diff --git a/hosts/srv-core/configuration.nix b/hosts/srv-core/configuration.nix
index e912bac..5bdf6fe 100644
--- a/hosts/srv-core/configuration.nix
+++ b/hosts/srv-core/configuration.nix
@@ -17,11 +17,10 @@
 };
 services = {
- blocking-nameserver = {
+ recursive-nameserver = {
 enable = true;
- gui.domain = "adguard.${config.custom.networking.overlay.fqdn}";
+ blockAds = true;
 };
- recursive-nameserver.enable = true;
 private-nameserver.enable = true;
 syncthing = {
diff --git a/hosts/vps-ns/configuration.nix b/hosts/vps-ns/configuration.nix
index d19b173..98d0660 100644
--- a/hosts/vps-ns/configuration.nix
+++ b/hosts/vps-ns/configuration.nix
@@ -1,4 +1,4 @@
-{ config, self, ... }:
+{ self, ... }:
 {
 imports = [ self.nixosModules.server-profile ];
@@ -21,11 +21,10 @@
 };
 services = {
- blocking-nameserver = {
+ recursive-nameserver = {
 enable = true;
- gui.domain = "adguard.${config.custom.networking.overlay.fqdn}";
+ blockAds = true;
 };
- recursive-nameserver.enable = true;
 private-nameserver.enable = true;
 public-nameserver = {
 enable = true;
diff --git a/modules/nixos/networking/overlay.nix b/modules/nixos/networking/overlay.nix
index d2166a6..007e012 100644
--- a/modules/nixos/networking/overlay.nix
+++ b/modules/nixos/networking/overlay.nix
@@ -6,24 +6,6 @@
 }:
 let
 cfg = config.custom.networking.overlay;
-
- blocking-nameservers =
- allHosts
- |> lib.attrValues
- |> lib.filter (host: host.config.custom.services.blocking-nameserver.enable)
- |> lib.map (
- host:
- "${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.blocking-nameserver.port}"
- );
-
- recursive-nameservers =
- allHosts
- |> lib.attrValues
- |> lib.filter (host: host.config.custom.services.recursive-nameserver.enable)
- |> lib.map (
- host:
- "${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.recursive-nameserver.port}"
- );
 in
 {
 options.custom.networking.overlay = {
@@ -78,7 +60,14 @@ in
 dnsServers = lib.mkOption {
 type = lib.types.listOf lib.types.nonEmptyStr;
- default = if (blocking-nameservers != [ ]) then blocking-nameservers else recursive-nameservers;
+ default =
+ allHosts
+ |> lib.attrValues
+ |> lib.filter (host: host.config.custom.services.recursive-nameserver.enable)
+ |> lib.map (
+ host:
+ "${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.recursive-nameserver.port}"
+ );
 };
 implementation = lib.mkOption {
diff --git a/modules/nixos/services/nameservers/blocking.nix b/modules/nixos/services/nameservers/blocking.nix
deleted file mode 100644
index 2686bdc..0000000
--- a/modules/nixos/services/nameservers/blocking.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-{
- config,
- lib,
- allHosts,
- ...
-}:
-let
- cfg = config.custom.services.blocking-nameserver;
- netCfg = config.custom.networking;
-
- recursiveNameservers =
- allHosts
- |> lib.attrValues
- |> lib.filter (host: host.config.custom.services.recursive-nameserver.enable)
- |> lib.map (
- host:
- "${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.recursive-nameserver.port}"
- );
-in
-{
- options.custom.services.blocking-nameserver = {
- enable = lib.mkEnableOption "";
- port = lib.mkOption {
- type = lib.types.port;
- default = 53;
- };
- gui = {
- domain = lib.mkOption {
- type = lib.types.nonEmptyStr;
- default = "";
- };
- port = lib.mkOption {
- type = lib.types.port;
- default = 58479;
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- services = {
- adguardhome = {
- enable = true;
- mutableSettings = false;
-
- host = "127.0.0.1";
- inherit (cfg.gui) port;
-
- settings = {
- dns = {
- bind_hosts = [ netCfg.overlay.address ];
- inherit (cfg) port;
-
- upstream_dns =
- if (recursiveNameservers != [ ]) then recursiveNameservers else [ "9.9.9.9#dns.quad9.net" ];
- upstream_mode = "parallel";
- bootstrap_dns = [
- "1.1.1.1"
- "8.8.8.8"
- ];
- };
-
- filtering = {
- protection_enabled = true;
- filtering_enabled = true;
- };
- filters = lib.singleton {
- enabled = true;
- url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
- };
- };
- };
-
- nebula.networks.mesh.firewall.inbound = lib.singleton {
- inherit (cfg) port;
- proto = "any";
- host = "any";
- };
- };
-
- systemd.services.adguardhome = {
- enableStrictShellChecks = false;
- requires = [ netCfg.overlay.systemdUnit ];
- after = [ netCfg.overlay.systemdUnit ];
- };
-
- custom = {
- services.caddy.virtualHosts.${cfg.gui.domain}.port = lib.mkIf (cfg.gui.domain != null) cfg.gui.port;
-
- meta.sites.${cfg.gui.domain} = lib.mkIf (cfg.gui.domain != null) {
- title = "Adguard Home";
- icon = "sh:adguard-home";
- };
- };
- };
-}
diff --git a/modules/nixos/services/nameservers/recursive.nix b/modules/nixos/services/nameservers/recursive.nix
index 5ce0e40..894c2e1 100644
--- a/modules/nixos/services/nameservers/recursive.nix
+++ b/modules/nixos/services/nameservers/recursive.nix
@@ -1,5 +1,7 @@
 {
 config,
+ inputs,
+ pkgs,
 lib,
 allHosts,
 ...
@@ -8,21 +10,27 @@ let
 cfg = config.custom.services.recursive-nameserver;
 netCfg = config.custom.networking;
+ blocklist =
+ pkgs.runCommand "blocklist.conf" { } ''
+ echo "server:" > $out
+ cat ${inputs.blocklist}/hosts \
+ | grep '^0.0.0.0 ' \
+ | awk '$2 != "0.0.0.0" {print " local-zone: \"" $2 "\" refuse"}' \
+ >> $out
+ ''
+ |> toString;
+
 privateNameservers =
 allHosts
 |> lib.attrValues
- |> lib.filter (host: host.config.custom.services.private-nameserver.enable)
- |> lib.map (
- host:
- "${host.config.custom.networking.overlay.address}@${toString host.config.custom.services.private-nameserver.port}"
- );
+ |> lib.filter (host: host.config.custom.services.private-nameserver.enable);
 in
 {
 options.custom.services.recursive-nameserver = {
 enable = lib.mkEnableOption "";
 port = lib.mkOption {
 type = lib.types.port;
- default = 5336;
+ default = 53;
 };
 blockAds = lib.mkEnableOption "";
 };
@@ -33,10 +41,13 @@ in
 services = {
 unbound = {
 enable = true;
- settings.server = {
- interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
- access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
- prefetch = true;
+ settings = {
+ server = {
+ interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
+ access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
+ prefetch = true;
+ };
+ include-toplevel = lib.mkIf cfg.blockAds blocklist;
 };
 };
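Review bot: The blocklist derivation in the `@@ -8,21 +10,27 @@` hunk writes `$2` from the hosts file straight into an unbound directive (`" local-zone: \"" $2 "\" refuse"`) without checking that it is a plain domain name, so one malformed entry containing a quote or stray punctuation yields a line unbound rejects, and because the file is pulled in via `include-toplevel` that would likely keep the whole resolver from starting for every client of this host rather than dropping a single zone. Restricting the match to well-formed names, e.g. `| awk '$2 != "0.0.0.0" && $2 ~ /^[A-Za-z0-9._-]+$/ {print " local-zone: \"" $2 "\" refuse"}' \`, keeps a bad upstream line from taking DNS down. The `grep '^0.0.0.0 '` filter also leaves the dots unescaped and misses tab-separated entries; `grep -E '^0\.0\.0\.0[[:space:]]'` is tighter. The list content presumably comes from a pinned flake input (`inputs.blocklist`), so this would surface on a lock update rather than at random, which is still worth guarding against given the blast radius.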
@@ -62,7 +73,12 @@ in
 stub-zone = lib.singleton {
 name = netCfg.overlay.domain;
- stub-addr = privateNameservers;
+ stub-addr =
+ privateNameservers
+ |> lib.map (
+ host:
+ "${host.config.custom.networking.overlay.address}@${toString host.config.custom.services.private-nameserver.port}"
+ );
 };
 };
 })
diff --git a/modules/nixos/web-services/glance.nix b/modules/nixos/web-services/glance.nix
index 0cd3a12..c184e05 100644
--- a/modules/nixos/web-services/glance.nix
+++ b/modules/nixos/web-services/glance.nix
@@ -8,33 +8,18 @@
 let
 cfg = config.custom.web-services.glance;
- perHostDomains =
- perHostSitesWidget.widgets |> lib.concatMap (widget: widget.sites) |> lib.map (site: site.domain);
+ observabilityTitles = [
+ "Alloy"
+ "Prometheus"
+ "Alertmanager"
+ ];
- perHostSitesWidget =
- allHosts
- |> lib.attrValues
- |> lib.map (host: {
- type = "monitor";
- cache = "1m";
- title = host.config.networking.hostName;
- sites =
- host.config.custom.meta.sites
- |> lib.attrValues
- |> lib.filter (site: site.domain |> lib.hasSuffix host.config.custom.networking.overlay.fqdn);
- })
- |> lib.filter ({ sites, ... }: sites != [ ])
- |> (widgets: {
- type = "split-column";
- max-columns = widgets |> lib.length;
- inherit widgets;
- });
+ hosts = allHosts |> lib.attrValues;
 applicationSitesWidget =
- allHosts
- |> lib.attrValues
+ hosts
 |> lib.concatMap (host: host.config.custom.meta.sites |> lib.attrValues)
- |> lib.filter (service: !lib.elem service.domain perHostDomains)
+ |> lib.filter (service: !lib.elem service.title observabilityTitles)
 |> lib.groupBy (
 service:
 service.domain |> self.lib.isPrivateDomain |> (isPrivate: if isPrivate then "Private" else "Public")
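Review bot: In the glance.nix `@@ -8,33 +8,18 @@` hunk the application/observability split now hinges on exact display titles (`lib.elem service.title observabilityTitles`), so a site registered under a slightly different title, or an observability service added later without this list being updated, silently lands in the application widget, and nothing visible in the hunk enforces the convention. A comment above the list would at least record the coupling, e.g. `# Sites whose meta.sites title is listed here are shown per host in the observability widget instead of under applications; keep in sync with the titles the service modules set.` A dedicated per-site attribute marking the category would make the intent explicit rather than string-matched, but that is a larger change. The enclosing `let` continues past the end of the hunk.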
@@ -53,6 +38,24 @@ let
 inherit widgets;
 });
+ observabilitySitesWidget =
+ hosts
+ |> lib.map (host: {
+ type = "monitor";
+ cache = "1m";
+ title = host.config.networking.hostName;
+ sites =
+ host.config.custom.meta.sites
+ |> lib.attrValues
+ |> lib.filter (service: lib.elem service.title observabilityTitles);
+ })
+ |> lib.filter ({ sites, ... }: sites != [ ])
+ |> (widgets: {
+ type = "split-column";
+ max-columns = widgets |> lib.length;
+ inherit widgets;
+ });
+
 githubWorkflowFiles =
 "${self}/.github/workflows"
 |> builtins.readDir
@@ -126,7 +129,7 @@ in
 autofocus = false;
 }
 applicationSitesWidget
- perHostSitesWidget
+ observabilitySitesWidget
 ];
 }
 {
diff --git a/tests/overlay/default.nix b/tests/overlay/default.nix
index a7ff7e3..5d91468 100644
--- a/tests/overlay/default.nix
+++ b/tests/overlay/default.nix
@@ -105,7 +105,7 @@
 client2.wait_for_unit("${client2NetCfg.overlay.systemdUnit}")
 lighthouse.wait_for_unit("unbound.service")
- lighthouse.wait_for_open_port(${toString nodes.lighthouse.custom.services.recursive-nameserver.port}, "${lighthouseNetCfg.overlay.address}")
+ lighthouse.wait_for_open_port(53, "${lighthouseNetCfg.overlay.address}")
 server.wait_for_unit("sshd.service")
 client2.wait_for_unit("sshd.service")
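Review bot: In the tests/overlay/default.nix hunk, `lighthouse.wait_for_open_port(53, ...)` hard-codes the value the module now defaults to, dropping the coupling to the `recursive-nameserver.port` option that the removed line had; if the default changes again or the lighthouse node overrides the port, the test waits on the wrong port and fails for an unrelated reason. The previous form `${toString nodes.lighthouse.custom.services.recursive-nameserver.port}` still evaluates to 53 with the new default, so there is no need to replace it. The test script continues on both sides of the hunk.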