AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

unbound+blocky+grafana on vps

Browse Source
This commit is contained in:
Dmitriy Kholkin 2023-06-26 22:41:44 +03:00
parent d0259fed76
commit dcb0386f8e
6 changed files with 2067 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
machines/NixOS-VPS/default.nix
View File

@ -5,10 +5,10 @@
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
./hardware ./hardware
./dns.nix
./network.nix ./network.nix
./nix.nix ./nix.nix
./wireguard.nix ./services/dns.nix
./services/wireguard.nix
customModules.devices customModules.devices
customModules.users customModules.users

4
machines/NixOS-VPS/hardware/networks.nix
View File

@ -24,11 +24,11 @@ rec {
dns = [ "${privateIPv6Prefix}::0:53" ]; dns = [ "${privateIPv6Prefix}::0:53" ];
IPv4 = { IPv4 = {
address = "10.100.0.1"; address = "10.100.0.1";
# gateway = "10.100.0.1"; subnet = "10.100.0.0/16";
}; };
IPv6 = { IPv6 = {
address = "${privateIPv6Prefix}::1"; address = "${privateIPv6Prefix}::1";
# gateway = "${privateIPv6Prefix}::1"; subnet = "${privateIPv6Prefix}::0/64";
}; };
}; };
}; };

10
machines/NixOS-VPS/network.nix
View File

@ -19,13 +19,13 @@ in {
"10-wan" = { "10-wan" = {
matchConfig.Name = ifname; matchConfig.Name = ifname;
linkConfig.RequiredForOnline = "enslaved"; linkConfig.RequiredForOnline = "enslaved";
networkConfig.Bridge = brIfname; networkConfig.Bridge = bridgeName;
networkConfig.DHCP = "no"; networkConfig.DHCP = "no";
networkConfig.LinkLocalAddressing = "no"; networkConfig.LinkLocalAddressing = "no";
networkConfig.IPv6AcceptRA = false; networkConfig.IPv6AcceptRA = false;
}; };
"20-${brIfname}" = { "20-${bridgeName}" = {
matchConfig.Name = brIfname; matchConfig.Name = bridgeName;
address = [ address = [
IPv4.address IPv6.address IPv4.address IPv6.address
"192.168.0.1/24" "fc00::1/64" "192.168.0.1/24" "fc00::1/64"
@ -54,10 +54,10 @@ in {
}; };
}; };
netdevs = { netdevs = {
"20-${brIfname}" = { "20-${bridgeName}" = {
netdevConfig = { netdevConfig = {
Kind = "bridge"; Kind = "bridge";
Name = brIfname; Name = bridgeName;
MACAddress = "e6:95:b5:a6:28:c0"; MACAddress = "e6:95:b5:a6:28:c0";
}; };
}; };

