change dns services on vps

Dmitriy Kholkin 2023-11-11 03:15:32 +03:00
parent d24716ff1a
commit b7ccdc3951


@ -16,11 +16,11 @@ in {
networking.firewall = { networking.firewall = {
interfaces.${wgIfname} = { interfaces.${wgIfname} = {
allowedTCPPorts = [ allowedTCPPorts = [
config.services.blocky.settings.port config.services.blocky.settings.ports.dns
config.services.grafana.settings.server.http_port config.services.grafana.settings.server.http_port
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
config.services.blocky.settings.port config.services.blocky.settings.ports.dns
]; ];
}; };
}; };
@ -121,12 +121,23 @@ in {
settings = { settings = {
upstream.default = [ "127.0.0.1:553" "[::1]:553" ]; upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
upstreamTimeout = "10s"; upstreamTimeout = "10s";
bootstrapDns = [{ upstream = "9.9.9.9"; }]; bootstrapDns = [{
upstream = "https://dns.quad9.net/dns-query";
ips = [ "9.9.9.9" "149.112.112.112" ];
}];
blocking = { blocking = {
blackLists.ads = [ blackLists = {
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ads = [
]; "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
clientGroupsBlock.default = [ "ads" ]; "https://github.com/RPiList/specials/raw/master/Blocklisten/malware"
];
telemetry = [
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
"https://github.com/RPiList/specials/raw/master/Blocklisten/MS-Office-Telemetry"
"https://github.com/RPiList/specials/raw/master/Blocklisten/Win10Telemetry"
];
};
clientGroupsBlock.default = [ "ads" "telemetry" ];
}; };
# disable caching (use unbound) # disable caching (use unbound)
caching = { caching = {
@ -135,8 +146,10 @@ in {
cacheTimeNegative = -1; cacheTimeNegative = -1;
prefetching = false; prefetching = false;
}; };
port = 53; ports = {
httpPort = "127.0.0.1:4000"; dns = 53;
http = "127.0.0.1:4000";
};
prometheus.enable = true; prometheus.enable = true;
queryLog = { queryLog = {
type = "console"; type = "console";
@ -151,7 +164,7 @@ in {
scrapeConfigs = [{ scrapeConfigs = [{
job_name = "blocky"; job_name = "blocky";
static_configs = [{ static_configs = [{
targets = [ config.services.blocky.settings.httpPort ]; targets = [ config.services.blocky.settings.ports.http ];
}]; }];
}]; }];
}; };
@ -160,9 +173,12 @@ in {
settings = { settings = {
analytics.reporting_enabled = false; analytics.reporting_enabled = false;
server = { server = {
domain = "${wg.IPv4.address}"; # domain = "${wg.IPv4.address}";
http_addr = "${wg.IPv4.address}"; # http_addr = "${wg.IPv4.address}";
enable_gzip = true; enable_gzip = true;
domain = "localhost";
http_addr = "127.0.0.1";
http_port = 3000;
}; };
# Grafana can be accessed only through wireguard, so it's secure enough # Grafana can be accessed only through wireguard, so it's secure enough
security = { security = {
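Review bot: The last hunk rebinds Grafana to loopback (`http_addr = "127.0.0.1";`), but the first hunk still lists `config.services.grafana.settings.server.http_port` in `allowedTCPPorts` for the WireGuard interface, so that rule now opens a port nothing listens on there. The unchanged comment `# Grafana can be accessed only through wireguard, so it's secure enough` no longer describes the listener; if a reverse proxy (not visible in this diff) now fronts Grafana, the settings in the `security` block that follows should be justified against that proxy's exposure, not the tunnel's. I would drop the Grafana entry from `allowedTCPPorts` (or open the proxy's port instead), reword the comment to something like `# Grafana listens on loopback only; reached via <proxy> over wireguard`, and delete the two commented-out `# domain` / `# http_addr` lines. The `security` block continues outside the hunk.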