feat(adguardhome): bind only external interface

2025-10-11 07:10:39 +02:00 · 2023-07-06 02:34:07 +02:00 · 2023-07-06 02:34:07 +02:00 · 3f6286ef31
commit 3f6286ef31
parent 31ef29569d
7 changed files with 122 additions and 59 deletions
--- a/flake.lock
+++ b/flake.lock
@ -415,7 +415,7 @@
      },
      "locked": {
        "lastModified": 1687369979,
-        "narHash": "sha256-Dr6BQSKE1iX85h5kanhSPyJR9RSjJYa20T5PhukQTV8=",
+        "narHash": "sha256-rRV+VKRVb0N2xYLVMfAGk8FQnII3mCuH5JMTOCLlEnk=",
        "type": "git",
        "url": "file:///root/projects/microvm.nix"
      },
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -18,6 +18,7 @@

    ./fs.nix
    ./net.nix
+    ./kea.nix
  ];

  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
--- a/hosts/ward/kea.nix
+++ b/hosts/ward/kea.nix
@ -0,0 +1,77 @@
+{
+  config,
+  lib,
+  utils,
+  nodes,
+  ...
+}: let
+  inherit
+    (lib)
+    flip
+    mapAttrsToList
+    mkOption
+    net
+    types
+    ;
+
+  lanCidrv4 = "192.168.100.0/24";
+  dnsIp = net.cidr.host 2 lanCidrv4;
+in {
+  # TODO make meta.kea module?
+  # TODO reserve by default using assignIps algo?
+  options.networking.dhcp4Reservations = mkOption {
+    default = {};
+    type = types.attrsOf (types.net.ipv4-in lanCidrv4);
+    description = "Maps MAC addresses to their reserved ipv4 address.";
+  };
+
+  config = {
+    services.kea.dhcp4 = {
+      enable = true;
+      settings = {
+        lease-database = {
+          name = "/var/lib/kea/dhcp4.leases";
+          persist = true;
+          type = "memfile";
+        };
+        valid-lifetime = 4000;
+        renew-timer = 1000;
+        rebind-timer = 2000;
+        interfaces-config = {
+          # XXX: why does this bind other macvtaps?
+          interfaces = ["lan-self"];
+          service-sockets-max-retries = -1;
+        };
+        option-data = [
+          {
+            name = "domain-name-servers";
+            data = dnsIp;
+          }
+        ];
+        subnet4 = [
+          {
+            interface = "lan-self";
+            subnet = lanCidrv4;
+            pools = [
+              {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";}
+            ];
+            option-data = [
+              {
+                name = "routers";
+                data = net.cidr.host 1 lanCidrv4;
+              }
+            ];
+            reservations = [
+              {
+                hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
+                ip-address = dnsIp;
+              }
+            ];
+          }
+        ];
+      };
+    };
+
+    systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
+  };
+}
--- a/hosts/ward/microvms/adguardhome.nix
+++ b/hosts/ward/microvms/adguardhome.nix
@ -2,6 +2,7 @@
  config,
  lib,
  nodes,
+  pkgs,
  utils,
  ...
 }: let
@ -34,23 +35,50 @@ in {
    };
  };

+  networking.firewall = {
+    allowedTCPPorts = [53];
+    allowedUDPPorts = [53];
+  };
+
  services.adguardhome = {
    enable = true;
+    mutableSettings = false;
    settings = {
      bind_host = config.meta.wireguard.proxy-sentinel.ipv4;
      bind_port = 3000;
-      #dns = {
-      #  edns_client_subnet.enabled = false;
-      #  bind_hosts = [ "127.0.0.1" ];
-      #  bootstrap_dns = [
-      #    "8.8.8.8"
-      #    "8.8.4.4"
-      #    "2001:4860:4860::8888"
-      #    "2001:4860:4860::8844"
-      #  ];
-      #};
+      dns = {
+        edns_client_subnet.enabled = false;
+        bind_hosts = [
+          # This dummy address passes the configuration check and will
+          # later be replaced by the actual interface address.
+          "123.123.123.123"
+        ];
+        # allowed_clients = [
+        # ];
+        #trusted_proxied = [];
+        ratelimit = 60;
+        upstream_dns = [
+          "8.8.8.8"
+          "8.8.4.4"
+          "2001:4860:4860::8888"
+          "2001:4860:4860::8844"
+        ];
+        bootstrap_dns = [
+          "8.8.8.8"
+          "8.8.4.4"
+          "2001:4860:4860::8888"
+          "2001:4860:4860::8844"
+        ];
+        dhcp.enabled = false;
+      };
    };
  };

-  systemd.services.influxdb.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+  systemd.services.adguardhome = {
+    after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wan"}.device"];
+    preStart = lib.mkAfter ''
+      INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
+      sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
+    '';
+  };
 }
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -1,7 +1,6 @@
 {
  config,
  lib,
-  utils,
  ...
 }: let
  lanCidrv4 = "192.168.100.0/24";
@ -125,51 +124,6 @@ in {
    };
  };

-  services.kea = {
-    dhcp4 = {
-      enable = true;
-      settings = {
-        lease-database = {
-          name = "/var/lib/kea/dhcp4.leases";
-          persist = true;
-          type = "memfile";
-        };
-        valid-lifetime = 4000;
-        renew-timer = 1000;
-        rebind-timer = 2000;
-        interfaces-config = {
-          # TODO why does this bind other macvtaps?
-          interfaces = ["lan-self"];
-          service-sockets-max-retries = -1;
-        };
-        option-data = [
-          {
-            name = "domain-name-servers";
-            # TODO pihole via self
-            data = "1.1.1.1, 8.8.8.8";
-          }
-        ];
-        subnet4 = [
-          {
-            interface = "lan-self";
-            subnet = lanCidrv4;
-            pools = [
-              {pool = "${lib.net.cidr.host 20 lanCidrv4} - ${lib.net.cidr.host (-6) lanCidrv4}";}
-            ];
-            option-data = [
-              {
-                name = "routers";
-                data = lib.net.cidr.host 1 lanCidrv4;
-              }
-            ];
-          }
-        ];
-      };
-    };
-  };
-
-  systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
-
  meta.microvms.networking = {
    baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
    macvtapInterface = "lan";
--- a/modules/meta/microvms.nix
+++ b/modules/meta/microvms.nix
@ -111,6 +111,8 @@
      config = {config, ...}: {
        imports = cfg.commonImports ++ node.imports ++ vmCfg.modules;

+        lib.microvm.mac = mac;
+
        microvm = {
          hypervisor = mkDefault "cloud-hypervisor";

--- a/modules/meta/telegraf.nix
+++ b/modules/meta/telegraf.nix
@ -158,7 +158,8 @@ in {
    systemd.services.telegraf = {
      path = [
        # Make sensors refer to the correct wrapper
-        (mkIf config.services.smartd.enable (pkgs.writeShellScriptBin "sensors" config.security.elewrap.telegraf-sensors.path))
+        (mkIf config.services.smartd.enable
+          (pkgs.writeShellScriptBin "sensors" config.security.elewrap.telegraf-sensors.path))
      ];
      serviceConfig = {
        # For wireguard statistics