143
machines/NixOS-VPS/dns.nix → machines/NixOS-VPS/services/dns.nix
View File

@ -1,9 +1,12 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (import ./hardware/networks.nix) interfaces; inherit (import ../hardware/networks.nix) interfaces;
wgIfname = interfaces.wireguard0.ifname; wg = interfaces.wireguard0;
wgIfname = wg.ifname;
brIfname = interfaces.main'.bridgeName; brIfname = interfaces.main'.bridgeName;
in { in {
# For debugging purposes
environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
services.resolved.extraConfig = '' services.resolved.extraConfig = ''
DNSStubListener=off DNSStubListener=off
''; '';
@ -11,29 +14,17 @@ in {
systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1"; systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 53 ]; interfaces.${wgIfname} = {
allowedUDPPorts = [ 53 ]; allowedTCPPorts = [
}; config.services.blocky.settings.port
config.services.grafana.settings.server.http_port
environment.systemPackages = with pkgs; [ tcpdump dnsutils ]; ];
services.blocky = { allowedUDPPorts = [
enable = true; config.services.blocky.settings.port
settings = { ];
upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
upstreamTimeout = "10s";
bootstrapDns = [{ upstream = "9.9.9.9"; }];
blocking = {
blackLists.ads = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
];
clientGroupsBlock.default = [ "ads" ];
};
port = 53;
queryLog = {
type = "console";
};
}; };
}; };
# TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html) # TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
services.unbound = { services.unbound = {
enable = true; enable = true;
@ -42,22 +33,22 @@ in {
root-hints = "${config.services.unbound.stateDir}/root.hints"; root-hints = "${config.services.unbound.stateDir}/root.hints";
port = "553"; port = "553";
interface = [ interface = [
"127.0.0.1" "10.100.0.1" "127.0.0.1" wg.IPv4.address
"::1" "fd3a:900e:8e74:ffff::1" "::1" wg.IPv6.address
]; ];
access-control = [ access-control = [
"0.0.0.0/0 refuse" "0.0.0.0/0 refuse"
"127.0.0.0/8 allow" "127.0.0.0/8 allow"
"10.100.0.0/16 allow" "${wg.IPv4.subnet} allow"
"::0/0 refuse" "::0/0 refuse"
"::1 allow" "::1 allow"
"fd3a:900e:8e74:ffff::0/64 allow" "${wg.IPv4.subnet} allow"
]; ];
private-address = [ private-address = [
"127.0.0.0/8" "127.0.0.0/8"
"10.100.0.0/16" "${wg.IPv4.subnet}"
"::1" "::1"
"fd3a:900e:8e74:ffff::0/64" "${wg.IPv4.subnet}"
]; ];
hide-version = "yes"; hide-version = "yes";
aggressive-nsec = "yes"; aggressive-nsec = "yes";
@ -100,4 +91,98 @@ in {
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
startAt = "1 0 1 */1 *"; startAt = "1 0 1 */1 *";
}; };
# Blocky + prometheus + grafana
services.blocky = {
enable = true;
settings = {
upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
upstreamTimeout = "10s";
bootstrapDns = [{ upstream = "9.9.9.9"; }];
blocking = {
blackLists.ads = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
];
clientGroupsBlock.default = [ "ads" ];
};
# disable caching (use unbound)
caching = {
minTime = -1;
maxTime = -1;
cacheTimeNegative = -1;
prefetching = false;
};
port = 53;
httpPort = "127.0.0.1:4000";
prometheus.enable = true;
queryLog = {
type = "console";
};
};
};
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
globalConfig.scrape_interval = "15s";
globalConfig.evaluation_interval = "15s";
scrapeConfigs = [{
job_name = "blocky";
static_configs = [{
targets = [ config.services.blocky.settings.httpPort ];
}];
}];
};
services.grafana = {
enable = true;
settings = {
analytics.reporting_enabled = false;
server = {
domain = "${wg.IPv4.address}";
http_addr = "${wg.IPv4.address}";
enable_gzip = true;
};
# Grafana can be accessed only through wireguard, so it's secure enough
security = {
admin_user = "admin";
admin_password = "admin";
# admin_password = "$__file(/var/secrets/grafana)";
};
panels.disable_sanitize_html = true;
};
provision = {
enable = true;
datasources.settings = {
datasources = [{
name = "Prometheus";
type = "prometheus";
access = "proxy";
orgId = 1;
uid = "Y4SSG429DWCGDQ3R";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
jsonData = {
graphiteVersion = "1.1";
tlsAuth = false;
tlsAuthWithCACert = false;
};
version = 1;
editable = true;
}];
};
dashboards = {
settings = {
providers = [{
name = "My Dashboards";
options.path = "/etc/grafana-dashboards";
}];
};
};
};
};
environment.etc = {
"grafana-dashboards/blocky_rev3.json" = {
source = ./grafana_blocky_rev3.json;
group = "grafana";
user = "grafana";
};
};
} }

1943
machines/NixOS-VPS/services/grafana_blocky_rev3.json Normal file
View File

File diff suppressed because it is too large Load Diff

6
machines/NixOS-VPS/wireguard.nix → machines/NixOS-VPS/services/wireguard.nix
View File

@ -1,8 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (import ./hardware/networks.nix) interfaces wireguardPort wireguardPeers; inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
wireguardIFName = interfaces.wireguard0.ifname; wireguardIFName = interfaces.wireguard0.ifname;
ataraxiaPeerAddresses = with wireguardPeers.ataraxia; [ "${IPv4}/32" "${IPv6}/128" ];
in { in {
environment.systemPackages = [ pkgs.wireguard-tools ]; environment.systemPackages = [ pkgs.wireguard-tools ];
@ -21,9 +20,6 @@ in {
"${IPv4.address}/16" "${IPv4.address}/16"
"${IPv6.address}/64" "${IPv6.address}/64"
]; ];
linkConfig = {
MTUBytes = "1360";
};
DHCP = "no"; DHCP = "no";
networkConfig = { networkConfig = {
IPForward = true; IPForward = true;