From 43cb9890c9b6cfa66468178387c578cacd0da88f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Sat, 10 May 2025 15:56:47 +0200
Subject: [PATCH 1/3] feat(networking): enable systemd-networkd

---
 system/networking.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/system/networking.nix b/system/networking.nix
index 24e8003..7aedcc2 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -5,7 +5,17 @@
     "127.0.0.1"
     "::1"
   ];
-  networking.networkmanager.dns = "systemd-resolved";
+
+  networking.nftables.enable = true;
+  networking.networkmanager = {
+    enable = true;
+    dns = "systemd-resolved";
+  };
+
+  systemd.network = {
+    enable = true;
+    wait-online.ignoredInterfaces = [ "tailscale0" ];
+  };
 
   services.dnsmasq.enable = false;
   services.resolved = {

From 09554029fe8934789b7b25e55673f219c706624a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Sat, 10 May 2025 16:58:42 +0200
Subject: [PATCH 2/3] feat(services): add adguardhome

---
 hosts/home-server/default.nix |   2 +
 services/adguardhome.nix      | 107 ++++++++++++++++++++++++++++++++++
 system/server.nix             |   8 +--
 3 files changed, 113 insertions(+), 4 deletions(-)
 create mode 100644 services/adguardhome.nix

diff --git a/hosts/home-server/default.nix b/hosts/home-server/default.nix
index a5a4471..3080828 100644
--- a/hosts/home-server/default.nix
+++ b/hosts/home-server/default.nix
@@ -24,6 +24,7 @@ in
     ../../virtualisation/containers.nix
     ../../virtualisation/podman.nix
     ../../modules/inadyn.nix
+    ../../services/adguardhome.nix
     ../../modules/systemdNotify.nix
     ../../services/postgres
     ../../services/mail.nix
@@ -87,6 +88,7 @@ in
   ''}";
   services.inadyn.domains = [
     "felschr.com"
+    "dns.felschr.com"
     "openpgpkey.felschr.com"
     "ldap.felschr.com"
     "auth.felschr.com"
diff --git a/services/adguardhome.nix b/services/adguardhome.nix
new file mode 100644
index 0000000..2cbe302
--- /dev/null
+++ b/services/adguardhome.nix
@@ -0,0 +1,107 @@
+{ config, ... }:
+
+let
+  cfg = config.services.adguardhome;
+  host = "dns.felschr.com";
+in
+{
+  services.adguardhome = {
+    enable = true;
+    settings = {
+      dns = {
+        upstream_dns = [
+          "https://dns.mullvad.net/dns-query"
+        ];
+        fallback_dns = [
+          "https://1.1.1.1/dns-query"
+        ];
+        enable_dnssec = true;
+      };
+      # encryption
+      tls = {
+        enabled = true;
+        server_name = host;
+        port_https = 0;
+        port_dns_over_tls = 853;
+        port_dns_over_quic = 853;
+        port_dnscrypt = 0;
+        force_https = false; # handled by nginx
+        allow_unencrypted_doh = true;
+        strict_sni_check = false;
+        certificate_path = "/run/credentials/adguardhome.service/fullchain.pem";
+        private_key_path = "/run/credentials/adguardhome.service/key.pem";
+      };
+      # HINT: users needs to be set up manually:
+      # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
+      # users = [ { name = "felschr"; } ];
+      querylog = {
+        enabled = true;
+        interval = "24h";
+      };
+      statistics = {
+        enabled = true;
+        interval = "24h";
+      };
+      filtering = {
+        protection_enabled = true;
+        filtering_enabled = true;
+        safe_search.enabled = true;
+        rewrites = [
+          {
+            domain = "felschr.com";
+            answer = "home-server.tail05275.ts.net";
+          }
+          {
+            domain = "*.felschr.com";
+            answer = "home-server.tail05275.ts.net";
+          }
+        ];
+      };
+      filters = [
+        {
+          name = "HaGeZi Multi Pro";
+          url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt";
+          enabled = true;
+        }
+        {
+          name = "OISD (Big)";
+          url = "https://big.oisd.nl";
+          enabled = false;
+        }
+        {
+          name = "AdGuard DNS filter";
+          url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
+          enabled = false;
+        }
+      ];
+      whitelist_filters = [
+        {
+          name = "HaGeZi Whitelist-Referral";
+          url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-referral.txt";
+          enabled = true;
+        }
+        {
+          name = "Hagezi Whitelist-UrlShortener";
+          url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-urlshortener.txt";
+          enabled = true;
+        }
+      ];
+    };
+  };
+
+  systemd.services.adguardhome.serviceConfig = {
+    LoadCredential = [
+      "fullchain.pem:/var/lib/acme/${host}/fullchain.pem"
+      "key.pem:/var/lib/acme/${host}/key.pem"
+    ];
+  };
+
+  services.nginx.virtualHosts."${host}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 853 ];
+  networking.firewall.allowedUDPPorts = [ 853 ];
+}
diff --git a/system/server.nix b/system/server.nix
index 2d466a8..f4cfa1a 100644
--- a/system/server.nix
+++ b/system/server.nix
@@ -15,14 +15,14 @@
     table inet allow-incoming-traffic {
       chain allow-incoming {
         type filter hook input priority -100; policy accept;
-        tcp dport {80, 443, 2222} meta mark set 0x80000;
-        udp dport {80, 443, 2222} meta mark set 0x80000;
+        tcp dport {80, 443, 853, 2222} meta mark set 0x80000;
+        udp dport {80, 443, 853, 2222} meta mark set 0x80000;
       }
 
