commit ad12b2652627a01e21024e3275550c2f55204a7e · pyrox.dev/nixpkgs

maintainers/maintainer-list.nix

···

       15886
       15886
        
           github = "niklaskorz";

     

       15887
       15887
        
           githubId = 590517;

     

       15888
       15888
        
         };

     

       15889
       15889
       +
         NiklasVousten = {

     

       15890
       15890
       +
           name = "Niklas Vousten";

     

       15891
       15891
       +
           email = "nixpkgs@vousten.dev";

     

       15892
       15892
       +
           github = "NiklasVousten";

     

       15893
       15893
       +
           githubId = 24965952;

     

       15894
       15894
       +
         };

     

       15889
       15895
        
         nikstur = {

     

       15890
       15896
        
           email = "nikstur@outlook.com";

     

       15891
       15897
        
           name = "nikstur";

+39

nixos/doc/manual/redirects.json

···

       2
       2
        
         "book-nixos-manual": [

     

       3
       3
        
           "index.html#book-nixos-manual"

     

       4
       4
        
         ],

     

       5
       5
       +
         "module-services-crab-hole": [

     

       6
       6
       +
           "index.html#module-services-crab-hole"

     

       7
       7
       +
         ],

     

       8
       8
       +
         "module-services-crab-hole-api": [

     

       9
       9
       +
           "index.html#module-services-crab-hole-api"

     

       10
       10
       +
         ],

     

       11
       11
       +
         "module-services-crab-hole-configuration": [

     

       12
       12
       +
           "index.html#module-services-crab-hole-configuration"

     

       13
       13
       +
         ],

     

       14
       14
       +
         "module-services-crab-hole-dnssec": [

     

       15
       15
       +
           "index.html#module-services-crab-hole-dnssec"

     

       16
       16
       +
         ],

     

       17
       17
       +
         "module-services-crab-hole-downstream": [

     

       18
       18
       +
           "index.html#module-services-crab-hole-downstream"

     

       19
       19
       +
         ],

     

       20
       20
       +
         "module-services-crab-hole-https": [

     

       21
       21
       +
           "index.html#module-services-crab-hole-https"

     

       22
       22
       +
         ],

     

       23
       23
       +
         "module-services-crab-hole-invalid-config": [

     

       24
       24
       +
           "index.html#module-services-crab-hole-invalid-config"

     

       25
       25
       +
         ],

     

       26
       26
       +
         "module-services-crab-hole-permission-error": [

     

       27
       27
       +
           "index.html#module-services-crab-hole-permission-error"

     

       28
       28
       +
         ],

     

       29
       29
       +
         "module-services-crab-hole-quic": [

     

       30
       30
       +
           "index.html#module-services-crab-hole-quic"

     

       31
       31
       +
         ],

     

       32
       32
       +
         "module-services-crab-hole-tls": [

     

       33
       33
       +
           "index.html#module-services-crab-hole-tls"

     

       34
       34
       +
         ],

     

       35
       35
       +
         "module-services-crab-hole-troubleshooting": [

     

       36
       36
       +
           "index.html#module-services-crab-hole-troubleshooting"

     

       37
       37
       +
         ],

     

       38
       38
       +
         "module-services-crab-hole-udp": [

     

       39
       39
       +
           "index.html#module-services-crab-hole-udp"

     

       40
       40
       +
         ],

     

       41
       41
       +
         "module-services-crab-hole-upstream-options": [

     

       42
       42
       +
           "index.html#module-services-crab-hole-upstream-options"

     

       43
       43
       +
         ],

     

       5
       44
        
         "preface": [

     

       6
       45
        
           "index.html#preface"

     

       7
       46
        
         ],

nixos/doc/manual/release-notes/rl-2505.section.md

···

       20
       20
        
       

     

       21
       21
        
       - [Traccar](https://www.traccar.org/), a modern GPS Tracking Platform. Available as [services.traccar](#opt-services.traccar.enable).

     

       22
       22
        
       

     

       23
       23
       +
       - [crab-hole](https://github.com/LuckyTurtleDev/crab-hole), a cross platform Pi-hole clone written in Rust using hickory-dns/trust-dns. Available as [services.crab-hole](#opt-services.crab-hole.enable).

