about summary refs log tree commit diff
path: root/modules
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2024-07-29 00:37:54 +0300
committerAzat Bahawi <azat@bahawi.net>2024-07-29 00:37:54 +0300
commitf746ce6790615c38dc6873f884ec009701cb22b1 (patch)
tree1f87faafd025712088f3a2c6a8cde212ef051f9f /modules
parent2024-07-21 (diff)
2024-07-29
Diffstat (limited to 'modules')
-rw-r--r--modules/common/nix.nix31
-rw-r--r--modules/profiles/dev/default.nix6
-rw-r--r--modules/profiles/headful.nix6
-rw-r--r--modules/unbound.nix350
-rw-r--r--modules/vim.nix2
5 files changed, 176 insertions, 219 deletions
diff --git a/modules/common/nix.nix b/modules/common/nix.nix
index 233edda..01b3f01 100644
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@@ -61,14 +61,15 @@ in
           notSelfInputs = filterAttrs (n: _: n != "self") inputs;
         in
         {
-          daemonCPUSchedPolicy = "idle";
-          daemonIOSchedClass = "idle";
-          daemonIOSchedPriority = 7;
+          nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [
+            "nixfiles=${config.my.home}/src/nixfiles"
+          ];
 
-          settings = {
-            keep-derivations = if this.isHeadful then "true" else "false";
-            keep-outputs = if this.isHeadful then "true" else "false";
+          registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // {
+            nixfiles.flake = inputs.self;
+          };
 
+          settings = {
             warn-dirty = false;
 
             keep-going = true;
@@ -86,28 +87,12 @@ in
               my.username
             ];
           };
-
-          nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [
-            "nixfiles=${config.my.home}/src/nixfiles"
-          ];
-
-          registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // {
-            nixfiles.flake = inputs.self;
-          };
         };
 
       nixpkgs = {
         config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages;
 
-        overlays = with inputs; [
-          self.overlays.default
-          # (_: _prev: with packages; {
-          #   # Global PR package overrides go here. Example:
-          #   # ```
-          #   # inherit (package.formPR 309018 "sha256-x3ATxjrTVdaX5eo9P6pz+8/W6D2TNYzvjZpOBa3ZRI8=") endlessh-go;
-          #   # ```
-          # })
-        ];
+        overlays = [ inputs.self.overlays.default ];
       };
 
       environment = {
diff --git a/modules/profiles/dev/default.nix b/modules/profiles/dev/default.nix
index 3ee2ff5..61de848 100644
--- a/modules/profiles/dev/default.nix
+++ b/modules/profiles/dev/default.nix
@@ -62,6 +62,7 @@ in
           htmlq
           httpie
           hydra-check
+          iaito
           jq
           logcli
           nix-update
@@ -89,6 +90,11 @@ in
       package = pkgs.wireshark;
     };
 
+    nix.settings = {
+      keep-derivations = true;
+      keep-outputs = true;
+    };
+
     my.extraGroups = [
       "kvm"
       "wireshark"
diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix
index 7d6d00f..39f4e98 100644
--- a/modules/profiles/headful.nix
+++ b/modules/profiles/headful.nix
@@ -98,6 +98,12 @@ in
 
     hardware.graphics.enable = true;
 
+    nix = {
+      daemonCPUSchedPolicy = "idle";
+      daemonIOSchedClass = "idle";
+      daemonIOSchedPriority = 7;
+    };
+
     programs = {
       dconf.enable = true;
       iftop.enable = true;
diff --git a/modules/unbound.nix b/modules/unbound.nix
index d10096d..dae47f8 100644
--- a/modules/unbound.nix
+++ b/modules/unbound.nix
@@ -21,216 +21,174 @@ in
     };
   };
 
-  config =
-    let
-      adblock-conf = "${config.services.unbound.stateDir}/adblock.conf";
-    in
-    mkIf cfg.enable {
-      ark.directories = [ config.services.unbound.stateDir ];
-
-      nixfiles.modules.redis.enable = true;
-
-      services = {
-        unbound = {
-          enable = true;
-
-          package = pkgs.unbound-with-systemd.override {
-            withRedis = true;
-            withTFO = true;
-          };
+  config = mkIf cfg.enable {
+    ark.directories = [ config.services.unbound.stateDir ];
+
+    nixfiles.modules.redis.enable = true;
 
