unbound+blocky+grafana on vps

2023-06-26 22:41:44 +03:00 · 2023-06-26 22:41:44 +03:00 · dcb0386f8e
commit dcb0386f8e
parent d0259fed76
6 changed files with 2067 additions and 43 deletions
--- a/machines/NixOS-VPS/default.nix
+++ b/machines/NixOS-VPS/default.nix
@ -5,10 +5,10 @@
    inputs.disko.nixosModules.disko

    ./hardware
-    ./dns.nix
    ./network.nix
    ./nix.nix
-    ./wireguard.nix
+    ./services/dns.nix
+    ./services/wireguard.nix

    customModules.devices
    customModules.users
--- a/machines/NixOS-VPS/hardware/networks.nix
+++ b/machines/NixOS-VPS/hardware/networks.nix
@ -24,11 +24,11 @@ rec {
        dns = [ "${privateIPv6Prefix}::0:53" ];
        IPv4 = {
          address = "10.100.0.1";
-          # gateway = "10.100.0.1";
+          subnet = "10.100.0.0/16";
        };
        IPv6 = {
          address = "${privateIPv6Prefix}::1";
-          # gateway = "${privateIPv6Prefix}::1";
+          subnet = "${privateIPv6Prefix}::0/64";
        };
      };
    };
--- a/machines/NixOS-VPS/network.nix
+++ b/machines/NixOS-VPS/network.nix
@ -19,13 +19,13 @@ in {
      "10-wan" = {
        matchConfig.Name = ifname;
        linkConfig.RequiredForOnline = "enslaved";
-        networkConfig.Bridge = brIfname;
+        networkConfig.Bridge = bridgeName;
        networkConfig.DHCP = "no";
        networkConfig.LinkLocalAddressing = "no";
        networkConfig.IPv6AcceptRA = false;
      };
-      "20-${brIfname}" = {
-        matchConfig.Name = brIfname;
+      "20-${bridgeName}" = {
+        matchConfig.Name = bridgeName;
        address = [
          IPv4.address IPv6.address
          "192.168.0.1/24" "fc00::1/64"
@ -54,10 +54,10 @@ in {
      };
    };
    netdevs = {
-      "20-${brIfname}" = {
+      "20-${bridgeName}" = {
        netdevConfig = {
          Kind = "bridge";
-          Name = brIfname;
+          Name = bridgeName;
          MACAddress = "e6:95:b5:a6:28:c0";
        };
      };
--- a/machines/NixOS-VPS/services/dns.nix
+++ b/machines/NixOS-VPS/services/dns.nix
@ -1,9 +1,12 @@
 { config, lib, pkgs, ... }:
 let
-  inherit (import ./hardware/networks.nix) interfaces;
-  wgIfname = interfaces.wireguard0.ifname;
+  inherit (import ../hardware/networks.nix) interfaces;
+  wg = interfaces.wireguard0;
+  wgIfname = wg.ifname;
  brIfname = interfaces.main'.bridgeName;
 in {
+  # For debugging purposes
+  environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
  services.resolved.extraConfig = ''
    DNSStubListener=off
  '';
@ -11,29 +14,17 @@ in {
  systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";

