3rd chunk of `nixos/modules/services/networking/crab-hole.md`
      dns_hostname = "dns.example.com";
      # optional (default = 3000)
      timeout_ms = 3000;
    }
  ];
}
```

#### QUIC {#module-services-crab-hole-quic}
QUIC has identical settings to the HTTPS protocol.
Since by default it doesn't run on the standard HTTPS port, you shouldn't need a reverse proxy.
Make sure the service has permission to read the certificate and key.
```nix
{
  services.crab-hole.settings.downstream = [
    {
      protocol = "quic";
      listen = "127.0.0.1";
      port = 853;
      certificate = ./dns.example.com.crt;
      key = "/dns.example.com.key";
      # optional
      dns_hostname = "dns.example.com";
      # optional (default = 3000)
      timeout_ms = 3000;
    }
  ];
}
```

### Upstream options {#module-services-crab-hole-upstream-options}
You can set additional options of the underlying DNS server. A full list of all the options can be found in the [hickory-dns documentation](https://docs.rs/trust-dns-resolver/0.23.0/trust_dns_resolver/config/struct.ResolverOpts.html).

This can look like the following example.
```nix
{
  services.crab-hole.settings.upstream.options = {
    validate = false;
  };
}
```

#### DNSSEC Issues {#module-services-crab-hole-dnssec}
Due to an upstream issue in [hickory-dns](https://github.com/hickory-dns/hickory-dns/issues/2429), sites without DNSSEC will not be resolved if `validate = true`.
Only DNSSEC-capable sites will be resolved with this setting.
To prevent this, set `validate = false` or omit the `[upstream.options]` section.

### API {#module-services-crab-hole-api}
The API allows a user to fetch statistics and information about the crab-hole instance.
Basic information is available to everyone, while more detailed information is protected by a key, which is set with the `admin_key` option.

```nix
{
  services.crab-hole.settings.api = {
    listen = "127.0.0.1";
    port = 8080;
    # optional (default = false)
    show_doc = true; # OpenAPI doc loads content from third party websites
    # optional
    admin_key = "1234";
  };
}
```

The documentation can be enabled separately for the instance with `show_doc`.
This will then create an additional webserver, which hosts the API documentation.
An additional resource is in the works in the [crab-hole repository](https://github.com/LuckyTurtleDev/crab-hole).

## Troubleshooting {#module-services-crab-hole-troubleshooting}
You can check for errors using `systemctl status crab-hole` or `journalctl -xeu crab-hole.service`.

### Invalid config {#module-services-crab-hole-invalid-config}
Some options of the service are freeform and not type-checked.
This can lead to a config which is not valid or cannot be parsed by crab-hole.
The error message will tell you which config value could not be parsed.
For more information, check the [example config](https://github.com/LuckyTurtleDev/crab-hole/blob/main/example-config.toml).

### Permission Error {#module-services-crab-hole-permission-error}
It can happen that the certificates created for TLS, HTTPS or QUIC are owned by another user or group.
With ACME, for example, this would be `acme:acme`.
To give the crab-hole service access to these files, the group which owns the certificate can be added as a supplementary group to the service.
For ACME, for example:
```nix
{
  services.crab-hole.supplementaryGroups = [ "acme" ];
}
```
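
To find out which mode bit blocks the service, and whether adding the certificate's group would be enough, the following added example (not part of the nixpkgs manual or of crab-hole) checks read access for a given uid and group list, including search permission on every parent directory. It assumes GNU `stat` and `readlink` and ignores ACLs; the `crab-hole` user name and the path in the usage comment are placeholders.

```sh
# Added example (not crab-hole or nixpkgs code). Needs GNU stat and readlink.
# can_read FILE UID "GID ..." succeeds when that identity may read FILE:
# read bit on the file and search (x) bit on every parent directory.
# Only owner/group/other mode bits are evaluated; ACLs are ignored.

# allowed PATH UID "GID ..." BIT   (BIT: 4 = read, 1 = search)
allowed() {
  a_uid=$2 a_gids=$3 a_bit=$4
  if [ "$a_uid" -eq 0 ]; then return 0; fi   # root bypasses mode bits
  a_stat=$(stat -c '%u %g %a' -- "$1") || return 1
  a_owner=${a_stat%% *}
  a_rest=${a_stat#* }
  a_group=${a_rest%% *}
  # keep the last three octal digits (drops setuid/setgid/sticky)
  a_mode=$(printf '%s' "00${a_rest#* }" | tail -c 3)
  a_digit=${a_mode#??}                       # "other" digit by default
  if [ "$a_uid" -eq "$a_owner" ]; then
    a_digit=${a_mode%??}                     # owner digit
  else
    for a_g in $a_gids; do
      if [ "$a_g" -eq "$a_group" ]; then
        a_digit=${a_mode#?}; a_digit=${a_digit%?}   # group digit
      fi
    done
  fi
  [ $(( $a_digit & $a_bit )) -ne 0 ]
}

can_read() {
  c_file=$(readlink -f -- "$1") || return 1
  if ! allowed "$c_file" "$2" "$3" 4; then
    echo "no read permission on $c_file" >&2; return 1
  fi
  c_dir=$(dirname -- "$c_file")
  while :; do
    if ! allowed "$c_dir" "$2" "$3" 1; then
      echo "no search permission on $c_dir" >&2; return 1
    fi
    if [ "$c_dir" = / ]; then return 0; fi
    c_dir=$(dirname -- "$c_dir")
  done
}

# Usage (user name and path are placeholders): test the service identity
# with the certificate's group added, before changing the NixOS config:
#   can_read /path/to/key.pem "$(id -u crab-hole)" \
#     "$(id -G crab-hole) $(getent group acme | cut -d: -f3)"
```

A failure names the first path component that denies access, which tells you whether the file or one of its directories needs the group permission.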
