diff --git a/machines/valkyrie/adguard/default.nix b/machines/valkyrie/adguard/default.nix
new file mode 100644
index 0000000..5942d1c
--- /dev/null
+++ b/machines/valkyrie/adguard/default.nix
@@ -0,0 +1,40 @@
+{ config
+, lib
+, ...
+}:
+with lib; let
+ cfg = config.eboskma.adguard;
+in
+{
+ options.eboskma.adguard = {
+ upstreams = mkOption {
+ description = "Upstream DNS servers";
+ type = types.listOf types.str;
+ example = [
+ "http://1.1.1.1"
+ "tls://1.1.1.1"
+ "1.1.1.1"
+ ];
+ };
+ };
+
+ config = {
+ services.adguardhome = {
+ enable = true;
+ openFirewall = true;
+
+ settings = {
+ dns = {
+ upstream_dns = cfg.upstreams;
+ };
+ };
+ };
+
+ # This is necessary to bind a raw socket for DHCP
+ systemd.services.adguardhome.serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];
+
+ networking.firewall = {
+ allowedUDPPorts = [ 53 67 ];
+ };
+ };
+}
diff --git a/machines/valkyrie/configuration.nix b/machines/valkyrie/configuration.nix
index 3586550..7239717 100644
--- a/machines/valkyrie/configuration.nix
+++ b/machines/valkyrie/configuration.nix
@@ -5,6 +5,9 @@
 ../../users/root
 ../../users/erwin
+
+ ./adguard
+ ./unbound
 ];
 eboskma = {
@@ -13,7 +16,6 @@
 server = true;
 };
 adguard = {
- enable = true;
 upstreams = [
 "127.0.0.1:5335"
 ];
@@ -22,7 +24,6 @@
 enable = true;
 remote-builders = true;
 };
- unbound.enable = true;
 tailscale.enable = true;
 };
@@ -48,6 +49,8 @@
 systemd.network = {
 enable = true;
+ wait-online.anyInterface = true;
+
 networks = {
 "40-eth0" = {
 matchConfig = {
diff --git a/machines/valkyrie/unbound/default.nix b/machines/valkyrie/unbound/default.nix
new file mode 100644
index 0000000..5a87e04
--- /dev/null
+++ b/machines/valkyrie/unbound/default.nix
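Review bot: The new adguard module grants `AmbientCapabilities = [ "CAP_NET_RAW" ]` and opens UDP 67 "for DHCP", but the only `settings` this hunk ships is `dns.upstream_dns`; nothing in the commit enables AdGuard Home's DHCP server, so unless it is configured out of band the service runs with a raw-socket capability and an open DHCP port it does not use. If DHCP is not in use on valkyrie, drop the `AmbientCapabilities` line and `67` from `allowedUDPPorts`, and reinstate them together with an explicit `settings.dhcp` block when it is; if it is in use, say so in the comment (e.g. `# DHCP server is enabled via the AdGuard UI/state, not declared here`) so the privilege is traceable. Separately, if I read the NixOS module right, `openFirewall = true` opens the admin web UI port on every interface (which is why 53 has to be listed by hand); with tailscale also enabled in configuration.nix it may be worth binding the UI to the LAN address only and documenting that choice.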
@@ -0,0 +1,69 @@
+{
+ services.unbound = {
+ enable = true;
+ localControlSocketPath = "/run/unbound/unbound.ctl";
+ settings = {
+ server = {
+ # Setting logfile to an empty string outputs to stderr
+ log-queries = false;
+ verbosity = 1;
+
+ port = 5335;
+ do-ip4 = true;
+ do-ip6 = true;
+ do-udp = true;
+ do-tcp = true;
+ prefer-ip6 = true;
+
+ hide-identity = true;
+ hide-version = true;
+
+ # Trust glue only if it is within the server's authority
+ harden-glue = true;
+
+ # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+ harden-dnssec-stripped = true;
+
+ harden-referral-path = true;
+
+ # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+ # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+ use-caps-for-id = false;
+
+ # Reduce EDNS reassembly buffer size.
+ # Suggested by the unbound man page to reduce fragmentation reassembly problems
+ edns-buffer-size = 1472;
+
+ # Perform prefetching of close to expired message cache entries
+ # This only applies to domains that have been frequently queried
+ prefetch = true;
+ prefetch-key = true;
+
+ # This attempts to reduce latency by serving the outdated record before
+ # updating it instead of the other way around. Alternative is to increase
+ # cache-min-ttl to e.g. 3600.
+ cache-min-ttl = 0;
+ serve-expired = true;
+
+ rrset-cache-size = "256m";
+ msg-cache-size = "128m";
+ msg-cache-slabs = 4;
+ # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+ num-threads = 2;
+
+ # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+ so-rcvbuf = "1m";
+
+ # Ensure privacy of local IP ranges
+ private-address = [
+ "192.168.0.0/16"
+ "169.254.0.0/16"
+ "172.16.0.0/12"
+ "10.0.0.0/8"
+ "fd00::/8"
+ "fe80::/10"
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/adguard/default.nix b/modules/adguard/default.nix
deleted file mode 100644
index 762483f..0000000
--- a/modules/adguard/default.nix
+++ /dev/null
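Review bot: `serve-expired = true` is set without a `serve-expired-ttl`, and as far as I recall unbound's default for that limit is 0, meaning no limit, so a record whose authoritative answer has gone away (rotated address, withdrawn name) can keep being served from cache indefinitely; RFC 8767 suggests bounding stale service to a day or so, e.g. `serve-expired-ttl = 86400;` (example value) next to `serve-expired = true;`. The comment above `num-threads = 2;` argues that one thread is sufficient and then sets two, so either change it to `num-threads = 1;` or reword the comment to say why this host wants two (`msg-cache-slabs = 4` is already sized for more than one thread). The `edns-buffer-size = 1472` comment says it reduces the buffer, but recent unbound man pages default to 1232, so the comment is probably stale; confirm against the packaged version and either adopt the default or say why 1472 is kept.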
@@ -1,364 +0,0 @@ -{ config -, lib -, ... -}: -with lib; let - cfg = config.eboskma.adguard; -in -{ - options.eboskma.adguard = { - enable = mkEnableOption "adguard"; - upstreams = mkOption { - description = "Upstream DNS servers"; - type = types.listOf types.str; - example = [ - "http://1.1.1.1" - "tls://1.1.1.1" - "1.1.1.1" - ]; - }; - }; - - config = mkIf cfg.enable { - services.adguardhome = { - enable = true; - openFirewall = true; - - settings = { }; - - # settings = { - # auth_attempts = 5; - # block_auth_min = 15; - # clients = { - # persistent = [ - # { - # name = "xiaomi-fan"; - # ids = [ "5a:b6:23:35:1c:76" ]; - # blocked_services = [ - # "9gag" - # "amazon" - # "cloudflare" - # "dailymotion" - # "discord" - # "disneyplus" - # "ebay" - # "epic_games" - # "facebook" - # "hulu" - # "imgur" - # "instagram" - # "mail_ru" - # "netflix" - # "ok" - # "origin" - # "pinterest" - # "qq" - # "reddit" - # "skype" - # "snapchat" - # "spotify" - # "steam" - # "telegram" - # "tiktok" - # "tinder" - # "twitch" - # "twitter" - # "viber" - # "vimeo" - # "vk" - # "wechat" - # "weibo" - # "whatsapp" - # "youtube" - # ]; - # filtering_enabled = true; - # ignore_querylog = false; - # ignore_statistics = false; - # parental_enabled = true; - # safe_search = { - # bing = false; - # duckduckgo = false; - # enabled = false; - # google = false; - # pixabay = false; - # yandex = false; - # youtube = false; - # }; - # safebrowsing_enabled = true; - # tags = [ "device_other" ]; - # upstreams = [ ]; - # use_global_blocked_services = false; - # use_global_settings = true; - # } - # ]; - # runtime_sources = { - # arp = true; - # dhcp = true; - # hosts = true; - # rdns = true; - # whois = true; - # }; - # }; - # debug_pprof = false; - # dhcp = { - # dhcpv4 = { - # gateway_ip = "10.0.0.1"; - # icmp_timeout_msec = 1000; - # lease_duration = 86400; - # options = [ ]; - # range_end = "10.0.0.200"; - # range_start = "10.0.0.150"; - # subnet_mask = "255.255.255.0"; - # }; - # dhcpv6 = { - # 
lease_duration = 86400; - # ra_allow_slaac = false; - # ra_slaac_only = false; - # range_start = ""; - # }; - # interface_name = "eth0"; - # enabled = true; - # local_domain_name = "lan"; - # }; - # dns = { - # aaaa_disabled = false; - # all_servers = true; - # allowed_clients = [ ]; - # anonymize_client_ip = false; - # bind_hosts = [ "0.0.0.0" ]; - # blocked_hosts = [ "version.bind" "id.server" "hostname.bind" ]; - # blocked_response_ttl = 10; - # blocked_services = [ "vk" "mail_ru" "pinterest" "tinder" "wechat" "ok" "qq" "snapchat" "weibo" "9gag" ]; - # blocking_ipv4 = ""; - # blocking_ipv6 = ""; - # blocking_mode = "default"; - # bogus_nxdomain = [ ]; - # bootstrap_dns = [ ]; - # bootstrap_prefer_ipv6 = false; - # cache_optimistic = false; - # cache_size = null; - # cache_time = 30; - # cache_ttl_max = 0; - # cache_ttl_min = 0; - # disallowed_clients = [ ]; - # dns64_prefixes = [ ]; - # edns_client_subnet = { - # custom_ip = ""; - # enabled = true; - # use_custom = false; - # }; - # enable_dnssec = true; - # fastest_addr = false; - # fastest_timeout = "1s"; - # filtering_enabled = true; - # filters_update_interval = 24; - # handle_ddr = true; - # ipset = [ ]; - # ipset_file = ""; - # local_ptr_upstreams = [ ]; - # max_goroutines = 0; - # parental_block_host = "family-block.dns.adguard.com"; - # parental_cache_size = 1048576; - # parental_enabled = false; - # port = 53; - # private_networks = [ ]; - # protection_disabled_until = null; - # protection_enabled = true; - # ratelimit = 20; - # ratelimit_whitelist = [ ]; - # refuse_any = true; - # rewrites = [ - # { - # answer = "10.0.0.254"; - # domain = "track.datarift.nl"; - # } - # { - # answer = "10.0.0.2"; - # domain = "ca.datarift.nl"; - # } - # { - # answer = "10.0.0.252"; - # domain = "pve.datarift.nl"; - # } - # { - # answer = "10.0.0.251"; - # domain = "git.datarift.nl"; - # } - # { - # answer = "10.0.0.251"; - # domain = "minio.datarift.nl"; - # } - # { - # answer = "10.0.0.251"; - # domain = 
"home.datarift.nl"; - # } - # { - # answer = "10.0.0.251"; - # domain = "drone.datarift.nl"; - # } - # { - # answer = "10.0.0.100"; - # domain = "vidz.datarift.nl"; - # } - # { - # answer = "10.0.0.4"; - # domain = "loki.datarift.nl"; - # } - # { - # answer = "10.0.0.251"; - # domain = "minio-admin.datarift.nl"; - # } - # { - # answer = "192.168.4.32"; - # domain = "vaultserver.horus.nu"; - # } - # { - # answer = "10.0.0.254"; - # domain = "mqtt.datarift.nl"; - # } - # { - # answer = "10.0.0.251"; - # domain = "frigate.datarift.nl"; - # } - # { - # answer = "192.168.4.130"; - # domain = "containers.internal.horus.nu"; - # } - # { - # answer = "192.168.4.121"; - # domain = "repohost.bedum.horus.nu"; - # } - # { - # answer = "192.168.4.150"; - # domain = "teamcity.horus.nu"; - # } - # { - # answer = "2a02:a441:c959:1:52ef:4c5d:ffac:25bc"; - # domain = "frigate.datarift.nl"; - # } - # ]; - # safe_search = { - # bing = true; - # duckduckgo = true; - # enabled = false; - # google = true; - # pixabay = true; - # yandex = true; - # youtube = true; - # }; - # safebrowsing_block_host = "standard-block.dns.adguard.com"; - # safebrowsing_cache_size = 1048576; - # safebrowsing_enabled = false; - # safesearch_cache_size = 1048576; - # serve_http3 = false; - # trusted_proxies = [ "127.0.0.0/8" "::1/128" ]; - # upstream_dns = cfg.upstreams; - # upstream_dns_file = ""; - # upstream_timeout = "10s"; - # use_dns64 = false; - # use_http3_upstreams = false; - # use_private_ptr_resolvers = true; - # }; - # filters = [ - # { - # enabled = true; - # id = 1; - # name = "AdGuard DNS filter"; - # url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; - # } - # { - # enabled = true; - # id = 2; - # name = "AdAway"; - # url = "https://adaway.org/hosts.txt"; - # } - # { - # enabled = true; - # id = 1586463155; - # name = "dbl.oisd.nl"; - # url = "https://dbl.oisd.nl/"; - # } - # ]; - # http_proxy = ""; - # language = ""; - # log_compress = false; - # log_file = ""; - # 
log_localtime = false; - # log_max_age = 3; - # log_max_backups = 0; - # log_max_size = 100; - # os = { - # group = ""; - # rlimit_nofile = 0; - # user = ""; - # }; - # querylog = { - # enabled = true; - # file_enabled = true; - # ignored = [ ]; - # interval = "168h"; - # size_memory = 1000; - # }; - # schema_version = 20; - # statistics = { - # enabled = true; - # ignored = [ ]; - # interval = "168h"; - # }; - # theme = "auto"; - # tls = { - # allow_unencrypted_doh = false; - # certificate_chain = ""; - # certificate_path = ""; - # dnscrypt_config_file = ""; - # enabled = false; - # force_https = false; - # port_dns_over_quic = 784; - # port_dns_over_tls = 853; - # port_dnscrypt = 0; - # port_https = 443; - # private_key = ""; - # private_key_path = ""; - # server_name = ""; - # strict_sni_check = false; - # }; - # user_rules = [ - # "@@||msmetrics.ws.sonos.com^$important" - # "@@||trafficdeposit.com^$important" - # "@@||omropfryslan.bbvms.com^$important" - # "@@||cdn.riverhit.com^$important" - # "@@||kpngroup.emsecure.net^$important" - # "@@||chtbl.com^$important" - # "@@||*^$client='TV'" - # "||mozilla.cloudflare-dns.com^$important" - # "||use-application-dns.net^$important" - # "@@||widget.fitanalytics.com^$important" - # "@@||cdn.bluebillywig.com^$important" - # "@@||bert.org^$important" - # "||prod-pre.fns.tunein.com^$important" - # "#||mi.com^$dnsrewrite=NOERROR;A;10.0.0.4" - # "#||xiaomi.com^$dnsrewrite=NOERROR;A;10.0.0.4" - # "@@||aa.tweakers.nl^$important" - # "@@||ab.tweakers.nl^$important" - # "||zip^" - # ]; - # users = [ - # { - # name = "erwin"; - # password = "$2b$12$bcE.EzNPhKmtDlgkej83xeAE/ADmAczt.iaElp6v4QT8DBlbVBgb."; - # } - # ]; - # verbose = false; - # web_session_ttl = 720; - # whitelist_filters = [ ]; - # }; - }; - - # This is necessary to bind a raw socket for DHCP - systemd.services.adguardhome.serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ]; - - networking.firewall = { - allowedUDPPorts = [ 53 67 ]; - }; - }; -} 
diff --git a/modules/unbound/default.nix b/modules/unbound/default.nix
deleted file mode 100644
index c6ef692..0000000
--- a/modules/unbound/default.nix
+++ /dev/null
@@ -1,78 +0,0 @@
-{ config, lib, ... }:
-with lib;
-let
- cfg = config.eboskma.unbound;
-in
-{
- options.eboskma.unbound = { enable = mkEnableOption "unbound DNS"; };
-
- config = mkIf cfg.enable {
- services.unbound = {
- enable = true;
- localControlSocketPath = "/run/unbound/unbound.ctl";
- settings = {
- server = {
- # Setting logfile to an empty string outputs to stderr
- log-queries = false;
- verbosity = 1;
-
- port = 5335;
- do-ip4 = true;
- do-ip6 = true;
- do-udp = true;
- do-tcp = true;
- prefer-ip6 = true;
-
- hide-identity = true;
- hide-version = true;
-
- # Trust glue only if it is within the server's authority
- harden-glue = true;
-
- # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
- harden-dnssec-stripped = true;
-
- harden-referral-path = true;
-
- # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
- # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
- use-caps-for-id = false;
-
- # Reduce EDNS reassembly buffer size.
- # Suggested by the unbound man page to reduce fragmentation reassembly problems
- edns-buffer-size = 1472;
-
- # Perform prefetching of close to expired message cache entries
- # This only applies to domains that have been frequently queried
- prefetch = true;
- prefetch-key = true;
-
- # This attempts to reduce latency by serving the outdated record before
- # updating it instead of the other way around. Alternative is to increase
- # cache-min-ttl to e.g. 3600.
- cache-min-ttl = 0;
- serve-expired = true;
-
- rrset-cache-size = "256m";
- msg-cache-size = "128m";
- msg-cache-slabs = 4;
- # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
- num-threads = 2;
-
- # Ensure kernel buffer is large enough to not lose messages in traffic spikes
- so-rcvbuf = "1m";
-
- # Ensure privacy of local IP ranges
- private-address = [
- "192.168.0.0/16"
- "169.254.0.0/16"
- "172.16.0.0/12"
- "10.0.0.0/8"
- "fd00::/8"
- "fe80::/10"
- ];
- };
- };
- };
- };
-}