Enable blocky and unbound DNS on dalinar

Johannes Rothe 2025-03-17 20:18:09 +01:00
parent 37bd8a68c5
commit 5d0ed56702


@ -27,7 +27,17 @@
};
networking.hostName = "dalinar";
networking.firewall = {
enable = true;
allowedUDPPorts = [ 53 ];
};
networking.useNetworkd = true;
services.resolved = {
enable = true;
extraConfig = ''
DNSStubListener=no
'';
};
time.timeZone = "Europe/Berlin";
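Review bot: `allowedUDPPorts = [ 53 ];` opens the resolver on every interface but leaves TCP 53 closed, so remote clients whose answers exceed the UDP size and get truncated cannot fall back to TCP and will fail; add `allowedTCPPorts = [ 53 ];` alongside it. Since blocky in the next hunk listens on `dns = 53` without a bind address, the firewall rule alone decides who can query it; if dalinar has any interface beyond tailscale (unclear from this hunk), this is an open recursive resolver reachable from that network, which is a spoofed-source amplification exposure. If the intent is to serve only Tailscale peers, scope the rule to that interface instead, e.g. `networking.firewall.interfaces.tailscale0.allowedUDPPorts = [ 53 ];` (and the TCP equivalent), or bind blocky to the Tailscale address. A short comment such as `# 53 exposed for blocky; restricted to Tailscale peers` would also record why the port is open next to the firewall block. The enclosing configuration set starts before this hunk.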
@ -54,6 +64,62 @@
services.tailscale.enable = true;
services.unbound = {
enable = true;
settings = {
server = {
interface = [ "127.0.0.1" ];
port = 5335;
access-control = [ "127.0.0.1 allow" ];
harden-glue = true;
num-threads = 4;
harden-dnssec-stripped = true;
use-caps-for-id = false;
prefetch = true;
edns-buffer-size = 1232;
hide-identity = true;
hide-version = true;
private-address = [
"172.16.0.0/12"
];
};
forward-zone = [
{
name = ".";
forward-addr = [
"9.9.9.9#dns.quad9.net"
"149.112.112.112#dns.quad9.net"
];
forward-tls-upstream = true;
}
];
};
};
services.blocky = {
enable = true;
settings = {
upstreams.groups.default = [
"127.0.0.1:${builtins.toString config.services.unbound.settings.server.port}"
];
blocking = {
denylists.ads = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
];
clientGroupsBlock.default = [ "ads" ];
};
ports = {
dns = 53;
http = 4000; # port for prometheus metrics
};
prometheus = {
enable = true;
path = "/metrics";
};
queryLog.type = "none";
};
};
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#