parent
a3da0a3163
commit
c4e797e880
1 changed files with 47 additions and 13 deletions
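--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -3,6 +3,12 @@
 let
 cfg = config.services.adguardhome;
 host = "dns.felschr.com";
+
+ports = {
+plain = 53;
+tls = 853;
+doh = 10443;
+};
 in
 {
 services.adguardhome = {
@@ -22,14 +28,14 @@ in
 enabled = true;
 server_name = host;
 port_https = 0;
-port_dns_over_tls = 853;
-port_dns_over_quic = 853;
+port_dns_over_tls = ports.tls;
+port_dns_over_quic = ports.tls;
 port_dnscrypt = 0;
 force_https = false; # handled by nginx
 allow_unencrypted_doh = true;
 strict_sni_check = false;
-certificate_path = "/run/credentials/adguardhome.service/fullchain.pem";
-private_key_path = "/run/credentials/adguardhome.service/key.pem";
+certificate_path = "${config.security.acme.certs."${host}".directory}/fullchain.pem";
+private_key_path = "${config.security.acme.certs."${host}".directory}/key.pem";
 };
 # HINT: users needs to be set up manually:
 # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
@@ -76,22 +82,50 @@ in
 enabled = true;
 }
 ];
+log.verbose = true;
+};
+};
+
+# AdGuardHome's built-in DoH gives me Bad Request responses for some reason
+# So, I instead use `doh-server` as a proxy for now.
+services.doh-server = {
+enable = true;
+settings = {
+listen = [ ":${toString ports.doh}" ];
+upstream = [ "udp:127.0.0.1:${toString ports.plain}" ];
 };
 };
 
 systemd.services.adguardhome.serviceConfig = {
-LoadCredential = [
-"fullchain.pem:/var/lib/acme/${host}/fullchain.pem"
-"key.pem:/var/lib/acme/${host}/key.pem"
+SupplementaryGroups = [
+"acme"
+"nginx"
 ];
 };
 
-services.nginx.virtualHosts."${host}" = {
-enableACME = true;
-forceSSL = true;
-locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+services.nginx = {
+virtualHosts."${host}" = {
+enableACME = true;
+forceSSL = true;
+http3 = true;
+locations = {
+"/" = {
+proxyPass = "http://localhost:${toString cfg.port}";
+proxyWebsockets = true;
+};
+"/dns-query" = {
+proxyPass = "http://localhost:${toString ports.doh}";
+};
+};
+};
 };
 
-networking.firewall.allowedTCPPorts = [ 853 ];
-networking.firewall.allowedUDPPorts = [ 853 ];
+networking.firewall.allowedTCPPorts = [
+53 # Plain DNS
+853 # DNS over TLS / QUIC
+];
+networking.firewall.allowedUDPPorts = [
+53 # Plain DNS
+853 # DNS over TLS / QUIC
+];
 }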
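Review bot: Replacing `LoadCredential` with `SupplementaryGroups = [ "acme" "nginx" ]` in the `systemd.services.adguardhome.serviceConfig` hunk widens the service's access from two copied files to every certificate and key readable by the `acme` group (plus whatever the `nginx` group owns), a step away from the least privilege the credential mechanism gave. If the switch was made because the credential copies were stale after renewal, `LoadCredential` can stay and the renewal be handled with a `security.acme.certs."${host}".reloadServices = [ "adguardhome.service" ];` entry, so the group memberships could likely be dropped; the `"nginx"` entry in particular has no visible consumer in this hunk. In the `services.doh-server` block, `listen = [ ":${toString ports.doh}" ];` binds the plaintext DoH proxy on every interface although only the nginx `/dns-query` location on localhost talks to it; `listen = [ "127.0.0.1:${toString ports.doh}" ];` would match the `upstream` entry and keep it off the network even if the firewall is relaxed later. The firewall now also opens 53/TCP and 53/UDP, so unless AdGuardHome's DNS bind address (set outside this hunk) is limited to a local or LAN address, a plain resolver becomes reachable by anything that can reach the host. The enclosing module attribute set starts before this hunk.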