From 75186e2f193733cced43ff8eadb906a49db4d1e2 Mon Sep 17 00:00:00 2001
From: Joakim Repomaa
Date: Sat, 15 Feb 2025 16:50:47 +0200
Subject: [PATCH] add adguardhome
---
 hosts/apu/configuration.nix | 30 +++++++++++++--
 hosts/freun-dev/services.nix | 6 +++
 hosts/radish/configuration.nix | 2 +-
 modules/firewall.nix | 2 +-
 modules/services/adguardhome.nix | 63 ++++++++++++++++++++++++++++++++
 modules/services/default.nix | 1 +
 modules/services/webserver.nix | 15 +++++++-
 7 files changed, 113 insertions(+), 6 deletions(-)
 create mode 100644 modules/services/adguardhome.nix
diff --git a/hosts/apu/configuration.nix b/hosts/apu/configuration.nix
index c622d5d..71bbcc5 100644
--- a/hosts/apu/configuration.nix
+++ b/hosts/apu/configuration.nix
@@ -2,7 +2,7 @@
 # your system. Help is availanodev"; # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-{ ssh, pkgs, config, ... }:
+{ ssh, pkgs, config, lib, ... }:
 {
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
@@ -183,9 +183,33 @@
   services.resolved.enable = false;
-  services.nextdns = {
+  services.unbound = {
     enable = true;
-    arguments = [ "-profile" "9c4ac9" "-setup-router" "-mdns" "koti" ];
+    settings = {
+      server = {
+        interface = (lib.map
+          (name: config.systemd.network.networks."30-${name}".dhcpServerConfig.DNS)
+          (lib.attrNames config.modules.vlans.networks)
+        ) ++ [
+          "127.0.0.1"
+          "::1"
+        ];
+        access-control = [
+          "10.0.0.0/8 allow"
+          "127.0.0.0/8 allow"
+          "::1/128 allow"
+        ];
+        verbosity = 2;
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = "100.84.105.63#dns.freun.dev";
+          forward-tls-upstream = true;
+        }
+      ];
+    };
   };
   services.home-assistant = {
diff --git a/hosts/freun-dev/services.nix b/hosts/freun-dev/services.nix
index b692bd9..48be501 100644
--- a/hosts/freun-dev/services.nix
+++ b/hosts/freun-dev/services.nix
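Review bot: `forward-addr = "100.84.105.63#dns.freun.dev"` names the TLS peer but gives no port, and unbound does not switch to 853 by itself when `forward-tls-upstream` is set, so as written it will attempt TLS against port 53, which is not what the accompanying firewall change (853) prepares for; use `forward-addr = "100.84.105.63@853#dns.freun.dev";`. The `#dns.freun.dev` auth name only leads to certificate verification when `tls-cert-bundle` (or `tls-system-cert`) is configured; the NixOS unbound module may supply a default, but that is not visible in this diff, so confirm it or add `tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";` under `server`, otherwise the forwarder is encrypted but unauthenticated. `verbosity = 2` is above the operational default and fine for bring-up, but consider lowering it once the forwarder works, since it grows the journal quickly on a busy resolver.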
@@ -170,5 +170,11 @@ in
       };
       environmentFile = secrets.dnote.path;
     };
+
+    tailscaledAdguardhome = {
+      enable = true;
+      subdomain = "dns";
+      port = 3006;
+    };
   };
 }
diff --git a/hosts/radish/configuration.nix b/hosts/radish/configuration.nix
index 49a8906..1303b35 100644
--- a/hosts/radish/configuration.nix
+++ b/hosts/radish/configuration.nix
@@ -14,7 +14,7 @@
   };
   networking.extraHosts = ''
-    10.10.0.1 warden.apu.repomaa.com
+    100.84.105.63 dns.freun.dev
   '';
   networking.nftables.enable = true;
diff --git a/modules/firewall.nix b/modules/firewall.nix
index 5206198..74a1f08 100644
--- a/modules/firewall.nix
+++ b/modules/firewall.nix
@@ -3,7 +3,7 @@ let
   services = {
     ssh = { tcp = [ 22 ]; };
     dhcp = { udp = [ 67 68 ]; };
-    dns = { udp = [ 53 ]; };
+    dns = { udp = [ 53 853 ]; tcp = [ 53 853 ]; };
     web = { tcp = [ 80 443 ]; };
   };
diff --git a/modules/services/adguardhome.nix b/modules/services/adguardhome.nix
new file mode 100644
index 0000000..fb9047a
--- /dev/null
+++ b/modules/services/adguardhome.nix
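Review bot: Adding 853 to the shared `dns` service entry opens the DNS-over-TLS/QUIC ports on every interface that already lists `dns`, which as far as this diff shows includes the apu VLAN interfaces serving plain unbound, not only the tailscale interface where AdGuard Home actually terminates TLS. Because the firewall module keys openings by service name, a separate entry such as `dot = { udp = [ 853 ]; tcp = [ 853 ]; };` with `[ "dns" "dot" ]` on the tailscale interface keeps LAN exposure where it was. Adding tcp 53 to `dns` itself is right, since resolvers need TCP for truncated answers. The enclosing `let` starts before this hunk.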
@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.tailscaledAdguardhome;
+  fqdn = "${cfg.subdomain}.${config.networking.domain}";
+  tailscaleIps = [
+    "100.84.105.63"
+    "fd7a:115c:a1e0::7901:693f"
+  ];
+  acme = config.security.acme;
+in
+{
+  imports = [
+    (lib.mkAliasOptionModule
+      [ "services" "tailscaledAdguardhome" "settings" ]
+      [ "services" "adguardhome" "settings" ]
+    )
+    (lib.mkAliasOptionModule
+      [ "services" "tailscaledAdguardhome" "port" ]
+      [ "services" "adguardhome" "port" ]
+    )
+  ];
+
+  options.services.tailscaledAdguardhome = {
+    enable = lib.mkEnableOption "Enable tailscaled adguardhome";
+    subdomain = lib.mkOption {
+      type = lib.types.str;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.tailscale.enable = true;
+    modules.firewall.interfaces.${config.services.tailscale.interfaceName} = [ "dns" ];
+
+    systemd.services.adguardhome.serviceConfig.LoadCredential = [
+      "fullchain.pem:${acme.certs.${fqdn}.directory}/fullchain.pem"
+      "key.pem:${acme.certs.${fqdn}.directory}/key.pem"
+    ];
+
+    services.adguardhome = {
+      enable = cfg.enable;
+      settings = {
+        tls = {
+          enabled = true;
+          server_name = fqdn;
+          port_https = 4443;
+          certificate_chain = "/run/credentials/adguardhome.service/fullchain.pem";
+          private_key = "/run/credentials/adguardhome.service/key.pem";
+        };
+        dns.bind_hosts = tailscaleIps;
+      };
+    };
+
+    systemd.services.adguardhome = {
+      requires = [ "tailscaled.service" ];
+      after = [ "tailscaled.service" ];
+    };
+
+    services.webserver.vHosts.${fqdn} = {
+      tailscaleAuth = true;
+      locations."/".proxyPort = cfg.port;
+    };
+  };
+}
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 272b03c..ad002da 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -18,5 +18,6 @@
     ./donetick.nix
     ./dnote.nix
     ./octodns.nix
+    ./adguardhome.nix
   ];
 }
diff --git a/modules/services/webserver.nix b/modules/services/webserver.nix
index 4d5bca5..d0689c8 100644
--- a/modules/services/webserver.nix
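Review bot: `dns.bind_hosts` pins the resolver to the tailnet addresses, but the admin web listener is left at the NixOS module's default bind host (0.0.0.0, as far as I recall), so the UI on `cfg.port` and the HTTPS listener on 4443 are reachable on any interface the host firewall lets through, bypassing the tailscale-authenticated nginx vhost that is meant to be the only way in; set `host = "127.0.0.1";` next to `enable = cfg.enable;` and check whether the HTTPS listener follows the same bind host. `LoadCredential` snapshots the ACME files at service start, so after a renewal AdGuard Home keeps serving the old certificate until something restarts it; add `security.acme.certs.${fqdn}.reloadServices = [ "adguardhome.service" ];` inside the `config` block. Ordering after `tailscaled.service` does not guarantee the addresses in `tailscaleIps` are already assigned when the daemon binds, so if startup races appear, `serviceConfig.Restart = "on-failure";` on the unit is the usual mitigation. The same tailnet address is also hard-coded in `hosts/apu` and `hosts/radish`; a comment on `tailscaleIps` naming the node it belongs to would help whoever rotates the node later.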
+++ b/modules/services/webserver.nix
@@ -25,9 +25,17 @@ let
         locations = lib.mkOption {
           type = lib.types.attrsOf types.location;
         };
+        tailscaleAuth = lib.mkOption {
+          type = lib.types.bool;
+          default = false;
+        };
       };
     };
   };
+
+  tailscaleAuthVhosts = lib.attrNames (
+    lib.filterAttrs (name: { tailscaleAuth, ... }: tailscaleAuth) cfg.vHosts
+  );
 in
 {
   options.services.webserver = {
@@ -56,8 +64,13 @@ in
       recommendedZstdSettings = true;
       recommendedOptimisation = true;
+      tailscaleAuth = {
+        enable = (lib.length tailscaleAuthVhosts) > 0;
+        virtualHosts = tailscaleAuthVhosts;
+      };
+
       virtualHosts = lib.mapAttrs
-        (_: { proxyBuffering, locations }: {
+        (_: { proxyBuffering, locations, ... }: {
           forceSSL = true;
           enableACME = true;
           http2 = true;
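Review bot: The new `tailscaleAuth` option carries no `description`, so option docs and `nixos-option` show nothing about what enabling it does; add `description = "Gate this vhost behind nginx's tailscale auth_request so only tailnet peers reach it.";` to the mkOption. In `tailscaleAuthVhosts` the lambda binds `name` without using it; `(_: { tailscaleAuth, ... }: tailscaleAuth)` matches the `_` convention the second hunk already uses. As far as I understand nginx's tailscaleAuth, the auth_request only guards what nginx fronts, so a vhost that sets this still needs its backend bound to loopback to be effective. The `let` binding list starts before this hunk and `options.services.webserver` continues after it.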
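Review bot: `enable = (lib.length tailscaleAuthVhosts) > 0;` reads more directly as `enable = tailscaleAuthVhosts != [ ];`, which is the usual Nix idiom for a non-empty list. Enabling `services.nginx.tailscaleAuth` presumably needs a running tailscaled on the same host; this module does not set `services.tailscale.enable` itself and relies on the consumer doing so, which is worth a one-line comment above the block, e.g. `# consumers that set tailscaleAuth must also enable services.tailscale`. The `services.nginx` attrset this sits in starts before the hunk.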