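{ config, lib, ... }:

# NixOS module: a Blocky DNS resolver with ad/phishing/tracking blocklists,
# a local Prometheus scraping its metrics, and a provisioned Grafana dashboard.
# Enable with `modules.services.blocky.enable = true;`.
let
  # Import only the helpers actually used instead of `with lib;`, which makes
  # every name in lib implicitly available and hides where identifiers come from.
  inherit (lib) mkEnableOption mkIf;
  cfg = config.modules.services.blocky;
in
{
  options.modules.services.blocky = {
    enable = mkEnableOption "the Blocky DNS resolver with Prometheus and Grafana monitoring";
  };

  config = mkIf cfg.enable {
    services.blocky = {
      enable = true;
      settings = {
        ports = {
          # Safety: `dns = 53` listens on every interface. Reachability is
          # meant to be limited to tailnet peers, so this relies on the NixOS
          # firewall not opening 53 publicly — check that no other module adds
          # 53 to networking.firewall.allowedUDPPorts/allowedTCPPorts.
          dns = 53;
          # The HTTP API / metrics endpoint is bound to loopback only; it is
          # consumed by the local Prometheus below.
          http = "127.0.0.1:4000";
        };

        # Encrypted (DoH) upstreams only; no plaintext UDP/53 resolver.
        upstream.default = [
          "https://dns.quad9.net/dns-query"
          "https://one.one.one.one/dns-query"
        ];
        upstreamTimeout = "10s";

        # For initially resolving DoH/DoT upstream hostnames when no system
        # resolver is available. The bootstrap IPs are pinned so startup does
        # not depend on an unverified plaintext lookup.
        bootstrapDns = {
          upstream = "https://dns.quad9.net/dns-query";
          ips = [ "9.9.9.9" "149.112.112.112" ];
        };

        caching = {
          minTime = "0m";
          maxTime = "12h";
          cacheTimeNegative = "1m";
          prefetching = true;
        };

        prometheus.enable = true;
        # Writes every client query (with the MagicDNS client name resolved
        # below) to stdout, i.e. the systemd journal. This is a per-client
        # browsing record; consider journal retention and who can read it.
        queryLog.type = "console";
        conditional = {
          fallbackUpstream = true;
        };

        # Use Tailscale MagicDNS to resolve client names for logs/grouping.
        clientLookup.upstream = "100.100.100.100";

        blocking = {
          blackLists = {
            # Lists are fetched over HTTPS from GitHub at refresh time; a
            # compromised or unavailable list changes blocking behaviour, so
            # watch the blocky refresh logs/metrics for download failures.
            ads = [
              "https://raw.githubusercontent.com/blocklistproject/Lists/master/ads.txt"
              "https://raw.githubusercontent.com/blocklistproject/Lists/master/phishing.txt"
              "https://raw.githubusercontent.com/blocklistproject/Lists/master/tracking.txt"
            ];
          };

          clientGroupsBlock = {
            default = [ "ads" ];
          };
        };
      };
    };

    services.prometheus = {
      enable = true;
      globalConfig.scrape_interval = "15s";
      globalConfig.evaluation_interval = "15s";
      # NOTE(review): listenAddress is not set here, so Prometheus uses the
      # NixOS default bind address; if that is not loopback, only the firewall
      # keeps its UI/API off the public interface — confirm before exposing.
      scrapeConfigs = [{
        job_name = "blocky";
        static_configs = [{ targets = [ "127.0.0.1:4000" ]; }];
      }];
    };

    services.grafana = {
      settings = {
        # Required for the blocky panel, which renders raw HTML. With
        # sanitisation off, anyone who can edit a dashboard can inject
        # script into it, so keep dashboard editing restricted to trusted
        # users and prefer the file-provisioned dashboard below.
        panels.disable_sanitize_html = true;
      };
      provision = {
        enable = true;
        datasources.settings = {
          datasources = [{
            name = "Prometheus";
            type = "prometheus";
            access = "proxy";
            orgId = 1;
            uid = "5Z0Y8D3GXAMDODSF";
            # Grafana proxies queries to the local Prometheus; the port is
            # taken from the Prometheus module so the two cannot drift apart.
            url = "http://127.0.0.1:${toString config.services.prometheus.port}";
            isDefault = true;
            jsonData = {
              graphiteVersion = "1.1";
              tlsAuth = false;
              tlsAuthWithCACert = false;
            };
            version = 1;
            # The provisioned datasource may still be changed from the UI.
            editable = true;
          }];
        };
        dashboards.settings = {
          providers = [{ name = "My Dashboards"; options.path = "/etc/grafana-dashboards"; }];
        };
      };
    };

    # Ship the dashboard JSON from the repo so the HTML panel content is
    # version-controlled rather than entered through the UI.
    environment.etc."grafana-dashboards/blocky_rev3.json" = {
      source = ./grafana_blocky_rev3.json;
      group = "grafana";
      user = "grafana";
    };
  };
}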