nix/container/Dns.nix

{
  container,
  pkgs,
  lib,
  config,
  ...
}:
let
  cfg = config.container.module.dns;
in
{
  options = {
    container.module.dns = {
      enable = lib.mkEnableOption "the DNS server.";
      address = lib.mkOption {
        default = "10.1.0.6";
        type = lib.types.str;
      };
      port = lib.mkOption {
        default = 53;
        type = lib.types.int;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    containers.dns = container.mkContainer cfg {
      config =
        { ... }:
        container.mkContainerConfig cfg {
          environment.systemPackages = [ pkgs.cloudflared ];

          # systemd.services.cloudflared = {
          #   description = "Cloudflare DoH server.";
          #   enable = true;
          #   wantedBy = [ "multi-user.target" ];
          #   serviceConfig = {
          #     Type = "simple";
          #     ExecStart = "${lib.getExe pkgs.cloudflared} proxy-dns --port 5054";
          #   };
          # };

          services.blocky = {
            enable = true;
            # SRC: https://0xerr0r.github.io/blocky/main/configuration/
            settings = {
              bootstrapDns = "tcp+udp:1.1.1.1";
              connectIPVersion = "v4";
              upstreams.groups = {
                default = [ "https://dns.quad9.net/dns-query" ];
              };
              caching = {
                maxItemsCount = 100000;
                maxTime = "30m";
                minTime = "5m";
                prefetchExpires = "2h";
                prefetchMaxItemsCount = 100000;
                prefetchThreshold = 5;
                prefetching = true;
              };
              blocking = {
                blockTTL = "1m";
                blockType = "zeroIP";
                loading = {
                  refreshPeriod = "1h";
                  strategy = "blocking";
                  downloads = {
                    timeout = "5m";
                    attempts = 3;
                    cooldown = "10s";
                  };
                };
                # SRC: https://oisd.nl
                # SRC: https://v.firebog.net
                denylists = {
                  suspicious = [
                    "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
                    "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" # https://github.com/StevenBlack/hosts
                    "https://v.firebog.net/hosts/static/w3kbl.txt"
                  ];
                  ads = [
                    "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
                    "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
                    "https://v.firebog.net/hosts/AdguardDNS.txt"
                    "https://v.firebog.net/hosts/Admiral.txt"
                    "https://v.firebog.net/hosts/Easylist.txt"
                  ];
                  tracking = [
                    "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
                    "https://v.firebog.net/hosts/Easyprivacy.txt"
                    "https://v.firebog.net/hosts/Prigent-Ads.txt"
                  ];
                  malicious = [
                    "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
                    "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
                    "https://phishing.army/download/phishing_army_blocklist_extended.txt"
                    "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
                    "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
                    "https://urlhaus.abuse.ch/downloads/hostfile/"
                    "https://v.firebog.net/hosts/Prigent-Crypto.txt"
                    "https://v.firebog.net/hosts/Prigent-Malware.txt"
                  ];
                  other = [
                    "https://big.oisd.nl/domainswild"
                    "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
                  ];
                };
                # allowlists = {
                #   other = [
                #     "/.*.vk.com/"
                #   ];
                # };
                clientGroupsBlock = {
                  default = [
                    "suspicious"
                    "ads"
                    "tracking"
                    "malicious"
                    "other"
                  ];
                };
              };
              customDNS = {
                mapping =
                  let
                    block = host: { ${host} = "0.0.0.0"; };
                  in
                  {
                    # All subdomains to current host.
                    # ${config.container.domain} = config.container.host;
                    "voronind.com" = "10.0.0.1";
                  }
                  // block "gosuslugi.ru"
                  // block "rutube.ru"
                  // block "vk.com";
              };
              ports.dns = cfg.port;
              # httpPort = "80";
            };
          };
        };
    };
  };
}
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`{`
			`container,`
			`pkgs,`
			`lib,`
			`config,`
			`...`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`}:`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`let`
			`cfg = config.container.module.dns;`