       chain allow-outgoing {
         type route hook output priority -100; policy accept;
-        tcp sport {80, 443, 2222} meta mark set 0x80000;
-        udp sport {80, 443, 2222} meta mark set 0x80000;
+        tcp sport {80, 443, 853, 2222} meta mark set 0x80000;
+        udp sport {80, 443, 853, 2222} meta mark set 0x80000;
       }
     }
   '';

From 3fbf1a443639df142c142510bf35dd6374b4ae34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Sat, 10 May 2025 17:24:29 +0200
Subject: [PATCH 3/3] feat(networking): replace nextdns with self-hosted
 adguardhome

---
 system/networking.nix | 43 +++++++++++++++++++++++++++++--------------
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/system/networking.nix b/system/networking.nix
index 7aedcc2..3c50fc7 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -1,10 +1,25 @@
-{ config, ... }:
+{ config, lib, ... }:
 
+let
+  isAdguardHost = config.services.adguardhome.enable;
+  nameservers = {
+    local = [
+      "127.0.0.1"
+      "::1"
+    ];
+    remote = [
+      # LAN
+      "192.168.1.102#dns.felschr.com"
+      "fd1c:ca95:d74d::102#dns.felschr.com"
+
+      # Tailnet
+      "100.97.32.60#dns.felschr.com"
+      "fd7a:115c:a1e0::a0a1:203c#dns.felschr.com"
+    ];
+  };
+in
 {
-  networking.nameservers = [
-    "127.0.0.1"
-    "::1"
-  ];
+  networking.nameservers = if isAdguardHost then nameservers.local else nameservers.remote;
 
   networking.nftables.enable = true;
   networking.networkmanager = {
@@ -20,15 +35,15 @@
   services.dnsmasq.enable = false;
   services.resolved = {
     enable = true;
-    # don't use fallback resolvers
-    fallbackDns = [ ];
-  };
-
-  services.nextdns = {
-    enable = true;
-    arguments = [
-      "-config"
-      "b8e2f7"
+    dnsovertls = if isAdguardHost then "opportunistic" else "true";
+    fallbackDns = [
+      "194.242.2.2#dns.mullvad.net"
+      "194.242.2.4#base.dns.mullvad.net"
+      "1.1.1.1#one.one.one.one"
+      "1.0.0.1#one.one.one.one"
     ];
+    extraConfig = lib.mkIf isAdguardHost ''
+      DNSStubListener=no
+    '';
   };
 }