; + "ataraxiadev.com" = "nginx.pve"; + "auth.ataraxiadev.com" = "ataraxiadev.com"; + "bathist.ataraxiadev.com" = "bathist.ataraxiadev.com"; + "browser.ataraxiadev.com" = "ataraxiadev.com"; + "cache.ataraxiadev.com" = "ataraxiadev.com"; + "cinny.ataraxiadev.com" = "matrix.ataraxiadev.com"; + "cocalc.ataraxiadev.com" = "ataraxiadev.com"; + "code.ataraxiadev.com" = "ataraxiadev.com"; + "dimension.ataraxiadev.com" = "matrix.ataraxiadev.com"; + "element.ataraxiadev.com" = "matrix.ataraxiadev.com"; + "fb.ataraxiadev.com" = "ataraxiadev.com"; + "file.ataraxiadev.com" = "ataraxiadev.com"; + "fsync.ataraxiadev.com" = "ataraxiadev.com"; + "goneb.ataraxiadev.com" = "matrix.ataraxiadev.com"; + "home.ataraxiadev.com" = "ataraxiadev.com"; + "jackett.ataraxiadev.com" = "ataraxiadev.com"; + "jellyfin.ataraxiadev.com" = "ataraxiadev.com"; + "jitsi.ataraxiadev.com" = "matrix.ataraxiadev.com"; + "joplin.ataraxiadev.com" = "ataraxiadev.com"; + "kavita.ataraxiadev.com" = "ataraxiadev.com"; + "ldap.ataraxiadev.com" = "ataraxiadev.com"; + "mail.ataraxiadev.com" = "ataraxiadev.com"; + "matrix.ataraxiadev.com" = "nginx.pve"; + "medusa.ataraxiadev.com" = "ataraxiadev.com"; + "microbin.ataraxiadev.com" = "ataraxiadev.com"; + "nzbhydra.ataraxiadev.com" = "ataraxiadev.com"; + "openbooks.ataraxiadev.com" = "ataraxiadev.com"; + "organizr.ataraxiadev.com" = "ataraxiadev.com"; + "prowlarr.ataraxiadev.com" = "ataraxiadev.com"; + "qbit.ataraxiadev.com" = 
"ataraxiadev.com"; + "radarr.ataraxiadev.com" = "ataraxiadev.com"; + "shoko.ataraxiadev.com" = "ataraxiadev.com"; + "sonarr.ataraxiadev.com" = "ataraxiadev.com"; + "sonarrtv.ataraxiadev.com" = "ataraxiadev.com"; + "startpage.ataraxiadev.com" = "ataraxiadev.com"; + "stats.ataraxiadev.com" = "matrix.ataraxiadev.com"; + "tools.ataraxiadev.com" = "ataraxiadev.com"; + "turn.ataraxiadev.com" = "coturn.pve"; + "vw.ataraxiadev.com" = "ataraxiadev.com"; + "webmail.ataraxiadev.com" = "ataraxiadev.com"; + "www.ataraxiadev.com" = "ataraxiadev.com"; + }; + }; + }; +} diff --git a/machines/NixOS-VPS/services/dns.nix b/machines/NixOS-VPS/services/dns.nix index 14d1a09..a53a3c1 100644 --- a/machines/NixOS-VPS/services/dns.nix +++ b/machines/NixOS-VPS/services/dns.nix @@ -180,7 +180,7 @@ in { }; environment.etc = { "grafana-dashboards/blocky_rev3.json" = { - source = ./grafana_blocky_rev3.json; + source = ../../../misc/grafana_blocky_rev3.json; group = "grafana"; user = "grafana"; }; diff --git a/machines/NixOS-VPS/services/grafana_blocky_rev3.json b/misc/grafana_blocky_rev3.json similarity index 100% rename from machines/NixOS-VPS/services/grafana_blocky_rev3.json rename to misc/grafana_blocky_rev3.json diff --git a/profiles/servers/blocky.nix b/profiles/servers/blocky.nix index 0d8a3c7..d587988 100644 --- a/profiles/servers/blocky.nix +++ b/profiles/servers/blocky.nix 
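Review bot: The file is machine-generated by scripts/routeros-dns-mapping.py (the script's print calls emit exactly this layout) but carries no marker saying so, so hand edits will be silently overwritten by the next export; add a first line `# Generated by scripts/routeros-dns-mapping.py from the RouterOS static DNS table -- do not edit by hand.` Inside `conditional.rewrite`, `"bathist.ataraxiadev.com" = "bathist.ataraxiadev.com";` rewrites a name to itself, which looks like a self-referential CNAME in the router export rather than an intentional entry and is worth checking at the source record. The file also commits the LAN and upstream addressing (`192.168.0.x`, `10.200.201.167`, the `wg.` and `static.` hosts) to the repository, which is fine for a private configuration but should be a conscious choice if the repository is shared.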
@@ -1,138 +1,118 @@ -{ config, pkgs, lib, ... }: { - +{ config, dns-mapping ? {}, ... }: +let + nodeAddress = "192.168.0.5"; + wgAddress = "10.100.0.1"; + wgConf = config.secrets.wg-hypervisor-dns.decrypted; +in { + boot.kernelModules = [ "wireguard" ]; + secrets.wg-hypervisor-dns.services = [ "container@blocky.service" ]; containers.blocky = { - # extraFlags = [ "-U" ]; autoStart = true; ephemeral = true; privateNetwork = true; hostBridge = "br0"; - localAddress = "192.168.0.5/24"; + localAddress = "${nodeAddress}/24"; tmpfs = [ "/" ]; - config = { config, pkgs, ... }: { + bindMounts."/var/secrets/${wgConf}" = { + hostPath = wgConf; + isReadOnly = true; + }; + config = { config, pkgs, ... }: + let + grafanaPort = config.services.grafana.settings.server.http_port; + blockyPort = config.services.blocky.settings.port; + in { networking = { defaultGateway = "192.168.0.1"; hostName = "blocky-node"; - nameservers = [ "127.0.0.1" ]; + nameservers = []; enableIPv6 = false; useHostResolvConf = false; firewall = { enable = true; - allowedTCPPorts = [ - 953 - # config.services.prometheus.port - config.services.blocky.settings.port - # config.services.blocky.settings.httpPort - # config.services.grafana.settings.server.http_port - ]; - allowedUDPPorts = [ 53 ]; - rejectPackets = false; + allowedTCPPorts = [ blockyPort grafanaPort ]; + allowedUDPPorts = [ blockyPort ]; }; + + wg-quick.interfaces.wg0.configFile = "/var/secrets/${wgConf}"; }; services.blocky = { enable = true; settings = { - upstream.default = [ "127.0.0.1:953" ]; - upstreamTimeout = "10s"; - blocking = { - blackLists.ads = [ - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" - ]; - clientGroupsBlock.default = [ "ads" ]; + upstream.default = [ wgAddress ]; + upstreamTimeout = "15s"; + caching = { + minTime = "0m"; # TTL + maxTime = "12h"; + cacheTimeNegative = "1m"; + prefetching = true; }; port = 53; - httpPort = 4000; - # httpPort = 8080; - # httpsPort = 8443; - # customDNS = { - # # 
customTTL = "1h"; - # # filterUnmappedTypes = "true"; - # mapping = { - # "code.ataraxiadev.com" = "192.168.0.10"; - # }; - # }; - queryLog = { - type = "console"; - }; + httpPort = "127.0.0.1:4000"; prometheus.enable = true; - }; + queryLog.type = "console"; + } // dns-mapping; }; services.prometheus = { - # enable = true; - port = 9090; - listenAddress = "0.0.0.0"; - globalConfig = { - scrape_interval = "15s"; - evaluation_interval = "15s"; - }; + enable = true; + listenAddress = "127.0.0.1"; + globalConfig.scrape_interval = "15s"; + globalConfig.evaluation_interval = "15s"; scrapeConfigs = [{ job_name = "blocky"; static_configs = [{ - targets = [ "127.0.0.1:${toString config.services.blocky.settings.httpPort}" ]; + targets = [ config.services.blocky.settings.httpPort ]; }]; }]; }; services.grafana = { - # enable = true; - settings = { - analytics.reporting_enabled = false; - server = { - http_port = 3000; - http_addr = "0.0.0.0"; - enable_gzip = true; - }; - security = { - admin_user = "admin"; - admin_password = "admin"; - # admin_password = "$__file(/var/secrets/grafana)"; - }; - }; - provision.enable = true; - provision.datasources.settings = { - apiVersion = 1; - datasources = [{ - name = "Prometheus"; - type = "prometheus"; - access = "proxy"; - orgId = 1; - url = "127.0.0.1:${toString config.services.prometheus.port}"; - isDefault = true; - jsonData = { - graphiteVersion = "1.1"; - tlsAuth = false; - tlsAuthWithCACert = false; - }; - version = 1; - editable = true; - }]; - deleteDatasources = [{ - name = "Prometheus"; - orgId = 1; - }]; - }; - }; - services.dnscrypt-proxy2 = { enable = true; settings = { - listen_addresses = [ "0.0.0.0:953" ]; - ipv6_servers = false; - doh_servers = false; - require_dnssec = true; - require_nolog = true; - require_nofilter = true; - block_ipv6 = true; - bootstrap_resolvers = [ "9.9.9.9:53" "9.9.9.11:53" ]; - sources = { - public-resolvers = { - urls = [ - 
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; - cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; - minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + analytics.reporting_enabled = false; + server = rec { + domain = "${nodeAddress}:${toString grafanaPort}"; + http_addr = nodeAddress; + enable_gzip = true; + }; + panels.disable_sanitize_html = true; + }; + provision = { + enable = true; + datasources.settings = { + datasources = [{ + name = "Prometheus"; + type = "prometheus"; + access = "proxy"; + orgId = 1; + uid = "Y4SSG429DWCGDQ3R"; + url = "http://127.0.0.1:${toString config.services.prometheus.port}"; + isDefault = true; + jsonData = { + graphiteVersion = "1.1"; + tlsAuth = false; + tlsAuthWithCACert = false; + }; + version = 1; + editable = true; + }]; + }; + dashboards = { + settings = { + providers = [{ + name = "My Dashboards"; + options.path = "/etc/grafana-dashboards"; + }]; }; }; }; }; + environment.etc = { + "grafana-dashboards/blocky_rev3.json" = { + source = ../../misc/grafana_blocky_rev3.json; + group = "grafana"; + user = "grafana"; + }; + }; system.stateVersion = "23.05"; }; }; diff --git a/scripts/routeros-dns-mapping.py b/scripts/routeros-dns-mapping.py new file mode 100755 index 0000000..d432f1b --- /dev/null +++ b/scripts/routeros-dns-mapping.py 
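Review bot: `panels.disable_sanitize_html = true;` in the Grafana settings switches off the HTML sanitizer for panel content, so any dashboard or datasource text can inject markup and script into the Grafana UI, and in the same hunk Grafana is now bound to the bridge address (`http_addr = nodeAddress;`, its port opened in `allowedTCPPorts`) while the `security.admin_user`/`admin_password` block was dropped, leaving Grafana's built-in default credentials; as far as the hunk shows, neither is required by the provisioned blocky dashboard. Suggest removing `panels.disable_sanitize_html = true;` (or adding a comment naming the panel that needs it) and setting `security.admin_password = "$__file(/var/secrets/grafana)";` through the same `secrets` mechanism this profile already uses for `wg-hypervisor-dns`. Separately, `bindMounts."/var/secrets/${wgConf}"` and `wg-quick.interfaces.wg0.configFile = "/var/secrets/${wgConf}"` prepend `/var/secrets/` to `config.secrets.wg-hypervisor-dns.decrypted`, which is also used as `hostPath`; if that option is an absolute host path the in-container path becomes double-rooted, so confirm what it evaluates to. The container also has `nameservers = []` with `useHostResolvConf = false`, so a WireGuard endpoint written as a hostname in the config file cannot be resolved from inside the container; fine if the endpoint is an IP, otherwise worth a comment.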
@@ -0,0 +1,53 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i python3 -p python3
+
+import sys
+
+def main():
+ if len(sys.argv) < 2:
+ sys.exit(1)
+ tableFilename = sys.argv[1]
+ outFilename = sys.argv[2]
+ aRecordsList = []
+ cnameRecordsList = []
+ with open(outFilename, 'w') as outFile:
+
+ with open(tableFilename, 'r') as file:
+ while line := file.readline().rstrip():
+ dns = line.split(' ')
+ if 'disabled=yes' not in dns and 'name=router.lan' not in dns:
+ if 'type=CNAME' in dns:
+ name = [i for i in dns if i.startswith('name=')][0].split('=')[-1]
+ cname = [i for i in dns if i.startswith('cname=')][0].split('=')[-1]
+ cnameRecordsList.append(f' "{name}" = "{cname}";')
+ else:
+ name = [i for i in dns if i.startswith('name=')][0].split('=')[-1]
+ address = [i for i in dns if i.startswith('address=')][0].split('=')[-1]
+ aRecordsList.append(f' "{name}" = "{address}";')
+ aRecordsList.sort()
+ cnameRecordsList.sort()
+ print('{', file=outFile)
+ print(' dns-mapping = {', file=outFile)
+ print(' customDNS = {', file=outFile)
+ print(' mapping = {', file=outFile)
+
+ for dns in aRecordsList:
+ print(dns, file=outFile)
+
+ print(' };', file=outFile)
+ print(' };', file=outFile)
+ print(' conditional = {', file=outFile)
+ print(' mapping = { "pve" = "127.0.0.1"; };', file=outFile)
+ print(' rewrite = {', file=outFile)
+
+ for dns in cnameRecordsList:
+ print(dns, file=outFile)
+
+ print(' };', file=outFile)
+ print(' };', file=outFile)
+ print(' };', file=outFile)
+ print('}', file=outFile)
+
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
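Review bot: `if len(sys.argv) < 2: sys.exit(1)` guards only the first argument, yet `sys.argv[2]` is read unconditionally two lines later, so invoking the script with a single argument dies with an IndexError instead of the intended exit; the check should read `if len(sys.argv) < 3:`, ideally followed by a usage line on stderr. The field extraction `[i for i in dns if i.startswith('name=')][0]` likewise raises IndexError on any record lacking a `name=`/`address=`/`cname=` token, and `line.split(' ')` breaks on RouterOS values that contain spaces (quoted `comment=` fields, for example), so one malformed export line takes the whole run down rather than being reported with its line number. Because the values are interpolated verbatim into a Nix expression (`f' "{name}" = "{address}";'`), a name or address containing `"` or `${` would also change the structure of the generated file; validating names against a hostname pattern and addresses with `ipaddress.ip_address()` before emitting them keeps the output well-formed. Style: the module has no docstring saying what input it expects (presumably a RouterOS static DNS table export, given the `name=`/`type=CNAME`/`disabled=yes` tokens it keys on) and uses camelCase locals (`tableFilename`, `aRecordsList`) where PEP 8 expects snake_case; the file also ends without a trailing newline.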