DNS Server

Lucas Thelen 2025-09-26 04:19:40 +00:00
parent ac3f55966b
commit 4b1d75b0e0
7 changed files with 91 additions and 20 deletions


@ -12,6 +12,7 @@
./packages.nix ./packages.nix
./users.nix ./users.nix
./networking/ssh.nix ./networking/ssh.nix
./networking/adblock.nix
]; ];
}; };
}; };


@ -4,29 +4,27 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/887383a8-555c-4156-9b62-337ae007ce51"; device = "/dev/disk/by-uuid/887383a8-555c-4156-9b62-337ae007ce51";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/6979-163D"; device = "/dev/disk/by-uuid/6979-163D";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ]; options = [ "fmask=0077" "dmask=0077" ];
}; };
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/3fc91af7-13f4-4088-bb9a-7d6c8adf6d73"; } [{ device = "/dev/disk/by-uuid/3fc91af7-13f4-4088-bb9a-7d6c8adf6d73"; }];
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
@ -47,5 +45,6 @@
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

71
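--- /dev/null
+++ b/networking/adblock.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+let
+adblockLocalZones = pkgs.stdenv.mkDerivation {
+name = "unbound-zones-adblock";
+src = (pkgs.fetchFromGitHub {
+owner = "StevenBlack";
+repo = "hosts";
+rev = "3.16.20";
+sha256 = "sha256-z3VWoF5/evd0n97AmrWgSskaNqVaad0Ex2pn53JHkSk=";
+} + "/hosts");
+phases = [ "installPhase" ];
+installPhase = ''
+${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u > $out
+'';
+};
+in {
+services.resolved.enable = false;
+networking.firewall.allowedTCPPorts = [ 53 ];
+networking.firewall.allowedUDPPorts = [ 53 ];
+services.unbound = {
+enable = true;
+settings = {
+server = {
+port = 53;
+interface = [ "0.0.0.0" "127.0.0.1" ];
+access-control = [
+"127.0.0.0/8 allow"
+"10.0.0.0/8 allow"
+"172.16.0.0/12 allow"
+"192.168.0.0/16 allow"
+];
+include = [ "${adblockLocalZones}" ];
+num-threads = 2;
+so-reuseport = "yes";
+hide-identity = "yes";
+hide-version = "yes";
+qname-minimisation = "yes";
+harden-dnssec-stripped = "yes";
+prefetch = "yes";
+serve-expired = "yes";
+rrset-roundrobin = "yes";
+do-ip6 = "no";
+do-udp = "yes";
+do-tcp = "yes";
+};
+forward-zone = [{
+name = ".";
+forward-tls-upstream = "yes";
+forward-addr = [
+"1.1.1.1@853#cloudflare-dns.com"
+"1.0.0.1@853#cloudflare-dns.com"
+"8.8.8.8@853#dns.google"
+"8.8.4.4@853#dns.google"
+];
+}];
+};
+};
+networking.resolvconf.enable = false;
+environment.etc."resolv.conf".text = ''
+nameserver 127.0.0.1
+options edns0
+'';
+}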
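Review bot: `networking.firewall.allowedTCPPorts`/`allowedUDPPorts = [ 53 ]` combined with `interface = [ "0.0.0.0" "127.0.0.1" ]` exposes the resolver on every IPv4 interface of the host, so the `access-control` list is the only thing stopping it from serving outside clients, and any non-private interface still answers each stray query with a REFUSED reply. Scoping the firewall rule to the LAN interface, `networking.firewall.interfaces."<lan-iface>".allowedUDPPorts = [ 53 ];` (and the same for TCP), or naming the LAN address instead of `0.0.0.0` in `interface`, keeps the firewall and the access list consistent with the private-range intent. The `#cloudflare-dns.com` / `#dns.google` suffixes on `forward-addr` only authenticate the upstream when Unbound has a CA bundle; I believe the NixOS module sets `tls-cert-bundle` by default, but that is worth confirming, since without it `forward-tls-upstream` encrypts without verifying the peer. `phases = [ "installPhase" ]` is the deprecated way to skip unpacking; `dontUnpack = true;` is the current idiom for this derivation.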


@ -10,9 +10,6 @@
}; };
}; };
# DNS server
services.resolved.enable = true;
networking = { networking = {
nameservers = [ "205.171.3.25" "8.8.8.8" ]; nameservers = [ "205.171.3.25" "8.8.8.8" ];


@ -4,5 +4,7 @@
vimPlugins.LazyVim vimPlugins.LazyVim
git git
wget wget
nixfmt-classic
btop
]; ];
} }


@ -2,4 +2,5 @@
# System boots # System boots
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
nix.settings.experimental.features = [ "nix-commmand" "flakes" ];
} }
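Review bot: The added `nix.settings.experimental.features` line has two defects: the option key is `experimental-features` (one hyphenated setting name, not a nested `experimental.features` attribute), and the feature name is misspelt as `nix-commmand`. As written the setting is either rejected by the module or ignored by Nix, so the new CLI and flakes stay disabled. The line should read `nix.settings.experimental-features = [ "nix-command" "flakes" ];`.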


@ -7,7 +7,7 @@
shell = pkgs.fish; shell = pkgs.fish;
packages = with pkgs; [eza]; packages = with pkgs; [ eza ];
hashedPassword = hashedPassword =
"$6$X.mw03yY/VFjDThj$t1I68HZz6NBihZGhiJ6Ct8ZuOufX6ZX9pydnK4puTjT1XKfMO1FY5VL1DwywJHrXOEJtohV99TmrABfjdBQY21"; "$6$X.mw03yY/VFjDThj$t1I68HZz6NBihZGhiJ6Ct8ZuOufX6ZX9pydnK4puTjT1XKfMO1FY5VL1DwywJHrXOEJtohV99TmrABfjdBQY21";