-          checkconf = false;
-          settings = {
-            server = {
-              interface = with this.wireguard; [
-                "127.0.0.1"
-                "::1"
-                ipv4.address
-                ipv6.address
-              ];
-
-              local-zone = concatLists (
-                mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations
-              );
-              local-data = concatLists (
-                mapAttrsToList (
-                  hostname:
-                  let
-                    domain = "${hostname}.${cfg.domain}";
-                  in
-                  attr:
-                  (optionals (hasAttr "wireguard" attr) (
-                    with attr.wireguard;
-                    [
-                      "\"${domain} 604800 IN A ${ipv4.address}\""
-                      "\"${domain} 604800 IN AAAA ${ipv6.address}\""
-                      "\"${domain}. A ${ipv4.address}\""
-                      "\"${domain}. AAAA ${ipv6.address}\""
-                    ]
-                    ++ concatMap (domain: [
-                      "\"${domain}. A ${ipv4.address}\""
-                      "\"${domain}. AAAA ${ipv6.address}\""
-                    ]) attr.domains
-                  ))
-                ) my.configurations
-              );
-              local-data-ptr = concatLists (
-                mapAttrsToList (
-                  hostname:
-                  let
-                    domain = "${hostname}.${cfg.domain}";
-                  in
-                  attr:
-                  (optionals (hasAttr "wireguard" attr) (
-                    with attr.wireguard;
-                    [
-                      "\"${ipv4.address} ${domain}\""
-                      "\"${ipv6.address} ${domain}\""
-                    ]
-                    ++ concatMap (domain: [
-                      "\"${ipv4.address} ${domain}\""
-                      "\"${ipv6.address} ${domain}\""
-                    ]) attr.domains
-                  ))
-                ) my.configurations
-              );
-
-              private-domain = map (domain: "${domain}.") [
-                cfg.domain
-                "local"
-              ];
-              private-address = with config.nixfiles.modules.wireguard; [
-                ipv4.subnet
-                ipv6.subnet
-              ];
-
-              access-control = with config.nixfiles.modules.wireguard; [
-                "0.0.0.0/0 refuse"
-                "::/0 refuse"
-                "127.0.0.0/8 allow"
-                "::1/128 allow"
-                "${ipv4.subnet} allow"
-                "${ipv6.subnet} allow"
-              ];
-
-              cache-min-ttl = 0;
-
-              serve-expired = true;
-              serve-expired-reply-ttl = 0;
-
-              prefetch = true;
-              prefetch-key = true;
-
-              hide-identity = true;
-              hide-version = true;
-
-              extended-statistics = true;
-
-              log-replies = false;
-              log-tag-queryreply = false;
-              log-local-actions = false;
-
-              verbosity = 0;
-
-              include = ''"${adblock-conf}"'';
-            };
-
-            forward-zone = [
-              {
-                name = ".";
-                forward-tls-upstream = true;
-                forward-addr =
-                  let
-                    mkDnsOverTls =
-                      ips: auth:
-                      map (
-                        ip:
-                        concatStrings [
-                          ip
-                          "@"
-                          auth
-                        ]
-                      ) ips;
-                  in
-                  mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net";
-              }
+    services = {
+      unbound = {
+        enable = true;
+
+        package = pkgs.unbound-with-systemd.override {
+          withRedis = true;
+          withTFO = true;
+        };
+
+        checkconf = true;
+        settings = {
+          server = {
+            module-config = ''"respip validator iterator"'';
+
+            interface = with this.wireguard; [
+              "127.0.0.1"
+              "::1"
+              ipv4.address
+              ipv6.address
             ];
 
-            cachedb = with config.services.redis.servers.default; {
-              backend = "redis";
-              redis-server-host = bind;
-              redis-server-port = port;
-            };
-          };
+            local-zone = concatLists (
+              mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations
+            );
+            local-data = concatLists (
+              mapAttrsToList (
+                hostname:
+                let
+                  domain = "${hostname}.${cfg.domain}";
+                in
+                attr:
+                (optionals (hasAttr "wireguard" attr) (
+                  with attr.wireguard;
+                  [
+                    "\"${domain} 604800 IN A ${ipv4.address}\""
+                    "\"${domain} 604800 IN AAAA ${ipv6.address}\""
+                    "\"${domain}. A ${ipv4.address}\""
+                    "\"${domain}. AAAA ${ipv6.address}\""
+                  ]
+                  ++ concatMap (domain: [
+                    "\"${domain}. A ${ipv4.address}\""
+                    "\"${domain}. AAAA ${ipv6.address}\""
+                  ]) attr.domains
+                ))
+              ) my.configurations
+            );
+            local-data-ptr = concatLists (
+              mapAttrsToList (
+                hostname:
+                let
+                  domain = "${hostname}.${cfg.domain}";
+                in
+                attr:
+                (optionals (hasAttr "wireguard" attr) (
+                  with attr.wireguard;
+                  [
+                    "\"${ipv4.address} ${domain}\""
+                    "\"${ipv6.address} ${domain}\""
+                  ]
+                  ++ concatMap (domain: [
+                    "\"${ipv4.address} ${domain}\""
+                    "\"${ipv6.address} ${domain}\""
+                  ]) attr.domains
+                ))
+              ) my.configurations
+            );
+
+            private-domain = map (domain: "${domain}.") [
+              cfg.domain
+              "local"
+            ];
+            private-address = with config.nixfiles.modules.wireguard; [
+              ipv4.subnet
+              ipv6.subnet
+            ];
 