     

       24
       24
       +
       

     

       23
       25
        
       - [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](options.html#opt-services.amazon-cloudwatch-agent.enable).

     

       24
       26
        
       

     

       25
       27
        
       - [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](options.html#opt-services.agorakit.enable).

nixos/modules/module-list.nix

···

       1027
       1027
        
         ./services/networking/coredns.nix

     

       1028
       1028
        
         ./services/networking/corerad.nix

     

       1029
       1029
        
         ./services/networking/coturn.nix

     

       1030
       1030
       +
         ./services/networking/crab-hole.nix

     

       1030
       1031
        
         ./services/networking/create_ap.nix

     

       1031
       1032
        
         ./services/networking/croc.nix

     

       1032
       1033
        
         ./services/networking/dae.nix

+215

nixos/modules/services/networking/crab-hole.md

···

       1
       1
       +
       # 🦀 crab-hole {#module-services-crab-hole}

     

       2
       2
       +
       

     

       3
       3
       +
       Crab-hole is a cross platform Pi-hole clone written in Rust using [hickory-dns/trust-dns](https://github.com/hickory-dns/hickory-dns).

     

       4
       4
       +
       It can be used as a network wide ad and spy blocker or run on your local PC.

     

       5
       5
       +
       

     

       6
       6
       +
       For a secure and private communication, crab-hole has builtin support for DoH(HTTPS), DoQ(QUIC) and DoT(TLS) for down- and upstreams and DNSSEC for upstreams.

     

       7
       7
       +
       It also comes with privacy friendly default logging settings.

     

       8
       8
       +
       

     

       9
       9
       +
       ## Configuration {#module-services-crab-hole-configuration}

     

       10
       10
       +
       As an example config file using Cloudflare as DoT upstream, you can use this [crab-hole.toml](https://github.com/LuckyTurtleDev/crab-hole/blob/main/example-config.toml)

     

       11
       11
       +
       

     

       12
       12
       +
       

     

       13
       13
       +
       The following is a basic nix config using UDP as a downstream and Cloudflare as upstream.

     

       14
       14
       +
       

     

       15
       15
       +
       ```nix

     

       16
       16
       +
       {

     

       17
       17
       +
         services.crab-hole = {

     

       18
       18
       +
           enable = true;

     

       19
       19
       +
       

     

       20
       20
       +
           settings = {

     

       21
       21
       +
             blocklist = {

     

       22
       22
       +
               include_subdomains = true;

     

       23
       23
       +
               lists = [

     

       24
       24
       +
                 "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts"

     

       25
       25
       +
                 "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt"

     

       26
       26
       +
               ];

     

       27
       27
       +
             };

     

       28
       28
       +
       

     

       29
       29
       +
             downstream = [

     

       30
       30
       +
               {

     

       31
       31
       +
                 protocol = "udp";

     

       32
       32
       +
                 listen = "127.0.0.1";

     

       33
       33
       +
                 port = 53;

     

       34
       34
       +
               }

     

       35
       35
       +
               {

     

       36
       36
       +
                 protocol = "udp";

     

       37
       37
       +
                 listen = "::1";

     

       38
       38
       +
                 port = 53;

     

       39
       39
       +
               }

     

       40
       40
       +
             ];

     

       41
       41
       +
       

     

       42
       42
       +
             upstream = {

     

       43
       43
       +
               name_servers = [

     

       44
       44
       +
                 {

     

       45
       45
       +
                   socket_addr = "1.1.1.1:853";

     

       46
       46
       +
                   protocol = "tls";

     

       47
       47
       +
                   tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com";

     

       48
       48
       +
                   trust_nx_responses = false;

     

       49
       49
       +
                 }

     

       50
       50
       +
                 {

     

       51
       51
       +
                   socket_addr = "[2606:4700:4700::1111]:853";

     

       52
       52
       +
                   protocol = "tls";

     

       53
       53
       +
                   tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com";

     

       54
       54
       +
                   trust_nx_responses = false;

     

       55
       55
       +
                 }

     

       56
       56
       +
               ];

     

       57
       57
       +
             };

     

       58
       58
       +
           };

     

       59
       59
       +
         };

     

       60
       60
       +
       }

     

       61
       61
       +
       ```

     

       62
       62
       +
       

     

       63
       63
       +
       To test your setup, just query the DNS server with any domain like `example.com`.

