feat(adguardhome): bind only external interface

hosts/ward/microvms/adguardhome.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   nodes,
+  pkgs,
   utils,
   ...
 }: let
@@ -34,23 +35,50 @@ in {
     };
   };
 
+  networking.firewall = {
+    allowedTCPPorts = [53];
+    allowedUDPPorts = [53];
+  };
+
   services.adguardhome = {
     enable = true;
+    mutableSettings = false;
     settings = {
       bind_host = config.meta.wireguard.proxy-sentinel.ipv4;
       bind_port = 3000;
-      #dns = {
-      #  edns_client_subnet.enabled = false;
-      #  bind_hosts = [ "127.0.0.1" ];
-      #  bootstrap_dns = [
-      #    "8.8.8.8"
-      #    "8.8.4.4"
-      #    "2001:4860:4860::8888"
-      #    "2001:4860:4860::8844"
-      #  ];
-      #};
+      dns = {
+        edns_client_subnet.enabled = false;
+        bind_hosts = [
+          # This dummy address passes the configuration check and will
+          # later be replaced by the actual interface address.
+          "123.123.123.123"
+        ];
+        # allowed_clients = [
+        # ];
+        #trusted_proxied = [];
+        ratelimit = 60;
+        upstream_dns = [
+          "8.8.8.8"
+          "8.8.4.4"
+          "2001:4860:4860::8888"
+          "2001:4860:4860::8844"
+        ];
+        bootstrap_dns = [
+          "8.8.8.8"
+          "8.8.4.4"
+          "2001:4860:4860::8888"
+          "2001:4860:4860::8844"
+        ];
+        dhcp.enabled = false;
+      };
     };
   };
 
-  systemd.services.influxdb.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+  systemd.services.adguardhome = {
+    after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wan"}.device"];
+    preStart = lib.mkAfter ''
+      INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
+      sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
+    '';
+  };
 }