parent
a3da0a3163
commit
c4e797e880
1 changed files with 47 additions and 13 deletions
|
@ -3,6 +3,12 @@
|
|||
let
|
||||
cfg = config.services.adguardhome;
|
||||
host = "dns.felschr.com";
|
||||
|
||||
ports = {
|
||||
plain = 53;
|
||||
tls = 853;
|
||||
doh = 10443;
|
||||
};
|
||||
in
|
||||
{
|
||||
services.adguardhome = {
|
||||
|
@ -22,14 +28,14 @@ in
|
|||
enabled = true;
|
||||
server_name = host;
|
||||
port_https = 0;
|
||||
port_dns_over_tls = 853;
|
||||
port_dns_over_quic = 853;
|
||||
port_dns_over_tls = ports.tls;
|
||||
port_dns_over_quic = ports.tls;
|
||||
port_dnscrypt = 0;
|
||||
force_https = false; # handled by nginx
|
||||
allow_unencrypted_doh = true;
|
||||
strict_sni_check = false;
|
||||
certificate_path = "/run/credentials/adguardhome.service/fullchain.pem";
|
||||
private_key_path = "/run/credentials/adguardhome.service/key.pem";
|
||||
certificate_path = "${config.security.acme.certs."${host}".directory}/fullchain.pem";
|
||||
private_key_path = "${config.security.acme.certs."${host}".directory}/key.pem";
|
||||
};
|
||||
# HINT: users needs to be set up manually:
|
||||
# https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
|
||||
|
@ -76,22 +82,50 @@ in
|
|||
enabled = true;
|
||||
}
|
||||
];
|
||||
log.verbose = true;
|
||||
};
|
||||
};
|
||||
|
||||
# AdGuardHome's built-in DoH gives me Bad Request responses for some reason
|
||||
# So, I instead use `doh-server` as a proxy for now.
|
||||
services.doh-server = {
|
||||
enable = true;
|
||||
settings = {
|
||||
listen = [ ":${toString ports.doh}" ];
|
||||
upstream = [ "udp:127.0.0.1:${toString ports.plain}" ];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.adguardhome.serviceConfig = {
|
||||
LoadCredential = [
|
||||
"fullchain.pem:/var/lib/acme/${host}/fullchain.pem"
|
||||
"key.pem:/var/lib/acme/${host}/key.pem"
|
||||
SupplementaryGroups = [
|
||||
"acme"
|
||||
"nginx"
|
||||
];
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."${host}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString cfg.port}";
|
||||
services.nginx = {
|
||||
virtualHosts."${host}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
http3 = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://localhost:${toString cfg.port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
"/dns-query" = {
|
||||
proxyPass = "http://localhost:${toString ports.doh}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 853 ];
|
||||
networking.firewall.allowedUDPPorts = [ 853 ];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
53 # Plain DNS
|
||||
853 # DNS over TLS / QUIC
|
||||
];
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
53 # Plain DNS
|
||||
853 # DNS over TLS / QUIC
|
||||
];
|
||||
}
|
||||
|
|
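Review bot: Opening 53/tcp and 53/udp in `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` (end of the last hunk) exposes plain DNS on a host published as `dns.felschr.com` to every source address, and unless AdGuardHome restricts clients this is an open resolver usable for DNS amplification; nothing in this diff shows a `dns.allowed_clients` setting or equivalent, so either confirm it exists in the part of `services.adguardhome.settings` outside these hunks, or restrict the rule, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -p udp --dport 53 -s <trusted-cidr> -j nixos-fw-accept";`, or keep only 853 as before. Separately, the new `services.doh-server` binds `listen = [ ":${toString ports.doh}" ]` on all interfaces although only the local nginx `/dns-query` location talks to it; `listen = [ "127.0.0.1:${toString ports.doh}" ];` keeps the unencrypted DoH hop off the network regardless of firewall state (today only the firewall stops it). Replacing `LoadCredential` with `SupplementaryGroups = [ "acme" "nginx" ]` also widens the service from a systemd-copied private key to group-read access on everything those two groups own; if this was done for certificate renewal handling, a short comment on the `SupplementaryGroups` line saying so would prevent it from being reverted as a least-privilege regression. The `services.adguardhome.settings` block that the allow-list would live in starts and ends outside this hunk.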