machines: name: Remove obsolete machine/configuration
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
parent
dc9e47b523
commit
0079f6a4c1
|
@ -15,7 +15,6 @@ let
|
|||
|
||||
machines = {
|
||||
fort = { deployment.tags = [ "external" "vm" ]; };
|
||||
name = { deployment.tags = [ "homelab" "lxc" ]; };
|
||||
serv = { deployment.tags = [ "homelab" "lxc" ]; };
|
||||
trek = { deployment.tags = [ "desktop" ]; };
|
||||
zero = { deployment.tags = [ "desktop" ]; };
|
||||
|
|
|
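Review bot: Dropping `name` from `machines` removes the host that, judging by the deleted file below, served DNS for the homelab (blocky on port 53 in front of unbound with `access-control = "10.0.0.0/8 allow"`), yet nothing in this commit shows where the remaining homelab hosts now resolve names or that `my.homelab.dns.mapping` no longer carries entries for it. The `secrets/my.nix` change is binary and cannot be reviewed here, so whether `my.machines.name.eth0` was removed along with its consumer is not visible. If another machine has already taken over the resolver role, stating that in the commit message would make the removal self-evidently safe; otherwise clients still pointed at the old address lose resolution and blocking once this host is decommissioned. The `let` binding that holds `machines` starts outside the hunk.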
@ -1,36 +0,0 @@
|
|||
{ lib, my, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ ../services/blocky.nix ../services/unbound.nix ../system/lxc.nix ];
|
||||
|
||||
system = {
|
||||
nssModules = lib.mkForce [ ];
|
||||
stateVersion = "23.05";
|
||||
};
|
||||
|
||||
networking = my.homelab.networking // {
|
||||
interfaces.eth0 = my.machines.name.eth0;
|
||||
firewall = {
|
||||
allowedTCPPorts = [ 53 ];
|
||||
allowedUDPPorts = [ 53 ];
|
||||
};
|
||||
};
|
||||
|
||||
# Disable all system DNS services
|
||||
services.nscd.enable = false;
|
||||
services.resolved.enable = false;
|
||||
|
||||
services.unbound.settings.server.port = 5353;
|
||||
services.blocky.settings = {
|
||||
bootstrapDns = "127.0.0.1:5353";
|
||||
customDNS.mapping = my.homelab.dns.mapping;
|
||||
upstreams.groups.default = [ "127.0.0.1:5353" ];
|
||||
};
|
||||
|
||||
systemd.services.blocky = {
|
||||
requires = [ "unbound.service" ];
|
||||
after = [ "unbound.service" ];
|
||||
preStart = "${pkgs.coreutils-full}/bin/sleep 10";
|
||||
};
|
||||
}
|
BIN
secrets/my.nix
BIN
secrets/my.nix
Binary file not shown.
|
@ -1,18 +0,0 @@
|
|||
{
|
||||
services.blocky = {
|
||||
enable = true;
|
||||
settings = {
|
||||
blocking = {
|
||||
blackLists.default = [
|
||||
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
|
||||
"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/light.txt"
|
||||
];
|
||||
clientGroupsBlock.default = [ "default" ];
|
||||
};
|
||||
customDNS.filterUnmappedTypes = true;
|
||||
queryLog.type = "none";
|
||||
upstreams.timeout = "1s";
|
||||
startVerifyUpstream = true;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,30 +0,0 @@
|
|||
{ config, ... }:
|
||||
|
||||
{
|
||||
services.unbound = {
|
||||
enable = true;
|
||||
localControlSocketPath = "/run/unbound/unbound.socket";
|
||||
settings.server = {
|
||||
so-rcvbuf = "1m";
|
||||
prefetch = true;
|
||||
access-control = "10.0.0.0/8 allow";
|
||||
interface = [ "127.0.0.1" ];
|
||||
private-address = [
|
||||
"192.168.0.0/16"
|
||||
"169.254.0.0/16"
|
||||
"172.16.0.0/16"
|
||||
"10.0.0.0/8"
|
||||
"fd00::/8"
|
||||
"fe80::/10"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus.exporters.unbound = {
|
||||
inherit (config.services.unbound) group;
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
port = 9090;
|
||||
controlInterface = config.services.unbound.localControlSocketPath;
|
||||
};
|
||||
}
|