  networking.firewall = {
-    allowedTCPPorts = [ 53 ];
-    allowedUDPPorts = [ 53 ];
-  };
-
-  environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
-  services.blocky = {
-    enable = true;
-    settings = {
-      upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
-      upstreamTimeout = "10s";
-      bootstrapDns = [{ upstream = "9.9.9.9"; }];
-      blocking = {
-        blackLists.ads = [
-          "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
-        ];
-        clientGroupsBlock.default = [ "ads" ];
-      };
-      port = 53;
-      queryLog = {
-        type = "console";
-      };
+    interfaces.${wgIfname} = {
+      allowedTCPPorts = [
+        config.services.blocky.settings.port
+        config.services.grafana.settings.server.http_port
+      ];
+      allowedUDPPorts = [
+        config.services.blocky.settings.port
+      ];
    };
  };
+
  # TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
  services.unbound = {
    enable = true;
@ -42,22 +33,22 @@ in {
        root-hints = "${config.services.unbound.stateDir}/root.hints";
        port = "553";
        interface = [
-          "127.0.0.1" "10.100.0.1"
-          "::1" "fd3a:900e:8e74:ffff::1"
+          "127.0.0.1" wg.IPv4.address
+          "::1" wg.IPv6.address
        ];
        access-control = [
          "0.0.0.0/0 refuse"
          "127.0.0.0/8 allow"
-          "10.100.0.0/16 allow"
+          "${wg.IPv4.subnet} allow"
          "::0/0 refuse"
          "::1 allow"
-          "fd3a:900e:8e74:ffff::0/64 allow"
+          "${wg.IPv4.subnet} allow"
        ];
        private-address = [
          "127.0.0.0/8"
-          "10.100.0.0/16"
+          "${wg.IPv4.subnet}"
          "::1"
-          "fd3a:900e:8e74:ffff::0/64"
+          "${wg.IPv4.subnet}"
        ];
 	      hide-version = "yes";
        aggressive-nsec = "yes";
@ -100,4 +91,98 @@ in {
    serviceConfig.Type = "oneshot";
    startAt = "1 0 1 */1 *";
  };
+  # Blocky + prometheus + grafana
+  services.blocky = {
+    enable = true;
+    settings = {
+      upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
+      upstreamTimeout = "10s";
+      bootstrapDns = [{ upstream = "9.9.9.9"; }];
+      blocking = {
+        blackLists.ads = [
+          "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+        ];
+        clientGroupsBlock.default = [ "ads" ];
+      };
+      # disable caching (use unbound)
+      caching = {
+        minTime = -1;
+        maxTime = -1;
+        cacheTimeNegative = -1;
+        prefetching = false;
+      };
+      port = 53;
+      httpPort = "127.0.0.1:4000";
+      prometheus.enable = true;
+      queryLog = {
+        type = "console";
+      };
+    };
+  };
+  services.prometheus = {
+    enable = true;
+    listenAddress = "127.0.0.1";
+    globalConfig.scrape_interval = "15s";
+    globalConfig.evaluation_interval = "15s";
+    scrapeConfigs = [{
+      job_name = "blocky";
+      static_configs = [{
+        targets = [ config.services.blocky.settings.httpPort ];
+      }];
+    }];
+  };
+  services.grafana = {
+    enable = true;
+    settings = {
+      analytics.reporting_enabled = false;
+      server = {
+        domain = "${wg.IPv4.address}";
+        http_addr = "${wg.IPv4.address}";
+        enable_gzip = true;
+      };
+      # Grafana can be accessed only through wireguard, so it's secure enough
+      security = {
+        admin_user = "admin";
+        admin_password = "admin";
+        # admin_password = "$__file(/var/secrets/grafana)";
+      };
+      panels.disable_sanitize_html = true;
+    };
+    provision = {
+      enable = true;
+      datasources.settings = {
+        datasources = [{
+          name = "Prometheus";
+          type = "prometheus";
+          access = "proxy";
+          orgId = 1;
+          uid = "Y4SSG429DWCGDQ3R";
+          url = "http://127.0.0.1:${toString config.services.prometheus.port}";
+          isDefault = true;
+          jsonData = {
+            graphiteVersion = "1.1";
+            tlsAuth = false;
+            tlsAuthWithCACert = false;
+          };
+          version = 1;
+          editable = true;
+        }];
+      };
+      dashboards = {
+        settings = {
+          providers = [{
+            name = "My Dashboards";
+            options.path = "/etc/grafana-dashboards";
+          }];
+        };
+      };
+    };
+  };
+  environment.etc = {
+    "grafana-dashboards/blocky_rev3.json" = {
+      source = ./grafana_blocky_rev3.json;
+      group = "grafana";
+      user = "grafana";
+    };
+  };
 }
--- a/machines/NixOS-VPS/services/grafana_blocky_rev3.json
+++ b/machines/NixOS-VPS/services/grafana_blocky_rev3.json
--- a/machines/NixOS-VPS/services/wireguard.nix
+++ b/machines/NixOS-VPS/services/wireguard.nix
@ -1,8 +1,7 @@
 { config, lib, pkgs, ... }:
 let
-  inherit (import ./hardware/networks.nix) interfaces wireguardPort wireguardPeers;
+  inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
  wireguardIFName = interfaces.wireguard0.ifname;
-  ataraxiaPeerAddresses = with wireguardPeers.ataraxia; [ "${IPv4}/32" "${IPv6}/128" ];
 in {
  environment.systemPackages = [ pkgs.wireguard-tools ];

@ -21,9 +20,6 @@ in {
        "${IPv4.address}/16"
        "${IPv6.address}/64"
      ];
-      linkConfig = {
-        MTUBytes = "1360";
-      };
      DHCP = "no";
      networkConfig = {
        IPForward = true;