feat: add dns container with AGH + unbound

2025-10-23 22:13:43 +02:00
parent 0d343b12a3
commit 16b9271caf
6 changed files with 210 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -15,5 +15,5 @@ config.tf.json
 nixos-template

 # Possibly sensitive for public repo
-infra/ips.nix
-infra/constants.nix
+lib/ips.nix
+lib/constants.nix
--- a/lib/container_build.nix
+++ b/lib/container_build.nix
--- a/lxc/dns.nix
+++ b/lxc/dns.nix
@@ -0,0 +1,41 @@
+{
+  pkgs,
+  name,
+  containersMapping,
+  ...
+}:
+let
+  hostname = pkgs.lib.removeSuffix ".nix" name;
+  infra = import ../lib/constants.nix;
+  container_id = containersMapping.${hostname};
+  ip = infra.build_ip container_id;
+  domainname = "${hostname}${infra.domains.internal}";
+in
+{
+  cores = 2;
+  memory = "2G";
+  disk = "4G";
+  swap = 512;
+  ports = [
+    80
+    53
+    12345
+  ];
+  exposed = false;
+  services = {
+    adguardhome = import ./dns/adguardhome-config.nix { inherit infra ip domainname; };
+    unbound = {
+      enable = true;
+    };
+  };
+  logging.enable = true;
+  logging.metrics.enable = true;
+  etc."alloy/logs-adguard.alloy".text =
+    (import ./dns/logs-adguard.alloy.nix {
+      inherit ip domainname;
+    }).out;
+  etc."alloy/logs-unbound.alloy".text =
+    (import ./dns/logs-unbound.alloy.nix {
+      inherit ip domainname;
+    }).out;
+}
--- a/lxc/dns/adguardhome-config.nix
+++ b/lxc/dns/adguardhome-config.nix
@@ -0,0 +1,74 @@
+{
+  infra,
+  ip,
+  domainname,
+  ...
+}:
+{
+  enable = true;
+  host = "0.0.0.0";
+  port = 80;
+  openFirewall = true;
+  mutableSettings = true;
+  settings = {
+    http = {
+      address = "${ip}:80";
+      session_ttl = "720h";
+    };
+    users = [
+      {
+        name = infra.master_login;
+        password = infra.master_htpasswd;
+      }
+    ];
+    filters = [
+      {
+        enabled = true;
+        url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
+        name = "AdGuard DNS filter";
+        id = 1;
+      }
+      {
+        enabled = true;
+        url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
+        name = "AdAway Default Blocklist";
+        id = 2;
+      }
+    ];
+
+    auth_attempts = 5;
+    block_auth_min = 15;
+    language = "fr";
+    dns = {
+      bind_hosts = [ ip ];
+      port = 53;
+      upstream_dns = [
+        "127.0.0.1:5335"
+        "https://dns10.quad9.net/dns-query"
+      ];
+    };
+    filtering = {
+      safe_search = {
+        enabled = true;
+        bing = true;
+        duckduckgo = true;
+        ecosia = true;
+        google = true;
+        pixabay = true;
+        yandex = true;
+        youtube = true;
+      };
+      rewrites = [
+        {
+          domain = "*${infra.domains.exposed}";
+          answer = infra.reverse_proxy_addr;
+        }
+        {
+          domain = domainname;
+          answer = ip;
+        }
+        # add internal domains for all containers?
+      ];
+    };
+  };
+}
--- a/lxc/dns/logs-adguard.alloy.nix
+++ b/lxc/dns/logs-adguard.alloy.nix
@@ -0,0 +1,49 @@
+{ ip, domainname, ... }:
+{
+  out = ''
+    loki.relabel "agh_journal" {
+      forward_to = []
+      rule {
+        source_labels = ["__journal__priority_keyword"]
+        target_label = "level"
+      }
+      rule {
+        source_labels = ["__journal__SYSLOG_IDENTIFIER"]
+        target_label = "app"
+      }
+    }
+    loki.source.journal "agh_journal_scrape" {
+      forward_to = [loki.process.agh_router.receiver]
+      matches = "_SYSTEMD_UNIT=adguardhome.service"
+      relabel_rules = loki.relabel.agh_journal.rules
+      labels = {
+        service = "adguardhome",
+        host = "${domainname}",
+        host_ip = "${ip}",
+      }
+    }
+
+    loki.process "agh_router" {
+      stage.regex {
+        expression = "^(?P<timestamp>\\S+ \\S+) \\[(?P<level>\\w+)\\] (?P<message>.*)$"
+      }
+
+      stage.timestamp {
+        source = "timestamp"
+        format = "2006-01-02 15:04:05"
+      }
+
+      stage.labels {
+        values = {
+          level = "level",
+        }
+      }
+
+      stage.output {
+        source = "message"
+      }
+
+      forward_to = [loki.write.grafana_loki.receiver]
+    }
+  '';
+}
--- a/lxc/dns/logs-unbound.alloy.nix
+++ b/lxc/dns/logs-unbound.alloy.nix
@@ -0,0 +1,44 @@
+{ ip, domainname, ... }:
+{
+  out = ''
+        loki.relabel "unbd_journal" {
+          forward_to = []
+          rule {
+            source_labels = ["__journal__priority_keyword"]
+            target_label = "level"
+          }
+          rule {
+            source_labels = ["__journal__SYSLOG_IDENTIFIER"]
+            target_label = "app"
+          }
+        }
+        loki.source.journal "unbd_journal_scrape" {
+          forward_to = [loki.process.unbd_router.receiver]
+          matches = "_SYSTEMD_UNIT=unbound.service"
+          relabel_rules = loki.relabel.unbd_journal.rules
+          labels = {
+            service = "unbound",
+            host = "${domainname}",
+            host_ip = "${ip}",
+          }
+        }
+
+    loki.process "unbound_router" {
+      stage.pattern {
+        pattern = "[<_>] <level>: <message>"
+      }
+
+      stage.labels {
+        values = {
+          level = "level",
+        }
+      }
+      
+      stage.output {
+        source = "message"
+      }
+
+      forward_to = [loki.write.grafana_loki.receiver]
+    }
+  '';
+}