From 3f444a392d39de1894ce1382a7d1474d00d043da Mon Sep 17 00:00:00 2001
From: coolneng
Date: Wed, 14 Apr 2021 14:09:17 +0200
Subject: [PATCH] Deploy DNS server with ad-block and NAT loopback

---
 modules/networking.nix | 23 +++++++++++++++++++++++
 modules/periodic.nix | 31 +++++++++++++++++++++++++++++--
 2 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/modules/networking.nix b/modules/networking.nix
index e788ae4..3824f9e 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -51,11 +51,13 @@ in {
 5000 # Sybase
 80 # HTTP
 443 # HTTPS
+ 53 # DNS
 ];
 allowedUDPPorts = [
 137 # Samba
 138 # Samba
 1194 # Wireguard
+ 53 # DNS
 ];
 allowPing = true;
 };
@@ -130,4 +132,25 @@ in {
 '';
 };
 
+ # DNS server with adblock
+ services.dnsmasq = {
+ enable = true;
+ servers = [ "1.1.1.1" "8.8.8.8" ];
+ extraConfig = ''
+ domain-needed
+ bogus-priv
+ no-resolv
+
+ listen-address=127.0.0.1,10.0.1.3,10.9.0.1
+ bind-interfaces
+
+ cache-size=10000
+ local-ttl=300
+
+ conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
+
+ address=/coace.duckdns.org/10.0.1.3
+ '';
+ };
+
 }
diff --git a/modules/periodic.nix b/modules/periodic.nix
index 6b683f4..58bc27e 100644
--- a/modules/periodic.nix
+++ b/modules/periodic.nix
@@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:
 
-{
+let
+ stateDir = "/var/lib/dnsmasq";
+ blocklist = "${stateDir}/dnsmasq.blacklist.txt";
+
+in {
 # Pull changes from git repos
 systemd.user.services.git-pull = {
 description = "Pull git repositories";
@@ -14,7 +18,7 @@
 serviceConfig = { Type = "oneshot"; };
 };
 
- systemd.user.timers.doom-upgrade = {
+ systemd.user.timers.git-pull = {
 description = "Daily code update";
 wantedBy = [ "default.target" ];
 timerConfig = {
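Review bot: The two added `53 # DNS` entries go into the global `allowedTCPPorts`/`allowedUDPPorts`, which NixOS applies to every interface, so the firewall admits DNS queries on any interface the host has, not only the 10.0.1.3 and 10.9.0.1 addresses the dnsmasq hunk in this file binds to; if the machine has a directly routable interface that is an open forwarder to 1.1.1.1/8.8.8.8, since `no-resolv` plus `servers` answers for any client the firewall lets through. Scope the rule to the interfaces that should be served instead, e.g. `networking.firewall.interfaces.<lan-if>.allowedUDPPorts = [ 53 ];` (and likewise for TCP and the WireGuard interface), and keep 53 out of the global lists. The attribute set these port lists belong to starts outside the hunk.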
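Review bot: `conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt` loads a file downloaded from GitHub as ordinary dnsmasq configuration, so any directive it contains (a `server=` line, for instance) is honoured with the same authority as this module; reading a hosts-format list through `addn-hosts=` instead would confine the fetched data to name→address mappings, if the upstream project publishes one. As far as I can tell dnsmasq also treats a missing `conf-file` target as fatal at startup (unlike `conf-dir`), and on a fresh host the file does not exist until the download unit in periodic.nix has run, so either pre-create it, e.g. `systemd.tmpfiles.rules = [ "f /var/lib/dnsmasq/dnsmasq.blacklist.txt 0644 dnsmasq dnsmasq -" ];`, or order dnsmasq after that unit. The path is also a second copy of periodic.nix's `blocklist` binding, and keeping one definition avoids the two drifting. Separately, `bind-interfaces` together with `listen-address=…,10.9.0.1` fails to bind when that tunnel address is not yet up at dnsmasq start, which `bind-dynamic` tolerates — worth verifying on this host.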
@@ -30,4 +34,27 @@
 location = "/vault/backups/databases/nextcloud";
 startAt = "*-*-* 05:15:00";
 };
+
+ # Fetch hosts-blocklists daily
+ systemd.services.download-dns-blocklist = {
+ description = "Download hosts-blocklists";
+ wantedBy = [ "default.target" ];
+ path = with pkgs; [ curl ];
+ script =
+ "curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}";
+ serviceConfig.Type = "oneshot";
+ postStop = ''
+ chown -R dnsmasq ${stateDir}
+ systemctl restart dnsmasq
+ '';
+ };
+
+ systemd.timers.download-dns-blocklist = {
+ description = "Daily download of hosts-blocklists";
+ wantedBy = [ "default.target" ];
+ timerConfig = {
+ OnCalendar = "02:00:00";
+ Unit = "download-dns-blocklist.service";
+ };
+ };
 }
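Review bot: The download in `script` is `curl -L … -o ${blocklist}` without `-f`, so an HTTP error body or a truncated transfer is written straight over the live blocklist, and `postStop` (ExecStopPost) then restarts dnsmasq whether or not curl succeeded — with an unparseable `conf-file` dnsmasq will most likely not come back, turning a failed fetch into a DNS outage. Download to a temporary file with `-f`, move it into place only on success, and restart from `postStart` (ExecStartPost), which runs only after the script has exited 0. The service also has no `after`/`wants` on `network-online.target`, so the boot-time run triggered by `wantedBy = [ "default.target" ]` can fire before the network is up. Adding `Persistent = true;` to `timerConfig` would let the timer catch up on a 02:00 run missed while the host was off.
```nix
  systemd.services.download-dns-blocklist = {
    # … unchanged: description, wantedBy, path …
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    script = ''
      set -eu
      tmp="${blocklist}.tmp"
      curl -fsSL --max-time 300 \
        https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt \
        -o "$tmp"
      mv -f "$tmp" ${blocklist}
      chown -R dnsmasq ${stateDir}
    '';
    serviceConfig.Type = "oneshot";
    postStart = ''
      systemctl restart dnsmasq.service
    '';
  };
```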