SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-22 23:29:08 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

blocking-nameserver: Init

Browse source
This commit is contained in:
SebastianStork 2026-03-17 17:59:52 +01:00
parent cd95e0dce3
commit 2cdfec2086
Signed by: SebastianStork
SSH key fingerprint: SHA256:tRrGdjYOwgHxpSc/wTOZQZEjxcb15P0tyXRsbAfd+2Q
2 changed files with 106 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

95
modules/nixos/services/nameservers/blocking.nix Normal file
View file

@ -0,0 +1,95 @@
{
config,
lib,
allHosts,
...
}:
let
cfg = config.custom.services.blocking-nameserver;
netCfg = config.custom.networking;
recursiveNameservers =
allHosts
|> lib.attrValues
|> lib.filter (host: host.config.custom.services.recursive-nameserver.enable)
|> lib.map (
host:
"${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.recursive-nameserver.port}"
);
in
{
options.custom.services.blocking-nameserver = {
enable = lib.mkEnableOption "";
port = lib.mkOption {
type = lib.types.port;
default = 53;
};
gui = {
domain = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
port = lib.mkOption {
type = lib.types.port;
default = 58479;
};
};
};
config = lib.mkIf cfg.enable {
services = {
adguardhome = {
enable = true;
mutableSettings = false;
host = "127.0.0.1";
inherit (cfg.gui) port;
settings = {
dns = {
bind_hosts = [ netCfg.overlay.address ];
inherit (cfg) port;
upstream_dns =
if (recursiveNameservers != [ ]) then recursiveNameservers else [ "9.9.9.9#dns.quad9.net" ];
upstream_mode = "parallel";
bootstrap_dns = [
"1.1.1.1"
"8.8.8.8"
];
};
filtering = {
protection_enabled = true;
filtering_enabled = true;
};
filters = lib.singleton {
enabled = true;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
};
};
};
nebula.networks.mesh.firewall.inbound = lib.singleton {
inherit (cfg) port;
proto = "any";
host = "any";
};
};
systemd.services.adguardhome = {
enableStrictShellChecks = false;
requires = [ netCfg.overlay.systemdUnit ];
after = [ netCfg.overlay.systemdUnit ];
};
custom = {
services.caddy.virtualHosts.${cfg.gui.domain}.port = lib.mkIf (cfg.gui.domain != null) cfg.gui.port;
meta.sites.${cfg.gui.domain} = lib.mkIf (cfg.gui.domain != null) {
title = "Adguard Home";
icon = "sh:adguard-home";
};
};
};
}

32
modules/nixos/services/nameservers/recursive.nix
View file

@ -1,7 +1,5 @@
{ {
config, config,
inputs,
pkgs,
lib, lib,
allHosts, allHosts,
... ...
@ -10,27 +8,21 @@ let
cfg = config.custom.services.recursive-nameserver; cfg = config.custom.services.recursive-nameserver;
netCfg = config.custom.networking; netCfg = config.custom.networking;
blocklist =
pkgs.runCommand "blocklist.conf" { } ''
echo "server:" > $out
cat ${inputs.blocklist}/hosts \
| grep '^0.0.0.0 ' \
| awk '$2 != "0.0.0.0" {print " local-zone: \"" $2 "\" refuse"}' \
>> $out
''
|> toString;
privateNameservers = privateNameservers =
allHosts allHosts
|> lib.attrValues |> lib.attrValues
|> lib.filter (host: host.config.custom.services.private-nameserver.enable); |> lib.filter (host: host.config.custom.services.private-nameserver.enable)
|> lib.map (
host:
"${host.config.custom.networking.overlay.address}@${toString host.config.custom.services.private-nameserver.port}"
);
in in
{ {
options.custom.services.recursive-nameserver = { options.custom.services.recursive-nameserver = {
enable = lib.mkEnableOption ""; enable = lib.mkEnableOption "";
port = lib.mkOption { port = lib.mkOption {
type = lib.types.port; type = lib.types.port;
default = 53; default = 5336;
}; };
blockAds = lib.mkEnableOption ""; blockAds = lib.mkEnableOption "";
}; };
@ -41,14 +33,11 @@ in
services = { services = {
unbound = { unbound = {
enable = true; enable = true;
settings = { settings.server = {
server = {
interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ]; interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
access-control = [ "${toString netCfg.overlay.networkCidr} allow" ]; access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
prefetch = true; prefetch = true;
}; };
include-toplevel = lib.mkIf cfg.blockAds blocklist;
};
}; };
nebula.networks.mesh.firewall.inbound = lib.singleton { nebula.networks.mesh.firewall.inbound = lib.singleton {
@ -73,12 +62,7 @@ in
stub-zone = lib.singleton { stub-zone = lib.singleton {
name = netCfg.overlay.domain; name = netCfg.overlay.domain;
stub-addr = stub-addr = privateNameservers;
privateNameservers
|> lib.map (
host:
"${host.config.custom.networking.overlay.address}@${toString host.config.custom.services.private-nameserver.port}"
);
}; };
}; };
}) })