-          enableRootTrustAnchor = true;
+            access-control = with config.nixfiles.modules.wireguard; [
+              "0.0.0.0/0 refuse"
+              "::/0 refuse"
+              "127.0.0.0/8 allow"
+              "::1/128 allow"
+              "${ipv4.subnet} allow"
+              "${ipv6.subnet} allow"
+            ];
 
-          localControlSocketPath = "/run/unbound/unbound.socket";
-        };
+            cache-min-ttl = 0;
 
-        prometheus.exporters.unbound = {
-          enable = true;
-          listenAddress = mkDefault this.wireguard.ipv4.address;
-          port = 9167;
-          inherit (config.services.unbound) group user;
-          unbound.host = "unix://${config.services.unbound.localControlSocketPath}";
-        };
-      };
+            serve-expired = true;
+            serve-expired-reply-ttl = 0;
+
+            prefetch = true;
+            prefetch-key = true;
 
-      systemd = {
-        services = {
-          unbound.after = [ "unbound-adblock-update.service" ];
-
-          unbound-adblock-update = {
-            serviceConfig = with config.services.unbound; {
-              Type = "oneshot";
-              User = user;
-              Group = group;
-              ExecStart = getExe (
-                pkgs.writeShellApplication {
-                  name = "unbound-adblock-update";
-                  runtimeInputs = [
-                    pkgs.curl
-                    package
-                  ];
-                  text = ''
-                    curl \
-                      -s \
-                      -o ${adblock-conf} \
-                      "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf"
-
-                    if [[ -f "${localControlSocketPath}" ]]; then
-                      unbound-control reload
-                    fi
-                  '';
-                }
-              );
-            };
+            hide-identity = true;
+            hide-version = true;
+
+            extended-statistics = true;
+
+            log-replies = false;
+            log-tag-queryreply = false;
+            log-local-actions = false;
+
+            verbosity = 0;
           };
-        };
 
-        timers.unbound-adblock-update = {
-          requires = [ "network-online.target" ];
-          after = [ "network-online.target" ];
-          timerConfig = {
-            OnCalendar = "daily";
-            Persistent = true;
-            Unit = "unbound-adblock-update.service";
+          forward-zone = [
+            {
+              name = ".";
+              forward-tls-upstream = true;
+              forward-addr =
+                let
+                  mkDnsOverTls =
+                    ips: auth:
+                    map (
+                      ip:
+                      concatStrings [
+                        ip
+                        "@"
+                        auth
+                      ]
+                    ) ips;
+                in
+                mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net";
+            }
+          ];
+
+          cachedb = with config.services.redis.servers.default; {
+            backend = "redis";
+            redis-server-host = bind;
+            redis-server-port = port;
+          };
+
+          rpz = {
+            name = "hagezi.pro";
+            zonefile = "hagezi.pro";
+            url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
           };
-          wantedBy = [ "timers.target" ];
         };
+
+        enableRootTrustAnchor = true;
+
+        localControlSocketPath = "/run/unbound/unbound.socket";
+      };
+
+      prometheus.exporters.unbound = {
+        enable = true;
+        listenAddress = mkDefault this.wireguard.ipv4.address;
+        port = 9167;
+        inherit (config.services.unbound) group user;
+        unbound.host = "unix://${config.services.unbound.localControlSocketPath}";
       };
+    };
 
-      boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3;
+    boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3;
 
-      topology = with cfg; {
-        nodes.${this.hostname}.services.unbound = {
-          name = "Unbound";
-          icon = "${inputs.homelab-svg-assets}/assets/unbound.svg";
-          details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") (
-            filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface
-          );
-        };
+    topology = with cfg; {
+      nodes.${this.hostname}.services.unbound = {
+        name = "Unbound";
+        icon = "${inputs.homelab-svg-assets}/assets/unbound.svg";
+        details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") (
+          filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface
+        );
       };
     };
+  };
 }
diff --git a/modules/vim.nix b/modules/vim.nix
index ecd1336..f1dba85 100644
--- a/modules/vim.nix
+++ b/modules/vim.nix
@@ -35,6 +35,8 @@ in
                 set clipboard^=unnamed
               endif
 
+              set viminfo=
+
               set diffopt+=iwhite
               set hidden
               set lazyredraw

Consider giving Nix/NixOS a try! <3