From f746ce6790615c38dc6873f884ec009701cb22b1 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Mon, 29 Jul 2024 00:37:54 +0300 Subject: 2024-07-29 --- modules/common/nix.nix | 31 +--- modules/profiles/dev/default.nix | 6 + modules/profiles/headful.nix | 6 + modules/unbound.nix | 350 +++++++++++++++++---------------------- modules/vim.nix | 2 + 5 files changed, 176 insertions(+), 219 deletions(-) (limited to 'modules') diff --git a/modules/common/nix.nix b/modules/common/nix.nix index 233edda..01b3f01 100644 --- a/modules/common/nix.nix +++ b/modules/common/nix.nix @@ -61,14 +61,15 @@ in notSelfInputs = filterAttrs (n: _: n != "self") inputs; in { - daemonCPUSchedPolicy = "idle"; - daemonIOSchedClass = "idle"; - daemonIOSchedPriority = 7; + nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [ + "nixfiles=${config.my.home}/src/nixfiles" + ]; - settings = { - keep-derivations = if this.isHeadful then "true" else "false"; - keep-outputs = if this.isHeadful then "true" else "false"; + registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // { + nixfiles.flake = inputs.self; + }; + settings = { warn-dirty = false; keep-going = true; @@ -86,28 +87,12 @@ in my.username ]; }; - - nixPath = mapAttrsToList (n: v: "${n}=${v}") notSelfInputs ++ [ - "nixfiles=${config.my.home}/src/nixfiles" - ]; - - registry = mapAttrs (_: flake: { inherit flake; }) notSelfInputs // { - nixfiles.flake = inputs.self; - }; }; nixpkgs = { config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages; - overlays = with inputs; [ - self.overlays.default - # (_: _prev: with packages; { - # # Global PR package overrides go here. Example: - # # ``` - # # inherit (package.formPR 309018 "sha256-x3ATxjrTVdaX5eo9P6pz+8/W6D2TNYzvjZpOBa3ZRI8=") endlessh-go; - # # ``` - # }) - ]; + overlays = [ inputs.self.overlays.default ]; }; environment = { diff --git a/modules/profiles/dev/default.nix b/modules/profiles/dev/default.nix index 3ee2ff5..61de848 100644 --- a/modules/profiles/dev/default.nix +++ b/modules/profiles/dev/default.nix @@ -62,6 +62,7 @@ in htmlq httpie hydra-check + iaito jq logcli nix-update @@ -89,6 +90,11 @@ in package = pkgs.wireshark; }; + nix.settings = { + keep-derivations = true; + keep-outputs = true; + }; + my.extraGroups = [ "kvm" "wireshark" diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix index 7d6d00f..39f4e98 100644 --- a/modules/profiles/headful.nix +++ b/modules/profiles/headful.nix @@ -98,6 +98,12 @@ in hardware.graphics.enable = true; + nix = { + daemonCPUSchedPolicy = "idle"; + daemonIOSchedClass = "idle"; + daemonIOSchedPriority = 7; + }; + programs = { dconf.enable = true; iftop.enable = true; diff --git a/modules/unbound.nix b/modules/unbound.nix index d10096d..dae47f8 100644 --- a/modules/unbound.nix +++ b/modules/unbound.nix @@ -21,216 +21,174 @@ in }; }; - config = - let - adblock-conf = "${config.services.unbound.stateDir}/adblock.conf"; - in - mkIf cfg.enable { - ark.directories = [ config.services.unbound.stateDir ]; - - nixfiles.modules.redis.enable = true; - - services = { - unbound = { - enable = true; - - package = pkgs.unbound-with-systemd.override { - withRedis = true; - withTFO = true; - }; + config = mkIf cfg.enable { + ark.directories = [ config.services.unbound.stateDir ]; + + nixfiles.modules.redis.enable = true; - checkconf = false; - settings = { - server = { - interface = with this.wireguard; [ - "127.0.0.1" - "::1" - ipv4.address - ipv6.address - ]; - - local-zone = concatLists ( - mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations - ); - local-data = concatLists ( - mapAttrsToList ( - hostname: - let - domain = "${hostname}.${cfg.domain}"; - in - attr: - (optionals (hasAttr "wireguard" attr) ( - with attr.wireguard; - [ - "\"${domain} 604800 IN A ${ipv4.address}\"" - "\"${domain} 604800 IN AAAA ${ipv6.address}\"" - "\"${domain}. A ${ipv4.address}\"" - "\"${domain}. AAAA ${ipv6.address}\"" - ] - ++ concatMap (domain: [ - "\"${domain}. A ${ipv4.address}\"" - "\"${domain}. AAAA ${ipv6.address}\"" - ]) attr.domains - )) - ) my.configurations - ); - local-data-ptr = concatLists ( - mapAttrsToList ( - hostname: - let - domain = "${hostname}.${cfg.domain}"; - in - attr: - (optionals (hasAttr "wireguard" attr) ( - with attr.wireguard; - [ - "\"${ipv4.address} ${domain}\"" - "\"${ipv6.address} ${domain}\"" - ] - ++ concatMap (domain: [ - "\"${ipv4.address} ${domain}\"" - "\"${ipv6.address} ${domain}\"" - ]) attr.domains - )) - ) my.configurations - ); - - private-domain = map (domain: "${domain}.") [ - cfg.domain - "local" - ]; - private-address = with config.nixfiles.modules.wireguard; [ - ipv4.subnet - ipv6.subnet - ]; - - access-control = with config.nixfiles.modules.wireguard; [ - "0.0.0.0/0 refuse" - "::/0 refuse" - "127.0.0.0/8 allow" - "::1/128 allow" - "${ipv4.subnet} allow" - "${ipv6.subnet} allow" - ]; - - cache-min-ttl = 0; - - serve-expired = true; - serve-expired-reply-ttl = 0; - - prefetch = true; - prefetch-key = true; - - hide-identity = true; - hide-version = true; - - extended-statistics = true; - - log-replies = false; - log-tag-queryreply = false; - log-local-actions = false; - - verbosity = 0; - - include = ''"${adblock-conf}"''; - }; - - forward-zone = [ - { - name = "."; - forward-tls-upstream = true; - forward-addr = - let - mkDnsOverTls = - ips: auth: - map ( - ip: - concatStrings [ - ip - "@" - auth - ] - ) ips; - in - mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net"; - } + services = { + unbound = { + enable = true; + + package = pkgs.unbound-with-systemd.override { + withRedis = true; + withTFO = true; + }; + + checkconf = true; + settings = { + server = { + module-config = ''"respip validator iterator"''; + + interface = with this.wireguard; [ + "127.0.0.1" + "::1" + ipv4.address + ipv6.address ]; - cachedb = with config.services.redis.servers.default; { - backend = "redis"; - redis-server-host = bind; - redis-server-port = port; - }; - }; + local-zone = concatLists ( + mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations + ); + local-data = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard" attr) ( + with attr.wireguard; + [ + "\"${domain} 604800 IN A ${ipv4.address}\"" + "\"${domain} 604800 IN AAAA ${ipv6.address}\"" + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. AAAA ${ipv6.address}\"" + ] + ++ concatMap (domain: [ + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. AAAA ${ipv6.address}\"" + ]) attr.domains + )) + ) my.configurations + ); + local-data-ptr = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard" attr) ( + with attr.wireguard; + [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ] + ++ concatMap (domain: [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ]) attr.domains + )) + ) my.configurations + ); + + private-domain = map (domain: "${domain}.") [ + cfg.domain + "local" + ]; + private-address = with config.nixfiles.modules.wireguard; [ + ipv4.subnet + ipv6.subnet + ]; - enableRootTrustAnchor = true; + access-control = with config.nixfiles.modules.wireguard; [ + "0.0.0.0/0 refuse" + "::/0 refuse" + "127.0.0.0/8 allow" + "::1/128 allow" + "${ipv4.subnet} allow" + "${ipv6.subnet} allow" + ]; - localControlSocketPath = "/run/unbound/unbound.socket"; - }; + cache-min-ttl = 0; - prometheus.exporters.unbound = { - enable = true; - listenAddress = mkDefault this.wireguard.ipv4.address; - port = 9167; - inherit (config.services.unbound) group user; - unbound.host = "unix://${config.services.unbound.localControlSocketPath}"; - }; - }; + serve-expired = true; + serve-expired-reply-ttl = 0; + + prefetch = true; + prefetch-key = true; - systemd = { - services = { - unbound.after = [ "unbound-adblock-update.service" ]; - - unbound-adblock-update = { - serviceConfig = with config.services.unbound; { - Type = "oneshot"; - User = user; - Group = group; - ExecStart = getExe ( - pkgs.writeShellApplication { - name = "unbound-adblock-update"; - runtimeInputs = [ - pkgs.curl - package - ]; - text = '' - curl \ - -s \ - -o ${adblock-conf} \ - "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf" - - if [[ -f "${localControlSocketPath}" ]]; then - unbound-control reload - fi - ''; - } - ); - }; + hide-identity = true; + hide-version = true; + + extended-statistics = true; + + log-replies = false; + log-tag-queryreply = false; + log-local-actions = false; + + verbosity = 0; }; - }; - timers.unbound-adblock-update = { - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - timerConfig = { - OnCalendar = "daily"; - Persistent = true; - Unit = "unbound-adblock-update.service"; + forward-zone = [ + { + name = "."; + forward-tls-upstream = true; + forward-addr = + let + mkDnsOverTls = + ips: auth: + map ( + ip: + concatStrings [ + ip + "@" + auth + ] + ) ips; + in + mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net"; + } + ]; + + cachedb = with config.services.redis.servers.default; { + backend = "redis"; + redis-server-host = bind; + redis-server-port = port; + }; + + rpz = { + name = "hagezi.pro"; + zonefile = "hagezi.pro"; + url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"; }; - wantedBy = [ "timers.target" ]; }; + + enableRootTrustAnchor = true; + + localControlSocketPath = "/run/unbound/unbound.socket"; + }; + + prometheus.exporters.unbound = { + enable = true; + listenAddress = mkDefault this.wireguard.ipv4.address; + port = 9167; + inherit (config.services.unbound) group user; + unbound.host = "unix://${config.services.unbound.localControlSocketPath}"; }; + }; - boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3; + boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3; - topology = with cfg; { - nodes.${this.hostname}.services.unbound = { - name = "Unbound"; - icon = "${inputs.homelab-svg-assets}/assets/unbound.svg"; - details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") ( - filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface - ); - }; + topology = with cfg; { + nodes.${this.hostname}.services.unbound = { + name = "Unbound"; + icon = "${inputs.homelab-svg-assets}/assets/unbound.svg"; + details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") ( + filter (i: i != "127.0.0.1" && i != "::1") config.services.unbound.settings.server.interface + ); }; }; + }; } diff --git a/modules/vim.nix b/modules/vim.nix index ecd1336..f1dba85 100644 --- a/modules/vim.nix +++ b/modules/vim.nix @@ -35,6 +35,8 @@ in set clipboard^=unnamed endif + set viminfo= + set diffopt+=iwhite set hidden set lazyredraw -- cgit v1.2.3