nixos-config/profiles/servers/blocky.nix

{ config, pkgs, lib, ... }: {

  containers.blocky = {
    # extraFlags = [ "-U" ];
    autoStart = true;
    ephemeral = true;
    privateNetwork = true;
    hostBridge = "br0";
    localAddress = "192.168.0.5/24";
    tmpfs = [ "/" ];
    config = { config, pkgs, ... }: {
      networking = {
        defaultGateway = "192.168.0.1";
        hostName = "blocky-node";
        nameservers = [ "127.0.0.1" ];
        enableIPv6 = false;
        useHostResolvConf = false;
        firewall = {
          enable = true;
          allowedTCPPorts = [
            953
            # config.services.prometheus.port
            config.services.blocky.settings.port
            # config.services.blocky.settings.httpPort
            # config.services.grafana.settings.server.http_port
          ];
          allowedUDPPorts = [ 53 ];
          rejectPackets = false;
        };
      };
      services.blocky = {
        enable = true;
        settings = {
          upstream.default = [ "127.0.0.1:953" ];
          upstreamTimeout = "10s";
          blocking = {
            blackLists.ads = [
              "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
            ];
            clientGroupsBlock.default = [ "ads" ];
          };
          port = 53;
          httpPort = 4000;
          # httpPort = 8080;
          # httpsPort = 8443;
          # customDNS = {
          #   # customTTL = "1h";
          #   # filterUnmappedTypes = "true";
          #   mapping = {
          #     "code.ataraxiadev.com" = "192.168.0.10";
          #   };
          # };
          queryLog = {
            type = "console";
          };
          prometheus.enable = true;
        };
      };
      services.prometheus = {
        # enable = true;
        port = 9090;
        listenAddress = "0.0.0.0";
        globalConfig = {
          scrape_interval = "15s";
          evaluation_interval = "15s";
        };
        scrapeConfigs = [{
          job_name = "blocky";
          static_configs = [{
            targets = [ "127.0.0.1:${toString config.services.blocky.settings.httpPort}" ];
          }];
        }];
      };
      services.grafana = {
        # enable = true;
        settings = {
          analytics.reporting_enabled = false;
          server = {
            http_port = 3000;
            http_addr = "0.0.0.0";
            enable_gzip = true;
          };
          security = {
            admin_user = "admin";
            admin_password = "admin";
            # admin_password = "$__file(/var/secrets/grafana)";
          };
        };
        provision.enable = true;
        provision.datasources.settings = {
          apiVersion = 1;
          datasources = [{
            name = "Prometheus";
            type = "prometheus";
            access = "proxy";
            orgId = 1;
            url = "127.0.0.1:${toString config.services.prometheus.port}";
            isDefault = true;
            jsonData = {
              graphiteVersion = "1.1";
              tlsAuth = false;
              tlsAuthWithCACert = false;
            };
            version = 1;
            editable = true;
          }];
          deleteDatasources = [{
            name = "Prometheus";
            orgId = 1;
          }];
        };
      };
      services.dnscrypt-proxy2 = {
        enable = true;
        settings = {
          listen_addresses = [ "0.0.0.0:953" ];
          ipv6_servers = false;
          doh_servers = false;
          require_dnssec = true;
          require_nolog = true;
          require_nofilter = true;
          block_ipv6 = true;
          bootstrap_resolvers = [ "9.9.9.9:53" "9.9.9.11:53" ];
          sources = {
            public-resolvers = {
              urls = [
                "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
                "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
              ];
              cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
              minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
            };
          };
        };
      };
      system.stateVersion = "23.05";
    };
  };
}