     

       64
       64
       +
       To test if a domain gets blocked, just choose one of the domains from the blocklist.

     

       65
       65
       +
       If the server does not return an IP, this worked correctly.

     

       66
       66
       +
       

     

       67
       67
       +
       ### Downstream options {#module-services-crab-hole-downstream}

     

       68
       68
       +
       There are multiple protocols which are supported for the downstream:

     

       69
       69
       +
       UDP, TLS, HTTPS and QUIC.

     

       70
       70
       +
       Below you can find a brief overview over the various protocol options together with an example for each protocol.

     

       71
       71
       +
       

     

       72
       72
       +
       #### UDP {#module-services-crab-hole-udp}

     

       73
       73
       +
       UDP is the simplest downstream, but it is not encrypted.

     

       74
       74
       +
       If you want encryption, you need to use another protocol.

     

       75
       75
       +
       ***Note:** This also opens a TCP port*

     

       76
       76
       +
       ```nix

     

       77
       77
       +
       {

     

       78
       78
       +
         services.crab-hole.settings.downstream = [

     

       79
       79
       +
           {

     

       80
       80
       +
             protocol = "udp";

     

       81
       81
       +
             listen = "localhost";

     

       82
       82
       +
             port = 53;

     

       83
       83
       +
           }

     

       84
       84
       +
         ];

     

       85
       85
       +
       }

     

       86
       86
       +
       ```

     

       87
       87
       +
       

     

       88
       88
       +
       #### TLS {#module-services-crab-hole-tls}

     

       89
       89
       +
       TLS is a simple encrypted options to serve DNS.

     

       90
       90
       +
       It comes with similar settings to UDP,

     

       91
       91
       +
       but you additionally need a valid TLS certificate and its private key.

     

       92
       92
       +
       The later are specified via a path to the files.

     

       93
       93
       +
       A valid TLS certificate and private key can be obtained using services like ACME.

     

       94
       94
       +
       Make sure the crab-hole service user has access to these files.

     

       95
       95
       +
       Additionally you can set an optional timeout value.

     

       96
       96
       +
       ```nix

     

       97
       97
       +
       {

     

       98
       98
       +
         services.crab-hole.settings.downstream = [

     

       99
       99
       +
           {

     

       100
       100
       +
             protocol = "tls";

     

       101
       101
       +
             listen = "[::]";

     

       102
       102
       +
             port = 853;

     

       103
       103
       +
             certificate = ./dns.example.com.crt;

     

       104
       104
       +
             key = "/dns.example.com.key";

     

       105
       105
       +
             # optional (default = 3000)

     

       106
       106
       +
             timeout_ms = 3000

     

       107
       107
       +
           }

     

       108
       108
       +
         ];

     

       109
       109
       +
       }

     

       110
       110
       +
       ```

     

       111
       111
       +
       

     

       112
       112
       +
       #### HTTPS {#module-services-crab-hole-https}

     

       113
       113
       +
       HTTPS has similar settings to TLS, with the only difference being the additional `dns_hostname` option.

     

       114
       114
       +
       This protocol might need a reverse proxy if other HTTPS services are to share the same port.

     

       115
       115
       +
       Make sure the service has permissions to access the certificate and key.

     

       116
       116
       +
       

     

       117
       117
       +
       ***Note:** this config is untested*

     

       118
       118
       +
       ```nix

     

       119
       119
       +
       {

     

       120
       120
       +
         services.crab-hole.settings.downstream = [

     

       121
       121
       +
           {

     

       122
       122
       +
             protocol = "https";

     

       123
       123
       +
             listen = "[::]";

     

       124
       124
       +
             port = 443;

     

       125
       125
       +
             certificate = ./dns.example.com.crt;

     

       126
       126
       +
             key = "/dns.example.com.key";

     

       127
       127
       +
             # optional

     

       128
       128
       +
             dns_hostname = "dns.example.com";

     

       129
       129
       +
             # optional (default = 3000)

     

       130
       130
       +
             timeout_ms = 3000;

     

       131
       131
       +
           }

     

       132
       132
       +
         ];

     

       133
       133
       +
       }

     

       134
       134
       +
       ```

     

       135
       135
       +
       

     

       136
       136
       +
       #### QUIC {#module-services-crab-hole-quic}

     

       137
       137
       +
       QUIC has identical settings to the HTTPS protocol.

