SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-22 21:19:07 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: SebastianStork:c25c4341b3f1edd1e9c4f9bcdd324dd68ecb0211
Branches Tags
SebastianStork:main
SebastianStork:dependabot/github_actions/cachix/cachix-action-17
SebastianStork:deploy
SebastianStork:deployed/srv-core
SebastianStork:deployed/vps-ns
SebastianStork:deployed/vps-www
SebastianStork:testing-srv-core
..
compare: SebastianStork:cd95e0dce32b48a6e8a38497c4d3f5bccfb840bc
Branches Tags
SebastianStork:dependabot/github_actions/cachix/cachix-action-17
SebastianStork:deploy
SebastianStork:deployed/srv-core
SebastianStork:deployed/vps-ns
SebastianStork:deployed/vps-www
SebastianStork:main
SebastianStork:testing-srv-core

No commits in common. "c25c4341b3f1edd1e9c4f9bcdd324dd68ecb0211" and "cd95e0dce32b48a6e8a38497c4d3f5bccfb840bc" have entirely different histories.
c25c4341b3 ... cd95e0dce3

7 changed files with 68 additions and 157 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/srv-core/configuration.nix
View file

@ -17,11 +17,10 @@
}; };
services = { services = {
blocking-nameserver = { recursive-nameserver = {
enable = true; enable = true;
gui.domain = "adguard.${config.custom.networking.overlay.fqdn}"; blockAds = true;
}; };
recursive-nameserver.enable = true;
private-nameserver.enable = true; private-nameserver.enable = true;
syncthing = { syncthing = {

7
hosts/vps-ns/configuration.nix
View file

@ -1,4 +1,4 @@
{ config, self, ... }: { self, ... }:
{ {
imports = [ self.nixosModules.server-profile ]; imports = [ self.nixosModules.server-profile ];
@ -21,11 +21,10 @@
}; };
services = { services = {
blocking-nameserver = { recursive-nameserver = {
enable = true; enable = true;
gui.domain = "adguard.${config.custom.networking.overlay.fqdn}"; blockAds = true;
}; };
recursive-nameserver.enable = true;
private-nameserver.enable = true; private-nameserver.enable = true;
public-nameserver = { public-nameserver = {
enable = true; enable = true;

27
modules/nixos/networking/overlay.nix
View file

@ -6,24 +6,6 @@
}: }:
let let
cfg = config.custom.networking.overlay; cfg = config.custom.networking.overlay;
blocking-nameservers =
allHosts
|> lib.attrValues
|> lib.filter (host: host.config.custom.services.blocking-nameserver.enable)
|> lib.map (
host:
"${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.blocking-nameserver.port}"
);
recursive-nameservers =
allHosts
|> lib.attrValues
|> lib.filter (host: host.config.custom.services.recursive-nameserver.enable)
|> lib.map (
host:
"${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.recursive-nameserver.port}"
);
in in
{ {
options.custom.networking.overlay = { options.custom.networking.overlay = {
@ -78,7 +60,14 @@ in
dnsServers = lib.mkOption { dnsServers = lib.mkOption {
type = lib.types.listOf lib.types.nonEmptyStr; type = lib.types.listOf lib.types.nonEmptyStr;
default = if (blocking-nameservers != [ ]) then blocking-nameservers else recursive-nameservers; default =
allHosts
|> lib.attrValues
|> lib.filter (host: host.config.custom.services.recursive-nameserver.enable)
|> lib.map (
host:
"${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.recursive-nameserver.port}"
);
}; };
implementation = lib.mkOption { implementation = lib.mkOption {

95
modules/nixos/services/nameservers/blocking.nix
View file

@ -1,95 +0,0 @@
{
config,
lib,
allHosts,
...
}:
let
cfg = config.custom.services.blocking-nameserver;
netCfg = config.custom.networking;
recursiveNameservers =
allHosts
|> lib.attrValues
|> lib.filter (host: host.config.custom.services.recursive-nameserver.enable)
|> lib.map (
host:
"${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.recursive-nameserver.port}"
);
in
{
options.custom.services.blocking-nameserver = {
enable = lib.mkEnableOption "";
port = lib.mkOption {
type = lib.types.port;
default = 53;
};
gui = {
domain = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
};
port = lib.mkOption {
type = lib.types.port;
default = 58479;
};
};
};
config = lib.mkIf cfg.enable {
services = {
adguardhome = {
enable = true;
mutableSettings = false;
host = "127.0.0.1";
inherit (cfg.gui) port;
settings = {
dns = {
bind_hosts = [ netCfg.overlay.address ];
inherit (cfg) port;
upstream_dns =
if (recursiveNameservers != [ ]) then recursiveNameservers else [ "9.9.9.9#dns.quad9.net" ];
upstream_mode = "parallel";
bootstrap_dns = [
"1.1.1.1"
"8.8.8.8"
];
};
filtering = {
protection_enabled = true;
filtering_enabled = true;
};
filters = lib.singleton {
enabled = true;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
};
};
};
nebula.networks.mesh.firewall.inbound = lib.singleton {
inherit (cfg) port;
proto = "any";
host = "any";
};
};
systemd.services.adguardhome = {
enableStrictShellChecks = false;
requires = [ netCfg.overlay.systemdUnit ];
after = [ netCfg.overlay.systemdUnit ];
};
custom = {
services.caddy.virtualHosts.${cfg.gui.domain}.port = lib.mkIf (cfg.gui.domain != null) cfg.gui.port;
meta.sites.${cfg.gui.domain} = lib.mkIf (cfg.gui.domain != null) {
title = "Adguard Home";
icon = "sh:adguard-home";
};
};
};
}

