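{
  config,
  lib,
  pkgs,
  ...
}:
# NixOS module for blocky. It renders `services.blocky.settings` to a YAML
# file and runs the daemon as a hardened systemd service under a dynamic user.
let
  cfg = config.services.blocky;

  format = pkgs.formats.yaml { };
  # `format.generate` writes the rendered YAML into the Nix store, which is
  # world-readable on the host: anything placed in `settings` (e.g. upstream
  # or API credentials) is visible to every local user, so keep secrets out
  # of it and reference them some other way if blocky supports that.
  configFile = format.generate "config.yaml" cfg.settings;
in
{
  options.services.blocky = {
    enable = lib.mkEnableOption "blocky, a fast and lightweight DNS proxy as ad-blocker for local network with many features";

    package = lib.mkPackageOption pkgs "blocky" { };

    # Free-form YAML; the upstream documentation is authoritative for keys.
    settings = lib.mkOption {
      type = format.type;
      default = { };
      description = ''
        Blocky configuration. Refer to
        <https://0xerr0r.github.io/blocky/configuration/>
        for details on supported values.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.blocky = {
      description = "A DNS proxy and ad-blocker for the local network";
      # `wants` only pulls a target in; it does not order this unit relative
      # to it. Without `after` the daemon could be started before the network
      # is online, so the two are paired here as systemd.special(7) recommends.
      wants = [
        "network-online.target"
        "nss-lookup.target"
      ];
      after = [
        "network-online.target"
      ];
      # Ordering *before* nss-lookup.target means units that wait for that
      # target (local resolver consumers) only proceed once blocky has started.
      before = [
        "nss-lookup.target"
      ];
      wantedBy = [
        "multi-user.target"
      ];
      serviceConfig = {
        # CAP_NET_BIND_SERVICE is the only capability kept, so the unprivileged
        # dynamic user can still bind the privileged DNS port (< 1024).
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        DynamicUser = true;
        ExecStart = "${lib.getExe cfg.package} --config ${configFile}";
        LockPersonality = true;
        # Writable paths: with ProtectSystem=strict the filesystem is read-only
        # except for the directories systemd creates and owns for the service.
        LogsDirectory = "blocky";
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        NonBlocking = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        Restart = "on-failure";
        # Only IP sockets are needed for DNS; no AF_UNIX or AF_NETLINK.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RuntimeDirectory = "blocky";
        StateDirectory = "blocky";
        SystemCallArchitectures = "native";
        # Allow-list the generic service set plus @chown (presumably needed for
        # files under the State/Logs directories — TODO confirm against the
        # daemon), then deny groups a DNS proxy has no business using.
        SystemCallFilter = [
          "@system-service"
          "@chown"
          "~@aio"
          "~@keyring"
          "~@memlock"
          "~@setuid"
          "~@timer"
        ];
      };
    };
  };
  meta.maintainers = with lib.maintainers; [ paepcke ];
}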