2024-04-05 22:04:41 -04:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
{
|
|
|
|
imports =
|
|
|
|
[ # Include the results of the hardware scan.
|
|
|
|
./hardware-configuration.nix
|
|
|
|
];
|
|
|
|
|
|
|
|
boot.loader.grub.enable = false;
|
|
|
|
boot.loader.generic-extlinux-compatible.enable = true;
|
|
|
|
boot.loader.timeout = 1;
|
|
|
|
|
|
|
|
networking = {
|
|
|
|
hostName = "orangepihole"; # Define your hostname.
|
|
|
|
useNetworkd = true;
|
|
|
|
};
|
|
|
|
systemd.network.enable = true;
|
|
|
|
systemd.network.networks."40-end0" = {
|
|
|
|
matchConfig.Name = "end0";
|
|
|
|
address = [ "10.42.69.2/24" "fd72:3dd5:21ae:3c97::2/64" ];
|
|
|
|
dns = [ "10.42.69.2" "fd72:3dd5:21ae:3c97::2" ];
|
|
|
|
domains = [ "icanttype.org" ];
|
|
|
|
gateway = [ "10.42.69.1" ];
|
|
|
|
networkConfig.DHCPServer = true;
|
|
|
|
dhcpServerConfig = {
|
|
|
|
PoolOffset = 150;
|
|
|
|
EmitDNS = true;
|
|
|
|
DNS = "10.42.69.2";
|
|
|
|
EmitRouter = true;
|
|
|
|
Router = "10.42.69.1";
|
|
|
|
};
|
|
|
|
networkConfig.IPv6SendRA = true;
|
|
|
|
ipv6SendRAConfig.RouterLifetimeSec = 0;
|
|
|
|
ipv6SendRAConfig.EmitDNS = false;
|
|
|
|
ipv6Prefixes = [ { ipv6PrefixConfig.Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
|
|
|
|
};
|
|
|
|
time.timeZone = "America/New_York";
|
|
|
|
|
|
|
|
zramSwap.enable = true;
|
|
|
|
swapDevices = [ {device="/swapfile"; size=1024;}];
|
|
|
|
services.resolved.enable = true;
|
|
|
|
services.unbound = {
|
|
|
|
enable = true;
|
|
|
|
settings = {
|
|
|
|
server = {
|
|
|
|
qname-minimisation = "yes";
|
|
|
|
interface = [ "end0" ];
|
|
|
|
access-control = [ "10.0.0.0/8 allow" "fc::/7 allow" ];
|
|
|
|
};
|
|
|
|
include = [ "/etc/unbound/ads.conf" "/etc/unbound/local.conf" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd = {
|
|
|
|
services.adblock = {
|
|
|
|
startAt = "daily";
|
|
|
|
postStop = "systemctl reload unbound";
|
|
|
|
path = with pkgs; [ gawk wget ];
|
2024-04-06 10:54:03 -04:00
|
|
|
#wget -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/doh-vpn-proxy-bypass.blacklist.conf >> /etc/unbound/new.conf
|
2024-04-05 22:04:41 -04:00
|
|
|
script = ''
|
2024-04-12 21:03:16 -04:00
|
|
|
wget -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf > /etc/unbound/new.conf
|
2024-04-05 22:04:41 -04:00
|
|
|
wget -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf >> /etc/unbound/new.conf
|
|
|
|
echo 'local-zone: "iogames.space." always_nxdomain' >> /etc/unbound/new.conf
|
|
|
|
echo 'local-zone: "taming.io." always_nxdomain' >> /etc/unbound/new.conf
|
|
|
|
awk '!seen[$0]++' /etc/unbound/new.conf > /etc/unbound/ads.conf
|
|
|
|
rm /etc/unbound/new.conf
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
users.users.root.openssh.authorizedKeys.keys = [
|
|
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEApZvmNao6HvjOI3NQ96+Hu+N4MTw20KSvrx7ml8/PD4zb5GXo2sXRROHy0VclIXBEPKPKq93QGCMhfCR0jvr2tSib5CwrCMDnjjRxGJV36jhCE1mOV6TKis1MDdigg/7NSVf+eszUW4ed6CSDNFu3ooVZSwdf4Tja2672ROk1W59rDbfgs0Et7pRNnmWM1q+sTbD0eRbY9+0DXBhx5u4OVjp6eNNmO59WGErVvAAjOnZR3rw2LSX7MDrtzeCe1sdR/28WGPIIUVL8eCorlhzPB6PfrTL1Y/fbWAOGdvs6h+wTPX3ivTlrs8J5AXERCymp/CXIA1mwVjnM9zOklFhun+VvCNNJsZPSM62jrHfD4bP11y1kSt87TORGW517nWdS80oUY6MwxRcN2salwWzZA0sVjIHmvc4FkAuPHhdlMQpkym9fpFfR9taWlxU2NMP/+Quj3NaAPKksPvUGwos8lP8Z+QF5ljedNZFsC5/S0u6Fqoa26zRTnVki4KhfGPyKHXIUp9kNV7PRz4oRizHibUfp05xVMACtVIn+pQU7CaQEJCdYfLpo9gMDZ+6ZanmQX0vCUEyiaimrF/eSCkzjBtqSKMRHLd6ADEFEDxSr5nfaqgkddQVkQiBvngCnKwYcKfINA5mYIIFJZyLxpki03SHT6qGT541iHT3OX9F4MBc="
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
|
|
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
|
|
|
wget
|
|
|
|
];
|
|
|
|
|
|
|
|
services.openssh.enable = true;
|
|
|
|
|
|
|
|
networking.firewall.enable = false;
|
|
|
|
|
|
|
|
system.stateVersion = "23.11"; # Did you read the comment?
|
|
|
|
system.autoUpgrade.enable = true;
|
|
|
|
system.autoUpgrade.allowReboot = false;
|
|
|
|
|
|
|
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
|
|
|
nix.gc.automatic = true;
|
|
|
|
nix.gc.options = "--delete-older-than 7d";
|
|
|
|
nix.optimise.automatic = true;
|
|
|
|
|
|
|
|
}
|
|
|
|
|