feat(tyr): setup local dns with blocky+unbound.

2025-09-27 11:00:32 +02:00 · 2025-09-27 11:00:32 +02:00 · 555a489f7d
commit 555a489f7d
parent 4ef08da3e8
3 changed files with 52 additions and 5 deletions
--- a/hosts/tyr/configuration.nix
+++ b/hosts/tyr/configuration.nix
@ -26,13 +26,10 @@
    }
  ];
  networking.defaultGateway = "192.168.0.1";
-  networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
+  networking.nameservers = ["127.0.0.1"];
  services.resolved = {
    enable = true;
-    fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
+    fallbackDns = ["127.0.0.1"];
    dnssec = "true";
    dnsovertls = "true";
    domains = ["~."];
  };
  # Enable flakes
--- a/modules/servers/tyr/default.nix
+++ b/modules/servers/tyr/default.nix
@ -6,5 +6,6 @@
    ./wireguard.nix
    ./secrets.nix
    ./nfs-server.nix
    ./dns.nix
  ];
 }
--- a/modules/servers/tyr/dns.nix
+++ b/modules/servers/tyr/dns.nix
@ -0,0 +1,49 @@
 {
  services.resolved.extraConfig = ''
    DNSStubListener=no
  '';
  # Setup blocky for adblocking
  services.blocky = {
    enable = true;
    settings = {
      ports.dns = 53;
      connectIPVersion = "v4";
      upstreams.groups.default = [
        "127.0.0.1:553"
      ];
      blocking = {
        denylists = {
          "pro" = ["https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/wildcard/pro.txt"];
          "tif" = ["https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/wildcard/tif.txt"];
        };
        clientGroupsBlock.default = ["pro" "tif"];
      };
      caching = {
        prefetching = true;
        minTime = "1m";
      };
    };
  };
  # Setup unbound for recursive dns
  services.unbound = {
    enable = true;
    settings = {
      server = {
        interface = ["127.0.0.1"];
        port = 553;
        do-ip4 = true;
        do-ip6 = false;
        prefetch = true;
        cache-max-ttl = 60;
        cache-max-negative-ttl = 60;
        serve-original-ttl = true;
      };
    };
  };
 }