diff --git a/hosts/home-server/default.nix b/hosts/home-server/default.nix
index a5a4471..3080828 100644
--- a/hosts/home-server/default.nix
+++ b/hosts/home-server/default.nix
@@ -24,6 +24,7 @@ in
 ../../virtualisation/containers.nix
 ../../virtualisation/podman.nix
 ../../modules/inadyn.nix
+ ../../services/adguardhome.nix
 ../../modules/systemdNotify.nix
 ../../services/postgres
 ../../services/mail.nix
@@ -87,6 +88,7 @@ in
 ''}";
 services.inadyn.domains = [
 "felschr.com"
+ "dns.felschr.com"
 "openpgpkey.felschr.com"
 "ldap.felschr.com"
 "auth.felschr.com"
diff --git a/services/adguardhome.nix b/services/adguardhome.nix
new file mode 100644
index 0000000..2cbe302
--- /dev/null
+++ b/services/adguardhome.nix
@@ -0,0 +1,107 @@
+{ config, ... }:
+
+let
+ cfg = config.services.adguardhome;
+ host = "dns.felschr.com";
+in
+{
+ services.adguardhome = {
+ enable = true;
+ settings = {
+ dns = {
+ upstream_dns = [
+ "https://dns.mullvad.net/dns-query"
+ ];
+ fallback_dns = [
+ "https://1.1.1.1/dns-query"
+ ];
+ enable_dnssec = true;
+ };
+ # encryption
+ tls = {
+ enabled = true;
+ server_name = host;
+ port_https = 0;
+ port_dns_over_tls = 853;
+ port_dns_over_quic = 853;
+ port_dnscrypt = 0;
+ force_https = false; # handled by nginx
+ allow_unencrypted_doh = true;
+ strict_sni_check = false;
+ certificate_path = "/run/credentials/adguardhome.service/fullchain.pem";
+ private_key_path = "/run/credentials/adguardhome.service/key.pem";
+ };
+ # HINT: users needs to be set up manually:
+ # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
+ # users = [ { name = "felschr"; } ];
+ querylog = {
+ enabled = true;
+ interval = "24h";
+ };
+ statistics = {
+ enabled = true;
+ interval = "24h";
+ };
+ filtering = {
+ protection_enabled = true;
+ filtering_enabled = true;
+ safe_search.enabled = true;
+ rewrites = [
+ {
+ domain = "felschr.com";
+ answer = "home-server.tail05275.ts.net";
+ }
+ {
+ domain = "*.felschr.com";
+ answer = "home-server.tail05275.ts.net";
+ }
+ ];
+ };
+ filters = [
+ {
+ name = "HaGeZi Multi Pro";
+ url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt";
+ enabled = true;
+ }
+ {
+ name = "OISD (Big)";
+ url = "https://big.oisd.nl";
+ enabled = false;
+ }
+ {
+ name = "AdGuard DNS filter";
+ url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
+ enabled = false;
+ }
+ ];
+ whitelist_filters = [
+ {
+ name = "HaGeZi Whitelist-Referral";
+ url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-referral.txt";
+ enabled = true;
+ }
+ {
+ name = "Hagezi Whitelist-UrlShortener";
+ url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-urlshortener.txt";
+ enabled = true;
+ }
+ ];
+ };
+ };
+
+ systemd.services.adguardhome.serviceConfig = {
+ LoadCredential = [
+ "fullchain.pem:/var/lib/acme/${host}/fullchain.pem"
+ "key.pem:/var/lib/acme/${host}/key.pem"
+ ];
+ };
+
+ services.nginx.virtualHosts."${host}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 853 ];
+ networking.firewall.allowedUDPPorts = [ 853 ];
+}
diff --git a/system/server.nix b/system/server.nix
index 2d466a8..f4cfa1a 100644
--- a/system/server.nix
+++ b/system/server.nix
@@ -15,14 +15,14 @@ table inet allow-incoming-traffic { chain allow-incoming { type filter hook input priority -100; policy accept; - tcp dport {80, 443, 2222} meta mark set 0x80000; - udp dport {80, 443, 2222} meta mark set 0x80000; + tcp dport {80, 443, 853, 2222} meta mark set 0x80000; + udp dport {80, 443, 853, 2222} meta mark set 0x80000; } chain allow-outgoing { type route hook output priority -100; policy accept; - tcp sport {80, 443, 2222} meta mark set 0x80000; - udp sport {80, 443, 2222} meta mark set 0x80000; + tcp sport {80, 443, 853, 2222} meta mark set 0x80000; + udp sport {80, 443, 853, 2222} meta mark set 0x80000; } } '';
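Review bot: The nginx `locations."/"` proxy publishes AdGuard Home's entire web UI at `https://dns.felschr.com/`, and with `users` left commented out (the HINT says they are created by hand later) the admin interface is reachable from the internet with no authentication until that manual step has been done. Only the DoH handler needs to be public, and it is presumably served on the same listener when `allow_unencrypted_doh = true`, so narrow the proxied path to `locations."/dns-query".proxyPass = "http://localhost:${toString cfg.port}";` and reach the UI over the tailnet instead. A separate, independent point: `LoadCredential` copies the certificate at unit start, so after an ACME renewal DoT/DoQ on 853 keep presenting the old certificate until the service is restarted; add `security.acme.certs."${host}".reloadServices = [ "adguardhome.service" ];` next to the nginx vhost.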
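Review bot: The port set `{80, 443, 853, 2222}` is now written out four times in this table, and this commit itself had to edit all four rules in lockstep, so the next port is easy to miss in one of them; nft variables allow `define marked_ports = { 80, 443, 853, 2222 }` once at the top of the ruleset and `tcp dport $marked_ports meta mark set 0x80000;` in each rule. The `udp ... 853` entries are the ones that carry DoQ while DoT is TCP only, so a one-line comment such as `# 853: DoT (tcp) and DoQ (udp)` would keep the UDP half from being treated as an accidental copy. The enclosing `''` string starts before this hunk.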