diff --git a/hosts/rico1/services/apps/blocky.nix b/hosts/rico1/services/apps/blocky.nix
new file mode 100644
index 0000000..b46bf2a
--- /dev/null
+++ b/hosts/rico1/services/apps/blocky.nix
@@ -0,0 +1,141 @@
+{ pkgs, ... }:
+let
+ inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+ domainName = "blocky.labs.adtya.xyz";
+in
+{
+ networking = {
+ firewall = {
+ allowedTCPPorts = [
+ 53 #DNS
+ ];
+ allowedUDPPorts = [
+ 53 #DNS
+ ];
+ };
+ };
+ systemd.services.blocky.unitConfig.After = [ "network-online.target" "wireguard-wg0.service" ];
+ services = {
+ caddy = {
+ virtualHosts."${domainName}" = {
+ logFormat = logFormat domainName;
+ extraConfig = ''
+ reverse_proxy 127.0.0.1:8080
+ '';
+ };
+ };
+ blocky = {
+ enable = true;
+ settings = {
+ bootstrapDns = [ "tcp+udp:1.1.1.1" ];
+ upstreams = {
+ init.strategy = "blocking";
+ groups = {
+ default = [
+ # Cloudflare
+ "tcp+udp:1.1.1.1"
+
+ # Google
+ "tcp+udp:8.8.8.8"
+ "tcp+udp:8.8.4.4"
+
+ # Quad9
+ "tcp+udp:9.9.9.9"
+ "tcp+udp:149.112.112.112"
+ "tcp-tls:dns.quad9.net:853"
+ "https://dns.quad9.net/dns-query"
+ ];
+ };
+ strategy = "parallel_best";
+ timeout = "2s";
+ userAgent = "Praise the DNS overlords!";
+ };
+ connectIPVersion = "v4";
+ customDNS = {
+ customTTL = "1h";
+ filterUnmappedTypes = true;
+ mapping = {
+ # Local (Home Network)
+ "gateway.local.adtya.xyz" = "192.168.0.1";
+ "ap1.local.adtya.xyz" = "192.168.1.1";
+ "ap2.local.adtya.xyz" = "192.168.1.2";
+ "switch.local.adtya.xyz" = "192.168.1.3";
+ "jellyfin.local.adtya.xyz" = "192.168.1.14";
+
+ # Labs (Homelab)
+ "gateway.labs.adtya.xyz" = "10.10.10.10";
+ "ap1.labs.adtya.xyz" = "10.10.10.10";
+ "ap2.labs.adtya.xyz" = "10.10.10.10";
+ "switch.labs.adtya.xyz" = "10.10.10.10";
+ "proxy.labs.adtya.xyz" = "10.10.10.1";
+ "skipper.labs.adtya.xyz" = "10.10.10.2";
+ "rico0.labs.adtya.xyz" = "10.10.10.10";
+ "rico1.labs.adtya.xyz" = "10.10.10.11";
+ "rico2.labs.adtya.xyz" = "10.10.10.12";
+ "wynne.labs.adtya.xyz" = "10.10.10.13";
+ "layne.labs.adtya.xyz" = "10.10.10.14";
+ "alertmanager.labs.adtya.xyz" = "10.10.10.10";
+ "blocky.labs.adtya.xyz" = "10.10.10.11";
+ "frp.labs.adtya.xyz" = "10.10.10.10";
+ "grafana.labs.adtya.xyz" = "10.10.10.10";
+ "loki.labs.adtya.xyz" = "10.10.10.11";
+ "prometheus.labs.adtya.xyz" = "10.10.10.10";
+ "transmission.labs.adtya.xyz" = "10.10.10.14";
+ "jellyfin.labs.adtya.xyz" = "10.10.10.14";
+ "radarr.labs.adtya.xyz" = "10.10.10.14";
+ "sonarr.labs.adtya.xyz" = "10.10.10.14";
+ "readarr.labs.adtya.xyz" = "10.10.10.14";
+ "jackett.labs.adtya.xyz" = "10.10.10.14";
+ };
+ };
+ conditional = {
+ fallbackUpstream = false;
+ mapping = {
+ "local.adtya.xyz" = "192.168.1.1";
+ "1.168.192.in-addr.arpa" = "192.168.1.1";
+ };
+ };
+ blocking = {
+ denylists = {
+ ads = [
+ "https://raw.githubusercontent.com/blocklistproject/Lists/master/ads.txt"
+ ];
+ pihole = [
+ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+ ];
+ };
+ allowlists = {
+ pihole = [
+ (pkgs.writeText "allowlist.txt" ''
+ s.youtube.com
+ '')
+ ];
+
+ };
+ clientGroupsBlock = {
+ default = [ "ads" "pihole" ];
+ };
+ };
+ clientLookup = {
+ upstream = "192.168.1.1";
+ singleNameOrder = [ 2 1 ];
+ };
+ prometheus = {
+ enable = true;
+ path = "/metrics";
+ };
+ ports = {
+ dns = "192.168.1.11:53,10.10.10.11:53";
+ tls = "192.168.1.11:853,10.10.10.11:853";
+ http = "127.0.0.1:8080";
+ };
+ log = {
+ level = "warn";
+ format = "json";
+ timestamp = true;
+ privacy = true;
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/rico1/services/apps/default.nix b/hosts/rico1/services/apps/default.nix
index fcab3d5..b01f012
--- a/hosts/rico1/services/apps/default.nix
+++ b/hosts/rico1/services/apps/default.nix
@@ -3,6 +3,7 @@ _: {
 ./adtya.xyz.nix
 ./proofs.nix
 ./wiki.nix
+ ./blocky.nix
 ../../../shared/prometheus-exporters.nix
 ../../../shared/promtail.nix
 ];
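Review bot: `ports.tls` binds a DNS-over-TLS listener on 192.168.1.11:853 and 10.10.10.11:853, but the `networking.firewall` block only opens 53, so that listener is unreachable unless 853 is opened elsewhere; either add `853 # DNS-over-TLS` to `allowedTCPPorts` or drop the `tls` port if DoT is not intended. Those firewall rules are also host-wide while blocky binds only the LAN and lab addresses, so scoping them with `networking.firewall.interfaces.<iface>.allowedTCPPorts`/`allowedUDPPorts` keeps 53 closed on any other interface this host has (the Caddy vhosts suggest at least one more). The Caddy virtualHost proxies blocky's entire HTTP listener on 127.0.0.1:8080 with no access control in `extraConfig`; as far as I know that port also serves blocky's control API (blocking enable/disable, query) and DoH without authentication of its own, so anyone who can reach `blocky.labs.adtya.xyz` can toggle blocking — consider a `basicauth` or `remote_ip` matcher, or proxying only `/metrics` if that is the intent. Finally, `unitConfig.After` only orders against units that are being started anyway; without a matching `Wants = [ "network-online.target" "wireguard-wg0.service" ]` the bind on 10.10.10.11 may race wg0 bringing up its address and fail at boot.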