     

       138
       138
       +
       Since by default it doesn't run on the standard HTTPS port, you shouldn't need a reverse proxy.

     

       139
       139
       +
       Make sure the service has permissions to access the certificate and key.

     

       140
       140
       +
       ```nix

     

       141
       141
       +
       {

     

       142
       142
       +
         services.crab-hole.settings.downstream = [

     

       143
       143
       +
           {

     

       144
       144
       +
             protocol = "quic";

     

       145
       145
       +
             listen = "127.0.0.1";

     

       146
       146
       +
             port = 853;

     

       147
       147
       +
             certificate = ./dns.example.com.crt;

     

       148
       148
       +
             key = "/dns.example.com.key";

     

       149
       149
       +
             # optional

     

       150
       150
       +
             dns_hostname = "dns.example.com";

     

       151
       151
       +
             # optional (default = 3000)

     

       152
       152
       +
             timeout_ms = 3000;

     

       153
       153
       +
           }

     

       154
       154
       +
         ];

     

       155
       155
       +
       }

     

       156
       156
       +
       ```

     

       157
       157
       +
       

     

       158
       158
       +
       ### Upstream options {#module-services-crab-hole-upstream-options}

     

       159
       159
       +
       You can set additional options of the underlying DNS server. A full list of all the options can be found in the [hickory-dns documentation](https://docs.rs/trust-dns-resolver/0.23.0/trust_dns_resolver/config/struct.ResolverOpts.html).

     

       160
       160
       +
       

     

       161
       161
       +
       This can look like the following example.

     

       162
       162
       +
       ```nix

     

       163
       163
       +
       {

     

       164
       164
       +
         services.crab-hole.settings.upstream.options = {

     

       165
       165
       +
           validate = false;

     

       166
       166
       +
         };

     

       167
       167
       +
       }

     

       168
       168
       +
       ```

     

       169
       169
       +
       

     

       170
       170
       +
       #### DNSSEC Issues {#module-services-crab-hole-dnssec}

     

       171
       171
       +
       Due to an upstream issue of [hickory-dns](https://github.com/hickory-dns/hickory-dns/issues/2429), sites without DNSSEC will not be resolved if `validate = true`.

     

       172
       172
       +
       Only DNSSEC capable sites will be resolved with this setting.

     

       173
       173
       +
       To prevent this, set `validate = false` or omit the `[upstream.options]`.

     

       174
       174
       +
       

     

       175
       175
       +
       ### API {#module-services-crab-hole-api}

     

       176
       176
       +
       The API allows a user to fetch statistic and information about the crab-hole instance.

     

       177
       177
       +
       Basic information is availablee for everyone, while more detailed information is secured by a key, which will be set with the `admin_key` option.

     

       178
       178
       +
       

     

       179
       179
       +
       ```nix

     

       180
       180
       +
       {

     

       181
       181
       +
         services.crab-hole.settings.api = {

     

       182
       182
       +
           listen = "127.0.0.1";

     

       183
       183
       +
           port = 8080;

     

       184
       184
       +
           # optional (default = false)

     

       185
       185
       +
           show_doc = true; # OpenAPI doc loads content from third party websites

     

       186
       186
       +
           # optional

     

       187
       187
       +
           admin_key = "1234";

     

       188
       188
       +
         };

     

       189
       189
       +
       }

     

       190
       190
       +
       

     

       191
       191
       +
       ```

     

       192
       192
       +
       

     

       193
       193
       +
       The documentation can be enabled seperately for the instance with `show_doc`.

     

       194
       194
       +
       This will then create an additional webserver, which hosts the API documentation.

     

       195
       195
       +
       An additional resource is in work in the [crab-hole repository](https://github.com/LuckyTurtleDev/crab-hole).

     

       196
       196
       +
       

     

       197
       197
       +
       ## Troubleshooting {#module-services-crab-hole-troubleshooting}

     

       198
       198
       +
       You can check for errors using `systemctl status crab-hole` or `journalctl -xeu crab-hole.service`.

     

       199
       199
       +
       

     

       200
       200
       +
       ### Invalid config {#module-services-crab-hole-invalid-config}

     

       201
       201
       +
       Some options of the service are in freeform and not type checked.

