diff options
author | Azat Bahawi <azat@bahawi.net> | 2023-11-25 18:09:05 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2023-11-25 18:09:05 +0300 |
commit | e2cc46b37e33643cf3dd017adb8a009bf143e246 (patch) | |
tree | 86f24ea544e9ed75bf8736c951a09dfdb2219f5d /modules/nixos/unbound.nix | |
parent | 2023-11-23 (diff) |
2023-11-25
Diffstat (limited to 'modules/nixos/unbound.nix')
-rw-r--r-- | modules/nixos/unbound.nix | 54 |
1 files changed, 32 insertions, 22 deletions
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix index 2fab1e0..c7338e5 100644 --- a/modules/nixos/unbound.nix +++ b/modules/nixos/unbound.nix @@ -30,12 +30,20 @@ in { promtail.filters = [ { match = { - # Should be fixed[1] in the next release. - # - # [1]: https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e - selector = ''{syslog_identifier="unbound"} |~ ".*could not SSL_read crypto.*"''; + selector = ''{syslog_identifier="unbound"} |~ " start | stopped |.*in-addr.arpa."''; action = "drop"; - drop_counter_reason = "noise"; + }; + } + { + match = { + selector = ''{syslog_identifier="unbound"} |= "reply:"''; + stages = [{static_labels.dns = "reply";}]; + }; + } + { + match = { + selector = ''{syslog_identifier="unbound"} |~ "redirect |always_null|always_nxdomain"''; + stages = [{static_labels.dns = "block";}]; }; } ]; @@ -125,6 +133,12 @@ in { extended-statistics = true; + log-replies = true; + log-tag-queryreply = true; + log-local-actions = true; + + verbosity = 0; + include = ''"${adblock-conf}"''; }; @@ -169,23 +183,19 @@ in { Type = "oneshot"; User = user; Group = group; - ExecStart = let - pkg = with pkgs; - writeShellApplication { - name = "unbound-adblock-update"; - runtimeInputs = [curl package]; - text = '' - curl -s \ - "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" \ - >${adblock-conf} - - if [[ -f "${localControlSocketPath}" ]]; then - unbound-control reload - fi - ''; - }; - in - getExe pkg; + ExecStart = getExe (pkgs.writeShellApplication { + name = "unbound-adblock-update"; + runtimeInputs = [pkgs.curl package]; + text = '' + curl -s \ + "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" \ + >${adblock-conf} + + if [[ -f "${localControlSocketPath}" ]]; then + unbound-control reload + fi + ''; + }); }; }; }; |