nixpkgs

3rd chunk of `nixos/modules/services/networking/crab-hole.md`
      dns_hostname = "dns.example.com";
      # optional (default = 3000)
      timeout_ms = 3000;
    }
  ];
}
```

#### QUIC {#module-services-crab-hole-quic}
QUIC (DNS over QUIC) takes the same settings as the HTTPS protocol.
Because it does not listen on the standard HTTPS port by default, a reverse proxy is normally not needed.
Make sure the service has permission to read the certificate and the key.
Give the key as a string path (as in the example below) rather than as a Nix path literal: a path literal is copied into the Nix store, which every local user can read.
```nix
{
  services.crab-hole.settings.downstream = [
    {
      protocol = "quic";
      listen = "127.0.0.1";
      port = 853;
      certificate = ./dns.example.com.crt;
      key = "/dns.example.com.key";
      # optional
      dns_hostname = "dns.example.com";
      # optional (default = 3000)
      timeout_ms = 3000;
    }
  ];
}
```

### Upstream options {#module-services-crab-hole-upstream-options}
You can set additional options of the underlying DNS resolver (hickory-dns, formerly trust-dns). A full list of all the options can be found in the [hickory-dns documentation](https://docs.rs/trust-dns-resolver/0.23.0/trust_dns_resolver/config/struct.ResolverOpts.html).

This can look like the following example.
```nix
{
  services.crab-hole.settings.upstream.options = {
    validate = false;
  };
}
```

#### DNSSEC Issues {#module-services-crab-hole-dnssec}
Due to an upstream issue in [hickory-dns](https://github.com/hickory-dns/hickory-dns/issues/2429), domains without DNSSEC will not be resolved if `validate = true`.
With this setting only DNSSEC-signed domains resolve.
To avoid this, set `validate = false` or omit `upstream.options` altogether (the `[upstream.options]` table in the TOML).

### API {#module-services-crab-hole-api}
The API allows a user to fetch statistics and information about the crab-hole instance.
Basic information is available to everyone, while more detailed information is protected by a key, which is set with the `admin_key` option.
Note that `admin_key`, like everything under `settings`, ends up in the generated configuration file in the Nix store and is therefore readable by every local user; keep the API bound to a local or otherwise restricted address as in the example.

```nix
{
  services.crab-hole.settings.api = {
    listen = "127.0.0.1";
    port = 8080;
    # optional (default = false)
    show_doc = true; # OpenAPI doc loads content from third party websites
    # optional
    admin_key = "1234";
  };
}
```

The API documentation can be enabled separately with `show_doc`.
This starts an additional web server that hosts the OpenAPI documentation; note that the documentation page loads content from third-party websites.
Further documentation is in progress in the [crab-hole repository](https://github.com/LuckyTurtleDev/crab-hole).

## Troubleshooting {#module-services-crab-hole-troubleshooting}
You can check for errors using `systemctl status crab-hole` or `journalctl -xeu crab-hole.service`.

### Invalid config {#module-services-crab-hole-invalid-config}
Some options of the service are freeform and not type-checked.
This can lead to a config that is invalid or cannot be parsed by crab-hole.
The error message will tell you which config value could not be parsed.
For more information check the [example config](https://github.com/LuckyTurtleDev/crab-hole/blob/main/example-config.toml).

### Permission Error {#module-services-crab-hole-permission-error}
It can happen that the certificates and keys created for TLS, HTTPS or QUIC are owned by another user or group.
For ACME, for example, this would be `acme:acme`.
To give the crab-hole service access to these files, the group that owns the certificate can be added as a supplementary group of the service.
Keep in mind that this grants the service read access to every file that group can read, not just this certificate; for ACME you can instead give the certificate its own group via `security.acme.certs.<name>.group` and add that group.
For ACME for example:
```nix
{ services.crab-hole.supplementaryGroups = [ "acme" ]; }
```
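Before or after adding a supplementary group it is worth checking the actual ownership and mode bits of the certificate and key, and catching the two mistakes described above: a key that ended up in the Nix store because it was given as a path literal (see the QUIC section), and a key that is world-readable, which needs no group at all but leaks to every local user. The following POSIX shell script is an added example and is not part of crab-hole or its NixOS module; it assumes GNU coreutils `stat` and `getent` (any Linux host), and the ACME path in the usage comment is only an illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for the files referenced by `certificate`
# and `key` in services.crab-hole.settings.downstream. Not part of crab-hole
# or its NixOS module. Assumes GNU coreutils `stat` and `getent` (Linux).

# Resolve a group name to a numeric gid; numeric input is passed through.
gid_of() {
  case "$1" in
    ''|*[!0-9]*) getent group "$1" | cut -d: -f3 ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# check_secret_file FILE GROUP
# Prints exactly one verdict:
#   in-nix-store           FILE lives under /nix/store, i.e. it was given as a
#                          Nix path literal and copied into the world-readable
#                          store; fix the config, not the permissions
#   missing                FILE does not exist
#   world-readable         any user can read FILE (a leak for a private key)
#   not-readable-by-group  GROUP is not the owning group or lacks the r bit,
#                          so a supplementary group alone will not help
#   ok                     GROUP can read FILE and others cannot
check_secret_file() {
  file=$1
  gid=$(gid_of "$2")
  case "$file" in
    /nix/store/*) echo in-nix-store; return ;;
  esac
  [ -f "$file" ] || { echo missing; return; }
  mode=$(stat -c '%a' "$file")        # e.g. 640, or 2640 with setgid
  mode=${mode#"${mode%???}"}          # keep the last three octal digits
  grp=${mode%?}; grp=${grp#?}         # middle digit: group bits
  oth=${mode#??}                      # last digit: other bits
  if [ $((oth & 4)) -ne 0 ]; then
    echo world-readable; return
  fi
  fgid=$(stat -c '%g' "$file")
  if [ "$fgid" = "$gid" ] && [ $((grp & 4)) -ne 0 ]; then
    echo ok
  else
    echo not-readable-by-group
  fi
}

# Example usage (illustrative path): ./check.sh /var/lib/acme/dns.example.com/key.pem acme
if [ "$#" -ge 2 ]; then
  check_secret_file "$1" "$2"
fi
```

A verdict of `not-readable-by-group` means adding `supplementaryGroups` will not help until the file's group or mode is changed; `in-nix-store` and `world-readable` mean the key must be re-created or moved, since it has already been exposed.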