			`in`
			`{`
			`options = {`
			`container.module.dns = {`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`enable = lib.mkEnableOption "the DNS server.";`
			`address = lib.mkOption {`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`default = "10.1.0.6";`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`type = lib.types.str;`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`};`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`port = lib.mkOption {`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`default = 53;`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`type = lib.types.int;`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`};`
			`};`
			`};`
Huge containers update 2024-06-09 23:35:53 +03:00
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`config = lib.mkIf cfg.enable {`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`containers.dns = container.mkContainer cfg {`
			`config =`
			`{ ... }:`
			`container.mkContainerConfig cfg {`
Nixfmt: Enable strict formatting. 2024-10-14 04:51:19 +03:00			`environment.systemPackages = [ pkgs.cloudflared ];`
Huge containers update 2024-06-09 23:35:53 +03:00
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`# systemd.services.cloudflared = {`
			`# description = "Cloudflare DoH server.";`
			`# enable = true;`
			`# wantedBy = [ "multi-user.target" ];`
			`# serviceConfig = {`
			`# Type = "simple";`
			`# ExecStart = "${lib.getExe pkgs.cloudflared} proxy-dns --port 5054";`
			`# };`
			`# };`
Rewrite modules to options. 2024-06-25 04:04:39 +03:00
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`services.blocky = {`
			`enable = true;`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`# SRC: https://0xerr0r.github.io/blocky/main/configuration/`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`settings = {`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`bootstrapDns = "tcp+udp:1.1.1.1";`
Dns: Disable ipv6 for downloads. 2024-10-21 20:42:38 +03:00			`connectIPVersion = "v4";`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`upstreams.groups = {`
			`default = [ "https://dns.quad9.net/dns-query" ];`
			`};`
			`caching = {`
			`maxItemsCount = 100000;`
			`maxTime = "30m";`
			`minTime = "5m";`
			`prefetchExpires = "2h";`
			`prefetchMaxItemsCount = 100000;`
			`prefetchThreshold = 5;`
			`prefetching = true;`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`};`
			`blocking = {`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`blockTTL = "1m";`
			`blockType = "zeroIP";`
			`loading = {`
			`refreshPeriod = "1h";`
			`strategy = "blocking";`
			`downloads = {`
			`timeout = "5m";`
			`attempts = 3;`
			`cooldown = "10s";`
			`};`
			`};`
			`# SRC: https://oisd.nl`
			`# SRC: https://v.firebog.net`
			`denylists = {`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`suspicious = [`
			`"https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" # https://github.com/StevenBlack/hosts`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`"https://v.firebog.net/hosts/static/w3kbl.txt"`
			`];`
			`ads = [`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"`
			`"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`"https://v.firebog.net/hosts/AdguardDNS.txt"`
			`"https://v.firebog.net/hosts/Admiral.txt"`
			`"https://v.firebog.net/hosts/Easylist.txt"`
			`];`
			`tracking = [`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`"https://v.firebog.net/hosts/Easyprivacy.txt"`
			`"https://v.firebog.net/hosts/Prigent-Ads.txt"`
			`];`
			`malicious = [`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"`
			`"https://phishing.army/download/phishing_army_blocklist_extended.txt"`
			`"https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`"https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`"https://urlhaus.abuse.ch/downloads/hostfile/"`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`"https://v.firebog.net/hosts/Prigent-Crypto.txt"`
			`"https://v.firebog.net/hosts/Prigent-Malware.txt"`
			`];`
			`other = [`
			`"https://big.oisd.nl/domainswild"`
			`"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`];`
			`};`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`# allowlists = {`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`# other = [`
			`# "/.*.vk.com/"`
			`# ];`
			`# };`
			`clientGroupsBlock = {`
			`default = [`
			`"suspicious"`
			`"ads"`
			`"tracking"`
			`"malicious"`
			`"other"`
			`];`
			`};`
			`};`
			`customDNS = {`
			`mapping =`
			`let`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`block = host: { ${host} = "0.0.0.0"; };`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`in`
			`{`
			`# All subdomains to current host.`
			`# ${config.container.domain} = config.container.host;`
			`"voronind.com" = "10.0.0.1";`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`}`
			`// block "gosuslugi.ru"`
			`// block "rutube.ru"`
			`// block "vk.com";`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`};`
Dns: Update config & lists. 2024-10-21 20:34:09 +03:00			`ports.dns = cfg.port;`
Switch to using nixfmt & indent with spaces cause no tab support... 2024-10-11 23:27:07 +03:00			`# httpPort = "80";`
			`};`
			`};`
			`};`
			`};`
			`};`
Huge containers update 2024-06-09 23:35:53 +03:00			`}`