     

       202
       202
       +
       This can lead to a config which is not valid or cannot be parsed by crab-hole.

     

       203
       203
       +
       The error message will tell you what config value could not be parsed.

     

       204
       204
       +
       For more information check the [example config](https://github.com/LuckyTurtleDev/crab-hole/blob/main/example-config.toml).

     

       205
       205
       +
       

     

       206
       206
       +
       ### Permission Error {#module-services-crab-hole-permission-error}

     

       207
       207
       +
       It can happen that the created certificates for TLS, HTTPS or QUIC are owned by another user or group.

     

       208
       208
       +
       For ACME for example this would be `acme:acme`.

     

       209
       209
       +
       To give the crab-hole service access to these files, the group which owns the certificate can be added as a supplementary group to the service.

     

       210
       210
       +
       For ACME for example:

     

       211
       211
       +
       ```nix

     

       212
       212
       +
       {

     

       213
       213
       +
         services.crab-hole.supplementaryGroups = [ "acme" ];

     

       214
       214
       +
       }

     

       215
       215
       +
       ```

+180

nixos/modules/services/networking/crab-hole.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         config,

     

       3
       3
       +
         lib,

     

       4
       4
       +
         pkgs,

     

       5
       5
       +
         ...

     

       6
       6
       +
       }:

     

       7
       7
       +
       let

     

       8
       8
       +
         cfg = config.services.crab-hole;

     

       9
       9
       +
       

     

       10
       10
       +
         settingsFormat = pkgs.formats.toml { };

     

       11
       11
       +
       

     

       12
       12
       +
         checkConfig =

     

       13
       13
       +
           file:

     

       14
       14
       +
           pkgs.runCommand "check-config"

     

       15
       15
       +
             {

     

       16
       16
       +
               nativeBuildInputs = [

     

       17
       17
       +
                 cfg.package

     

       18
       18
       +
                 pkgs.cacert

     

       19
       19
       +
                 pkgs.dig

     

       20
       20
       +
               ];

     

       21
       21
       +
             }

     

       22
       22
       +
             ''

     

       23
       23
       +
               ln -s ${file} $out

     

       24
       24
       +
       

     

       25
       25
       +
               ln -s ${file} ./config.toml

     

       26
       26
       +
               export CRAB_HOLE_DIR=$(pwd)

     

       27
       27
       +
       

     

       28
       28
       +
               ${lib.getExe cfg.package} validate-config

     

       29
       29
       +
             '';

     

       30
       30
       +
       in

     

       31
       31
       +
       {

     

       32
       32
       +
         options = {

     

       33
       33
       +
           services.crab-hole = {

     

       34
       34
       +
             enable = lib.mkEnableOption "Crab-hole Service";

     

       35
       35
       +
       

     

       36
       36
       +
             package = lib.mkPackageOption pkgs "crab-hole" { };

     

       37
       37
       +
       

     

       38
       38
       +
             supplementaryGroups = lib.mkOption {

     

       39
       39
       +
               type = lib.types.listOf lib.types.str;

     

       40
       40
       +
               default = [ ];

     

       41
       41
       +
               example = [ "acme" ];

     

       42
       42
       +
               description = "Adds additional groups to the crab-hole service. Can be useful to prevent permission issues.";

     

       43
       43
       +
             };

     

       44
       44
       +
       

     

       45
       45
       +
             settings = lib.mkOption {

     

       46
       46
       +
               description = "Crab-holes config. See big example https://github.com/LuckyTurtleDev/crab-hole/blob/main/example-config.toml";

     

       47
       47
       +
       

     

       48
       48
       +
               example = {

     

       49
       49
       +
                 downstream = [

     

       50
       50
       +
                   {

     

       51
       51
       +
                     listen = "localhost";

     

       52
       52
       +
                     port = 8080;

     

       53
       53
       +
                     protocol = "udp";

     

       54
       54
       +
                   }

     

       55
       55
       +
                   {

     

       56
       56
       +
                     certificate = "dns.example.com.crt";

     

       57
       57
       +
                     dns_hostname = "dns.example.com";

     

       58
       58
       +
                     key = "dns.example.com.key";

     

