From 798e44fd1b7c30d52278150863d890ff17e193a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Sat, 10 May 2025 17:24:29 +0200
Subject: [PATCH] feat(networking): replace nextdns with self-hosted
 adguardhome

---
 system/networking.nix | 43 +++++++++++++++++++++++++++++--------------
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/system/networking.nix b/system/networking.nix
index 7aedcc2..3c50fc7 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -1,10 +1,25 @@
-{ config, ... }:
+{ config, lib, ... }:
 
+let
+  isAdguardHost = config.services.adguardhome.enable;
+  nameservers = {
+    local = [
+      "127.0.0.1"
+      "::1"
+    ];
+    remote = [
+      # LAN
+      "192.168.1.102#dns.felschr.com"
+      "fd1c:ca95:d74d::102#dns.felschr.com"
+
+      # Tailnet
+      "100.97.32.60#dns.felschr.com"
+      "fd7a:115c:a1e0::a0a1:203c#dns.felschr.com"
+    ];
+  };
+in
 {
-  networking.nameservers = [
-    "127.0.0.1"
-    "::1"
-  ];
+  networking.nameservers = if isAdguardHost then nameservers.local else nameservers.remote;
 
   networking.nftables.enable = true;
   networking.networkmanager = {
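Review bot: The `networking.nameservers` assignment in this hunk ends up in systemd-resolved's global `DNS=` setting, which resolved consults only for queries that no per-link resolver claims, so on a NetworkManager-managed link the DHCP-supplied servers would be preferred and the strict-DoT AdGuard path silently bypassed; whether NetworkManager is told not to hand its DHCP DNS to resolved is decided in the `networking.networkmanager` block that starts on the last hunk line and continues outside the hunk. If that is already configured, a comment here would save the next reader the check, e.g. `# resolved global DNS=; NM must not push per-link DHCP DNS or these are bypassed`. The `if isAdguardHost then … else …` line is also well over 80 columns and reads better split across `if`/`then`/`else`.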
@@ -20,15 +35,15 @@
   services.dnsmasq.enable = false;
   services.resolved = {
     enable = true;
-    # don't use fallback resolvers
-    fallbackDns = [ ];
-  };
-
-  services.nextdns = {
-    enable = true;
-    arguments = [
-      "-config"
-      "b8e2f7"
+    dnsovertls = if isAdguardHost then "opportunistic" else "true";
+    fallbackDns = [
+      "194.242.2.2#dns.mullvad.net"
+      "194.242.2.4#base.dns.mullvad.net"
+      "1.1.1.1#one.one.one.one"
+      "1.0.0.1#one.one.one.one"
     ];
+    extraConfig = lib.mkIf isAdguardHost ''
+      DNSStubListener=no
+    '';
   };
 }
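Review bot: The new `fallbackDns` list replaces an explicit empty list whose comment documented that fallbacks were deliberately disabled, and the Mullvad and Cloudflare entries sit outside the AdGuard filtering path; resolved uses `FallbackDNS=` only when it knows no other DNS server at all, so the bypass is narrow, but the reason for accepting it should be recorded, e.g. `# Public DoT fallbacks: only used when no DNS server is known at all, and unfiltered`. On the AdGuard host `dnsovertls` is `opportunistic`, so if the fallbacks are ever reached there they can be downgraded to plaintext; keeping the old behaviour on that host would be `fallbackDns = if isAdguardHost then [ ] else [ … ];` rather than leaving the option unset, since an unset value would fall back to resolved's compiled-in defaults.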