
{
  config,
  globals,
  lib,
  ...
}:
let
  # Public hostname of the AdGuard Home web UI, served by nginx on sentinel.
  adguardhomeDomain = "adguardhome.${globals.domains.me}";

  # Port of the web UI/API; declared further down in services.adguardhome.port.
  uiPort = config.services.adguardhome.port;

  # Services-VLAN addresses: this guest (where the resolver listens) and the
  # local mirror proxy that some service domains are rewritten to.
  servicesVlan = globals.net.home-lan.vlans.services;
  resolverAddr = servicesVlan.hosts.ward-adguardhome.ipv4;
  mirrorProxyAddr = servicesVlan.hosts.ward-web-proxy.ipv4;

  # This guest's address on the proxy-sentinel wireguard network; nginx on
  # sentinel reaches the UI through it.
  sentinelUpstreamAddr = globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4;

  # Builds one AdGuard Home rewrite that answers `domain` with the mirror
  # proxy. Using the local mirror-proxy for these services is not necessary,
  # just faster.
  toMirrorProxyRewrite = domain: {
    inherit domain;
    answer = mirrorProxyAddr;
  };

  # Service domains that resolve to the local mirror proxy from inside the LAN.
  # FIXME: dont hardcode, filter global service domains by internal state
  # FIXME: new entry here? make new firezone entry too.
  # FIXME: new entry here? make new firezone gateway on ward entry too.
  mirroredDomains = [
    globals.services.grafana.domain
    globals.services.mealie.domain
    globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
    globals.services.paperless.domain
    globals.services.esphome.domain
    globals.services.home-assistant.domain
    "fritzbox.${globals.domains.personal}"
  ];
in
{
  # The web UI port is not opened in this host's firewall (only DNS is, below);
  # it is reachable solely through the per-node wireguard rules declared here:
  #  - sentinel: nginx reverse proxy, gated by OAuth2 (see nodes.sentinel below);
  #  - sausebiene: home-assistant talks to the API directly.
  globals.wireguard = {
    proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = [ uiPort ];
    # Allow home-assistant to access it directly
    proxy-home.hosts.${config.node.name}.firewallRuleForNode.sausebiene.allowedTCPPorts = [ uiPort ];
  };

  # Publish the UI domain and register the resolver with DNS monitoring.
  globals.services.adguardhome.domain = adguardhomeDomain;
  globals.monitoring.dns.adguardhome = {
    server = resolverAddr;
    domain = ".";
    network = "home-lan.vlans.services";
  };

  # Reverse proxy on sentinel: TLS is forced there, requests go through the
  # OAuth2 proxy, and only members of `access_adguardhome` are let through.
  nodes.sentinel.services.nginx = {
    upstreams.adguardhome = {
      servers."${sentinelUpstreamAddr}:${toString uiPort}" = { };
      extraConfig = ''
        zone adguardhome 64k;
        keepalive 2;
      '';
      monitoring = {
        enable = true;
        expectedBodyRegex = "AdGuard Home";
      };
    };
    virtualHosts.${adguardhomeDomain} = {
      forceSSL = true;
      useACMEWildcardHost = true;
      oauth2.enable = true;
      oauth2.allowedGroups = [ "access_adguardhome" ];
      locations."/" = {
        # Plain HTTP to the upstream; the hop itself runs over the
        # proxy-sentinel wireguard link.
        proxyPass = "http://adguardhome";
        proxyWebsockets = true;
      };
    };
  };

  # Persist AdGuard Home's state directory across reboots, owner-only.
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/private/AdGuardHome";
      mode = "0700";
    }
  ];

  # DNS is opened on every interface here, but the resolver itself only binds
  # the services-VLAN address (dns.bind_hosts below), so other interfaces have
  # no listener on 53.
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };

  topology.self.services.adguardhome.info = "https://${adguardhomeDomain}";

  services.adguardhome = {
    enable = true;
    # Configuration is fully declarative; the settings below are the source
    # of truth rather than anything edited in the UI.
    mutableSettings = false;
    # The UI/API listens on all interfaces; presumably the sentinel and home
    # wireguard links are separate interfaces, so the firewall rules above
    # (not the bind address) are what limit who can reach it.
    # NOTE(review): no `users` are declared in `settings`, and sausebiene
    # reaches this port without going through the OAuth2 proxy on sentinel.
    # Confirm AdGuard Home-level authentication is in place for that path.
    host = "0.0.0.0";
    port = 3000;
    settings = {
      dns = {
        # Resolver only answers on the services VLAN.
        bind_hosts = [ resolverAddr ];
        # No client allow-list: presumably every host that can reach the bound
        # address may query, so this relies on VLAN membership being trusted.
        # allowed_clients = [
        # ];
        #trusted_proxies = [];
        ratelimit = 300;
        # Upstream resolution goes out over DNS-over-HTTPS only.
        upstream_dns = [
          "https://dns.cloudflare.com/dns-query"
          "https://dns.google/dns-query"
          "https://doh.mullvad.net/dns-query"
        ];
        # Bootstrap resolvers, plain IPs; presumably used to look up the DoH
        # hostnames above.
        bootstrap_dns = [
          "1.1.1.1"
          # FIXME: enable ipv6 "2606:4700:4700::1111"
          "8.8.8.8"
          # FIXME: enable ipv6 "2001:4860:4860::8844"
        ];
        # NOTE(review): this key sits under `dns`; verify AdGuard Home honors
        # it here rather than expecting a top-level `dhcp` section.
        dhcp.enabled = false;
      };
      filtering.rewrites =
        [
          # Undo the /etc/hosts entry so we don't answer with the internal
          # wireguard address for influxdb
          {
            domain = globals.services.influxdb.domain;
            answer = globals.domains.me;
          }
        ]
        ++ map toMirrorProxyRewrite mirroredDomains;
      # Blocklists, all fetched over HTTPS.
      filters = [
        {
          name = "AdGuard DNS filter";
          url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
          enabled = true;
        }
        {
          name = "AdAway Default Blocklist";
          url = "https://adaway.org/hosts.txt";
          enabled = true;
        }
        {
          name = "OISD (Big)";
          url = "https://big.oisd.nl";
          enabled = true;
        }
      ];
    };
  };

  # Retry every minute
  systemd.services.adguardhome.serviceConfig.RestartSec = lib.mkForce "60";
}