       59
       59
       +
                     listen = "[::]";

     

       60
       60
       +
                     port = 8055;

     

       61
       61
       +
                     protocol = "https";

     

       62
       62
       +
                     timeout_ms = 3000;

     

       63
       63
       +
                   }

     

       64
       64
       +
                 ];

     

       65
       65
       +
                 api = {

     

       66
       66
       +
                   admin_key = "1234";

     

       67
       67
       +
                   listen = "127.0.0.1";

     

       68
       68
       +
                   port = 8080;

     

       69
       69
       +
                   show_doc = true;

     

       70
       70
       +
                 };

     

       71
       71
       +
                 blocklist = {

     

       72
       72
       +
                   allow_list = [

     

       73
       73
       +
                     "file:///allowed.txt"

     

       74
       74
       +
                   ];

     

       75
       75
       +
                   include_subdomains = true;

     

       76
       76
       +
                   lists = [

     

       77
       77
       +
                     "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts"

     

       78
       78
       +
                     "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt"

     

       79
       79
       +
                     "file:///blocked.txt"

     

       80
       80
       +
                   ];

     

       81
       81
       +
                 };

     

       82
       82
       +
                 upstream = {

     

       83
       83
       +
                   name_servers = [

     

       84
       84
       +
                     {

     

       85
       85
       +
                       protocol = "tls";

     

       86
       86
       +
                       socket_addr = "[2606:4700:4700::1111]:853";

     

       87
       87
       +
                       tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com";

     

       88
       88
       +
                       trust_nx_responses = false;

     

       89
       89
       +
                     }

     

       90
       90
       +
                     {

     

       91
       91
       +
                       protocol = "tls";

     

       92
       92
       +
                       socket_addr = "1.1.1.1:853";

     

       93
       93
       +
                       tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com";

     

       94
       94
       +
                       trust_nx_responses = false;

     

       95
       95
       +
                     }

     

       96
       96
       +
                   ];

     

       97
       97
       +
                   options = {

     

       98
       98
       +
                     validate = false;

     

       99
       99
       +
                   };

     

       100
       100
       +
                 };

     

       101
       101
       +
               };

     

       102
       102
       +
       

     

       103
       103
       +
               type = lib.types.submodule {

     

       104
       104
       +
                 freeformType = settingsFormat.type;

     

       105
       105
       +
                 options = {

     

       106
       106
       +
                   blocklist =

     

       107
       107
       +
                     let

     

       108
       108
       +
                       listOption =

     

       109
       109
       +
                         name:

     

       110
       110
       +
                         lib.mkOption {

     

       111
       111
       +
                           type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);

     

       112
       112
       +
                           default = [ ];

     

       113
       113
       +
                           description = "List of ${name}. If files are added via url, make sure the service has access to them!";

     

       114
       114
       +
                           apply = map (v: if builtins.isPath v then "file://${v}" else v);

     

       115
       115
       +
                         };

     

       116
       116
       +
                     in

     

       117
       117
       +
                     {

     

       118
       118
       +
                       include_subdomains = lib.mkEnableOption "Include subdomains";

     

       119
       119
       +
                       lists = listOption "blocklists";

     

       120
       120
       +
                       allow_list = listOption "allowlists";

     

       121
       121
       +
                     };

     

       122
       122
       +
                 };

     

       123
       123
       +
               };

     

       124
       124
       +
             };

     

       125
       125
       +
       

     

       126
       126
       +
             configFile = lib.mkOption {

     

       127
       127
       +
               type = lib.types.path;

     

       128
       128
       +
               description = ''

     

       129
       129
       +
                 The config file of crab-hole.

     

       130
       130
       +
       

     

       131
       131
       +
                 If files are added via url, make sure the service has access to them.

     

       132
       132
       +
                 Setting this option will override any configuration applied by the settings option.

