From b545967e7a05bfc27625ca1ed159579cbc8e2914 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Wed, 21 Jun 2023 01:37:25 +0200
Subject: [PATCH] feat: add adguardhome microvm
---
 hosts/ward/default.nix | 4 +-
 hosts/ward/microvms/adguardhome/default.nix | 68 +++++++++++++++++++
 .../microvms/adguardhome/secrets/host.pub | 1 +
 .../promtail-loki-basic-auth-password.age | 9 +++
 4 files changed, 79 insertions(+), 3 deletions(-)
 create mode 100644 hosts/ward/microvms/adguardhome/default.nix
 create mode 100644 hosts/ward/microvms/adguardhome/secrets/host.pub
 create mode 100644 hosts/ward/microvms/adguardhome/secrets/promtail-loki-basic-auth-password.age
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 0ce87f2..5456e0c 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -39,12 +39,11 @@
 grafana = defaults;
 loki = defaults;
 vaultwarden = defaults;
+ adguardhome = defaults;
 };

 #ddclient = defineVm;
- #kanidm = defineVm;
 #gitea/forgejo = defineVm;
- #vaultwarden = defineVm;
 #samba+wsdd = defineVm;
 #fasten-health = defineVm;
 #immich = defineVm;
@@ -52,7 +51,6 @@
 #radicale = defineVm;
 #minecraft = defineVm;
 #firefly
- #adguardhome
 #prometheus
 #influxdb

diff --git a/hosts/ward/microvms/adguardhome/default.nix b/hosts/ward/microvms/adguardhome/default.nix
new file mode 100644
index 0000000..02d0bac
--- /dev/null
+++ b/hosts/ward/microvms/adguardhome/default.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ nodes,
+ utils,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ adguardDomain = "adguardhome.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+ imports = [
+ ../../../../modules/proxy-via-sentinel.nix
+ ];
+
+ extra.promtail = {
+ enable = true;
+ proxy = "sentinel";
+ };
+
+ networking.nftables.firewall.rules = lib.mkForce {
+ sentinel-to-local.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
+ };
+
+ nodes.sentinel = {
+ proxiedDomains.adguard = adguardDomain;
+
+ globalConfig = ''
+ security {
+ authorization policy mypolicy {
+ set auth url https://auth.myfiosgateway.com:8443/
+ allow roles authp/user
+ crypto key verify {env.JWT_SHARED_KEY}
+ }
+ }
+ '';
+
+ services.caddy.virtualHosts.${adguardDomain} = {
+ useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert adguardDomain;
+ extraConfig = ''
+ import common
+ reverse_proxy {
+ to http://${config.services.adguardhome.settings.bind_host}:${toString config.services.adguardhome.settings.bind_port}
+ header_up X-Real-IP {remote_host}
+ }
+ '';
+ };
+ };
+
+ services.adguardhome = {
+ enable = true;
+ settings = {
+ bind_host = config.extra.wireguard.proxy-sentinel.ipv4;
+ bind_port = 3000;
+ #dns = {
+ # edns_client_subnet.enabled = false;
+ # bind_hosts = [ "127.0.0.1" ];
+ # bootstrap_dns = [
+ # "8.8.8.8"
+ # "8.8.4.4"
+ # "2001:4860:4860::8888"
+ # "2001:4860:4860::8844"
+ # ];
+ #};
+ };
+ };
+
+ systemd.services.influxdb.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+}
diff --git a/hosts/ward/microvms/adguardhome/secrets/host.pub b/hosts/ward/microvms/adguardhome/secrets/host.pub
new file mode 100644
index 0000000..f227506
--- /dev/null
+++ b/hosts/ward/microvms/adguardhome/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno
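Review bot: The boot-ordering line near the end of the hunk, `systemd.services.influxdb.after = [...]`, targets influxdb although this module only enables `services.adguardhome`, so the AdGuard Home unit is never ordered after the proxy-sentinel wireguard device even though its `bind_host` is that interface's address and the bind can race the interface at boot; this reads like a copy-paste leftover and should be `systemd.services.adguardhome.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];`. Separately, the `globalConfig` block declares `authorization policy mypolicy` but the virtual host's `extraConfig` never references it (no `authorize with mypolicy`), so unless the `import common` snippet applies it, the AdGuard Home admin UI is reverse-proxied on the public domain without that policy. The `set auth url https://auth.myfiosgateway.com:8443/` value also appears to be the caddy-security documentation example rather than a real authentication portal, so either wire the policy into the vhost or drop the block until it is ready. The commented-out `dns` settings are dead configuration and would be clearer replaced by a one-line comment stating why the DNS listener is not enabled yet.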
diff --git a/hosts/ward/microvms/adguardhome/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/microvms/adguardhome/secrets/promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000..04eb67e
--- /dev/null
+++ b/hosts/ward/microvms/adguardhome/secrets/promtail-loki-basic-auth-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 bh8fwQruEHmdxScw+dcMTWh0glw6YiRNMgjbMdo5OEE
+0dj/BAUTL3s3KS5SYKSGoQBlFTVbWJwShKEZCK8JiH8
+-> piv-p256 xqSe8Q AvDgcX/5rsg9BeqDFRhk74nA1iDKAb27Nr83IxhYvsDC
+incamQkzY1sjpqZyAsiYfPXRo6Wmpy1v+HPwEJ6bxOI
+-> QiWG-grease 9Ye .2/ `ao[ 79Qu+e
+/XooMMBJ7rlyir1gJg
+--- D/V5bteoODs/ogRGHrFVGWblgwpKwdtvL3wG7EaJpf4
+ȕJy㥨8/xzLFdʏ(ݢu!Iܛ8zjIU0`ac1}
\ No newline at end of file