Compare commits

...

4 commits

3 changed files with 88 additions and 57 deletions

View file

@ -3,100 +3,109 @@
pkgs, pkgs,
lib, lib,
config, config,
util,
... ...
}@args: }:
with lib;
let let
cfg = config.container.module.dns; cfg = config.container.module.dns;
in in
{ {
options = { options = {
container.module.dns = { container.module.dns = {
enable = mkEnableOption "Dns server."; enable = lib.mkEnableOption "the DNS server.";
address = mkOption { address = lib.mkOption {
default = "10.1.0.6"; default = "10.1.0.6";
type = types.str; type = lib.types.str;
}; };
port = mkOption { port = lib.mkOption {
default = 53; default = 53;
type = types.int; type = lib.types.int;
}; };
}; };
}; };
config = mkIf cfg.enable { config = lib.mkIf cfg.enable {
containers.dns = container.mkContainer cfg { containers.dns = container.mkContainer cfg {
config = config =
{ ... }: { ... }:
container.mkContainerConfig cfg { container.mkContainerConfig cfg {
environment.systemPackages = [ pkgs.cloudflared ]; environment.systemPackages = [ pkgs.cloudflared ];
systemd.services.cloudflared = { # systemd.services.cloudflared = {
description = "Cloudflare DoH server."; # description = "Cloudflare DoH server.";
enable = true; # enable = true;
wantedBy = [ "multi-user.target" ]; # wantedBy = [ "multi-user.target" ];
serviceConfig = { # serviceConfig = {
Type = "simple"; # Type = "simple";
ExecStart = "${getExe pkgs.cloudflared} proxy-dns --port 5054"; # ExecStart = "${lib.getExe pkgs.cloudflared} proxy-dns --port 5054";
}; # };
}; # };
services.blocky = { services.blocky = {
enable = true; enable = true;
# SRC: https://0xerr0r.github.io/blocky/main/configuration/
settings = { settings = {
upstream = { bootstrapDns = "tcp+udp:1.1.1.1";
default = [ connectIPVersion = "v4";
"0.0.0.0:5054" upstreams.groups = {
"0.0.0.0:5054" default = [ "https://dns.quad9.net/dns-query" ];
]; };
caching = {
maxItemsCount = 100000;
maxTime = "30m";
minTime = "5m";
prefetchExpires = "2h";
prefetchMaxItemsCount = 100000;
prefetchThreshold = 5;
prefetching = true;
}; };
blocking = { blocking = {
blackLists = { blockTTL = "1m";
blockType = "zeroIP";
loading = {
refreshPeriod = "1h";
strategy = "blocking";
downloads = {
timeout = "5m";
attempts = 3;
cooldown = "10s";
};
};
# SRC: https://oisd.nl
# SRC: https://v.firebog.net
denylists = {
suspicious = [ suspicious = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
"https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt" "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts" "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" # https://github.com/StevenBlack/hosts
"https://v.firebog.net/hosts/static/w3kbl.txt" "https://v.firebog.net/hosts/static/w3kbl.txt"
]; ];
ads = [ ads = [
"https://easylist-downloads.adblockplus.org/bitblock.txt" "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
"https://adaway.org/hosts.txt" "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
"https://v.firebog.net/hosts/AdguardDNS.txt" "https://v.firebog.net/hosts/AdguardDNS.txt"
"https://v.firebog.net/hosts/Admiral.txt" "https://v.firebog.net/hosts/Admiral.txt"
"https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
"https://v.firebog.net/hosts/Easylist.txt" "https://v.firebog.net/hosts/Easylist.txt"
"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
"https://github.com/easylist/ruadlist/blob/master/advblock/adservers.txt"
]; ];
tracking = [ tracking = [
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
"https://v.firebog.net/hosts/Easyprivacy.txt" "https://v.firebog.net/hosts/Easyprivacy.txt"
"https://v.firebog.net/hosts/Prigent-Ads.txt" "https://v.firebog.net/hosts/Prigent-Ads.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
]; ];
malicious = [ malicious = [
"https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
"https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
"https://v.firebog.net/hosts/Prigent-Crypto.txt"
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
"https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
"https://phishing.army/download/phishing_army_blocklist_extended.txt"
"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt" "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
"https://v.firebog.net/hosts/RPiList-Malware.txt" "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
"https://v.firebog.net/hosts/RPiList-Phishing.txt" "https://phishing.army/download/phishing_army_blocklist_extended.txt"
"https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
"https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts" "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
"https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
"https://urlhaus.abuse.ch/downloads/hostfile/" "https://urlhaus.abuse.ch/downloads/hostfile/"
"https://v.firebog.net/hosts/Prigent-Crypto.txt"
"https://v.firebog.net/hosts/Prigent-Malware.txt"
];
other = [
"https://big.oisd.nl/domainswild"
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
]; ];
other = [ "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser" ];
}; };
# whiteLists = { # allowlists = {
# other = [ # other = [
# "/.*.vk.com/" # "/.*.vk.com/"
# ]; # ];
@ -114,20 +123,18 @@ in
customDNS = { customDNS = {
mapping = mapping =
let let
block = "0.0.0.0"; block = host: { ${host} = "0.0.0.0"; };
in in
{ {
# All subdomains to current host. # All subdomains to current host.
# ${config.container.domain} = config.container.host; # ${config.container.domain} = config.container.host;
"voronind.com" = "10.0.0.1"; "voronind.com" = "10.0.0.1";
}
# Blocklist. // block "gosuslugi.ru"
"gosuslugi.ru" = block; // block "rutube.ru"
"rutube.ru" = block; // block "vk.com";
"vk.com" = block;
}; };
}; ports.dns = cfg.port;
port = cfg.port;
# httpPort = "80"; # httpPort = "80";
}; };
}; };

View file

@ -73,5 +73,24 @@
_iterate_targets process ''${targets[@]} _iterate_targets process ''${targets[@]}
} }
# Find user keys using keyservers.
# Usage: gpg_find <EMAIL>
function gpg_find() {
local email="''${1}"
if [[ "''${email}" = "" ]]; then
help gpg_find
return 2
fi
gpg --locate-keys "''${email}" \
|| gpg --locate-keys --auto-key-locate hkps://keys.openpgp.org "''${email}"
}
# Update keys.
function gpg_refresh() {
gpg --refresh-keys
}
''; '';
} }

View file

@ -8,6 +8,11 @@ in
gpg = { gpg = {
enable = true; enable = true;
inherit (secret.crypto) publicKeys; inherit (secret.crypto) publicKeys;
mutableKeys = true;
mutableTrust = true;
settings = {
keyserver = "hkps://keys.openpgp.org";
};
}; };
firefox = import ./firefox args; firefox = import ./firefox args;