     

       133
       133
       +
               '';

     

       134
       134
       +
             };

     

       135
       135
       +
           };

     

       136
       136
       +
         };

     

       137
       137
       +
       

     

       138
       138
       +
         config = lib.mkIf cfg.enable {

     

       139
       139
       +
           # Warning due to DNSSec issue in crab-hole

     

       140
       140
       +
           warnings = lib.optional (cfg.settings.upstream.options.validate or false) ''

     

       141
       141
       +
             Validate options will ONLY allow DNSSec domains. See https://github.com/LuckyTurtleDev/crab-hole/issues/29

     

       142
       142
       +
           '';

     

       143
       143
       +
       

     

       144
       144
       +
           services.crab-hole.configFile = lib.mkDefault (

     

       145
       145
       +
             checkConfig (settingsFormat.generate "crab-hole.toml" cfg.settings)

     

       146
       146
       +
           );

     

       147
       147
       +
           environment.etc."crab-hole.toml".source = cfg.configFile;

     

       148
       148
       +
       

     

       149
       149
       +
           systemd.services.crab-hole = {

     

       150
       150
       +
             wantedBy = [ "multi-user.target" ];

     

       151
       151
       +
             after = [ "network-online.target" ];

     

       152
       152
       +
             wants = [ "network-online.target" ];

     

       153
       153
       +
             description = "Crab-hole dns server";

     

       154
       154
       +
             environment.HOME = "/var/lib/crab-hole";

     

       155
       155
       +
             restartTriggers = [ cfg.configFile ];

     

       156
       156
       +
             serviceConfig = {

     

       157
       157
       +
               Type = "simple";

     

       158
       158
       +
               DynamicUser = true;

     

       159
       159
       +
               SupplementaryGroups = cfg.supplementaryGroups;

     

       160
       160
       +
       

     

       161
       161
       +
               StateDirectory = "crab-hole";

     

       162
       162
       +
               WorkingDirectory = "/var/lib/crab-hole";

     

       163
       163
       +
       

     

       164
       164
       +
               ExecStart = lib.getExe cfg.package;

     

       165
       165
       +
       

     

       166
       166
       +
               AmbientCapabilities = "CAP_NET_BIND_SERVICE";

     

       167
       167
       +
               CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

     

       168
       168
       +
       

     

       169
       169
       +
               Restart = "on-failure";

     

       170
       170
       +
               RestartSec = 1;

     

       171
       171
       +
             };

     

       172
       172
       +
           };

     

       173
       173
       +
         };

     

       174
       174
       +
       

     

       175
       175
       +
         meta.maintainers = [

     

       176
       176
       +
           lib.maintainers.NiklasVousten

     

       177
       177
       +
         ];

     

       178
       178
       +
         # Readme from upstream

     

       179
       179
       +
         meta.doc = ./crab-hole.md;

     

       180
       180
       +
       }

+30

pkgs/by-name/cr/crab-hole/package.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         lib,

     

       3
       3
       +
         fetchFromGitHub,

     

       4
       4
       +
         rustPlatform,

     

       5
       5
       +
       }:

     

       6
       6
       +
       

     

       7
       7
       +
       rustPlatform.buildRustPackage rec {

     

       8
       8
       +
         pname = "crab-hole";

     

       9
       9
       +
         version = "0.1.10";

     

       10
       10
       +
       

     

       11
       11
       +
         src = fetchFromGitHub {

     

       12
       12
       +
           owner = "LuckyTurtleDev";

     

       13
       13
       +
           repo = "crab-hole";

     

       14
       14
       +
           rev = "refs/tags/v${version}";

     

       15
       15
       +
           hash = "sha256-OyZ+GkWU+OMnS6X7yk7H1e1MzfQQQkhOkoxUmWn6k7I=";

     

       16
       16
       +
         };

     

       17
       17
       +
       

     

       18
       18
       +
         cargoHash = "sha256-NeVCGN2ZIyrufa3geO8bbwV7ncenguftnr5SClRZLi8=";

     

       19
       19
       +
       

     

       20
       20
       +
         meta = {

     

       21
       21
       +
           description = "Pi-Hole clone written in Rust using Hickory DNS";

     

       22
       22
       +
           homepage = "https://github.com/LuckyTurtleDev/crab-hole";

     

       23
       23
       +
           license = lib.licenses.agpl3Plus;

     

       24
       24
       +
           mainProgram = "crab-hole";

     

       25
       25
       +
           maintainers = [

     

       26
       26
       +
             lib.maintainers.NiklasVousten

     

       27
       27
       +
           ];

     

       28
       28
       +
           platforms = lib.platforms.linux;

     

       29
       29
       +
         };

     

       30
       30
       +
       }