32
modules/nixos/services/nameservers/recursive.nix
View file

@ -1,5 +1,7 @@
{ {
config, config,
inputs,
pkgs,
lib, lib,
allHosts, allHosts,
... ...
@ -8,21 +10,27 @@ let
cfg = config.custom.services.recursive-nameserver; cfg = config.custom.services.recursive-nameserver;
netCfg = config.custom.networking; netCfg = config.custom.networking;
blocklist =
pkgs.runCommand "blocklist.conf" { } ''
echo "server:" > $out
cat ${inputs.blocklist}/hosts \
| grep '^0.0.0.0 ' \
| awk '$2 != "0.0.0.0" {print " local-zone: \"" $2 "\" refuse"}' \
>> $out
''
|> toString;
privateNameservers = privateNameservers =
allHosts allHosts
|> lib.attrValues |> lib.attrValues
|> lib.filter (host: host.config.custom.services.private-nameserver.enable) |> lib.filter (host: host.config.custom.services.private-nameserver.enable);
|> lib.map (
host:
"${host.config.custom.networking.overlay.address}@${toString host.config.custom.services.private-nameserver.port}"
);
in in
{ {
options.custom.services.recursive-nameserver = { options.custom.services.recursive-nameserver = {
enable = lib.mkEnableOption ""; enable = lib.mkEnableOption "";
port = lib.mkOption { port = lib.mkOption {
type = lib.types.port; type = lib.types.port;
default = 5336; default = 53;
}; };
blockAds = lib.mkEnableOption ""; blockAds = lib.mkEnableOption "";
}; };
@ -33,11 +41,14 @@ in
services = { services = {
unbound = { unbound = {
enable = true; enable = true;
settings.server = { settings = {
server = {
interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ]; interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
access-control = [ "${toString netCfg.overlay.networkCidr} allow" ]; access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
prefetch = true; prefetch = true;
}; };
include-toplevel = lib.mkIf cfg.blockAds blocklist;
};
}; };
nebula.networks.mesh.firewall.inbound = lib.singleton { nebula.networks.mesh.firewall.inbound = lib.singleton {
@ -62,7 +73,12 @@ in
stub-zone = lib.singleton { stub-zone = lib.singleton {
name = netCfg.overlay.domain; name = netCfg.overlay.domain;
stub-addr = privateNameservers; stub-addr =
privateNameservers
|> lib.map (
host:
"${host.config.custom.networking.overlay.address}@${toString host.config.custom.services.private-nameserver.port}"
);
}; };
}; };
}) })

51
modules/nixos/web-services/glance.nix
View file

@ -8,33 +8,18 @@
let let
cfg = config.custom.web-services.glance; cfg = config.custom.web-services.glance;
perHostDomains = observabilityTitles = [
perHostSitesWidget.widgets |> lib.concatMap (widget: widget.sites) |> lib.map (site: site.domain); "Alloy"
"Prometheus"
"Alertmanager"
];
perHostSitesWidget = hosts = allHosts |> lib.attrValues;
allHosts
|> lib.attrValues
|> lib.map (host: {
type = "monitor";
cache = "1m";
title = host.config.networking.hostName;
sites =
host.config.custom.meta.sites
|> lib.attrValues
|> lib.filter (site: site.domain |> lib.hasSuffix host.config.custom.networking.overlay.fqdn);
})
|> lib.filter ({ sites, ... }: sites != [ ])
|> (widgets: {
type = "split-column";
max-columns = widgets |> lib.length;
inherit widgets;
});
applicationSitesWidget = applicationSitesWidget =
allHosts hosts
|> lib.attrValues
|> lib.concatMap (host: host.config.custom.meta.sites |> lib.attrValues) |> lib.concatMap (host: host.config.custom.meta.sites |> lib.attrValues)
|> lib.filter (service: !lib.elem service.domain perHostDomains) |> lib.filter (service: !lib.elem service.title observabilityTitles)
|> lib.groupBy ( |> lib.groupBy (
service: service:
service.domain |> self.lib.isPrivateDomain |> (isPrivate: if isPrivate then "Private" else "Public") service.domain |> self.lib.isPrivateDomain |> (isPrivate: if isPrivate then "Private" else "Public")
@ -53,6 +38,24 @@ let
inherit widgets; inherit widgets;
}); });
observabilitySitesWidget =
hosts
|> lib.map (host: {
type = "monitor";
cache = "1m";
title = host.config.networking.hostName;
sites =
host.config.custom.meta.sites
|> lib.attrValues
|> lib.filter (service: lib.elem service.title observabilityTitles);
})
|> lib.filter ({ sites, ... }: sites != [ ])
|> (widgets: {
type = "split-column";
max-columns = widgets |> lib.length;
inherit widgets;
});
githubWorkflowFiles = githubWorkflowFiles =
"${self}/.github/workflows" "${self}/.github/workflows"
|> builtins.readDir |> builtins.readDir
@ -126,7 +129,7 @@ in
autofocus = false; autofocus = false;
} }
applicationSitesWidget applicationSitesWidget
perHostSitesWidget observabilitySitesWidget
]; ];
} }
{ {

2
tests/overlay/default.nix
View file

@ -105,7 +105,7 @@
client2.wait_for_unit("${client2NetCfg.overlay.systemdUnit}") client2.wait_for_unit("${client2NetCfg.overlay.systemdUnit}")
lighthouse.wait_for_unit("unbound.service") lighthouse.wait_for_unit("unbound.service")
lighthouse.wait_for_open_port(${toString nodes.lighthouse.custom.services.recursive-nameserver.port}, "${lighthouseNetCfg.overlay.address}") lighthouse.wait_for_open_port(53, "${lighthouseNetCfg.overlay.address}")
server.wait_for_unit("sshd.service") server.wait_for_unit("sshd.service")
client2.wait_for_unit("sshd.service") client2.wait_for_unit("sshd.service")