From 43cb9890c9b6cfa66468178387c578cacd0da88f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com> Date: Sat, 10 May 2025 15:56:47 +0200 Subject: [PATCH 1/3] feat(networking): enable systemd-networkd --- system/networking.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/system/networking.nix b/system/networking.nix index 24e8003..7aedcc2 100644 --- a/system/networking.nix +++ b/system/networking.nix @@ -5,7 +5,17 @@ "127.0.0.1" "::1" ]; - networking.networkmanager.dns = "systemd-resolved"; + + networking.nftables.enable = true; + networking.networkmanager = { + enable = true; + dns = "systemd-resolved"; + }; + + systemd.network = { + enable = true; + wait-online.ignoredInterfaces = [ "tailscale0" ]; + }; services.dnsmasq.enable = false; services.resolved = { From 09554029fe8934789b7b25e55673f219c706624a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com> Date: Sat, 10 May 2025 16:58:42 +0200 Subject: [PATCH 2/3] feat(services): add adguardhome --- hosts/home-server/default.nix | 2 + services/adguardhome.nix | 107 ++++++++++++++++++++++++++++++++++ system/server.nix | 8 +-- 3 files changed, 113 insertions(+), 4 deletions(-) create mode 100644 services/adguardhome.nix diff --git a/hosts/home-server/default.nix b/hosts/home-server/default.nix index a5a4471..3080828 100644 --- a/hosts/home-server/default.nix +++ b/hosts/home-server/default.nix @@ -24,6 +24,7 @@ in ../../virtualisation/containers.nix ../../virtualisation/podman.nix ../../modules/inadyn.nix + ../../services/adguardhome.nix ../../modules/systemdNotify.nix ../../services/postgres ../../services/mail.nix @@ -87,6 +88,7 @@ in ''}"; services.inadyn.domains = [ "felschr.com" + "dns.felschr.com" "openpgpkey.felschr.com" "ldap.felschr.com" "auth.felschr.com" diff --git a/services/adguardhome.nix b/services/adguardhome.nix new file mode 100644 index 0000000..2cbe302 --- /dev/null +++ b/services/adguardhome.nix 
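Review bot: `systemd.network.enable = true` is added right next to `networking.networkmanager.enable = true`, and nothing in the hunk says which daemon is meant to own which interface; unless the part of the file outside this hunk (or `networking.networkmanager.unmanaged`) scopes them, NetworkManager and systemd-networkd will both try to manage the same links. If the only goal is the `wait-online.ignoredInterfaces = [ "tailscale0" ]` knob, note that on a NetworkManager host `network-online.target` is also gated by NetworkManager-wait-online, which this setting does not touch, so the boot-time stall it is presumably meant to avoid may remain. A one-line comment above `systemd.network`, such as `# networkd runs alongside NetworkManager for <reason>; tailscale0 must not delay network-online.target`, would make the intent reviewable.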
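Review bot: Adding `dns.felschr.com` to `services.inadyn.domains` publishes the server's public address under the resolver name, while the new adguardhome module in this same patch opens TCP and UDP 853 on every interface with `strict_sni_check = false` and no `dns.allowed_clients`, so the DoT/DoQ endpoint becomes an Internet-reachable open resolver if the router forwards 853 (which the diff cannot show). The resolved configuration in the last patch only ever points clients at the LAN and tailnet addresses, so restricting the listener to those paths seems to match the intent, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 853 ];` plus the LAN interface (and the UDP counterparts), or `settings.dns.allowed_clients` with the LAN and tailnet ranges. If public exposure is deliberate, a comment on the firewall lines saying so would stop the next reader from "fixing" it.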
@@ -0,0 +1,107 @@
+{ config, ... }:
+
+let
+ cfg = config.services.adguardhome;
+ host = "dns.felschr.com";
+in
+{
+ services.adguardhome = {
+ enable = true;
+ settings = {
+ dns = {
+ upstream_dns = [
+ "https://dns.mullvad.net/dns-query"
+ ];
+ fallback_dns = [
+ "https://1.1.1.1/dns-query"
+ ];
+ enable_dnssec = true;
+ };
+ # encryption
+ tls = {
+ enabled = true;
+ server_name = host;
+ port_https = 0;
+ port_dns_over_tls = 853;
+ port_dns_over_quic = 853;
+ port_dnscrypt = 0;
+ force_https = false; # handled by nginx
+ allow_unencrypted_doh = true;
+ strict_sni_check = false;
+ certificate_path = "/run/credentials/adguardhome.service/fullchain.pem";
+ private_key_path = "/run/credentials/adguardhome.service/key.pem";
+ };
+ # HINT: users needs to be set up manually:
+ # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
+ # users = [ { name = "felschr"; } ];
+ querylog = {
+ enabled = true;
+ interval = "24h";
+ };
+ statistics = {
+ enabled = true;
+ interval = "24h";
+ };
+ filtering = {
+ protection_enabled = true;
+ filtering_enabled = true;
+ safe_search.enabled = true;
+ rewrites = [
+ {
+ domain = "felschr.com";
+ answer = "home-server.tail05275.ts.net";
+ }
+ {
+ domain = "*.felschr.com";
+ answer = "home-server.tail05275.ts.net";
+ }
+ ];
+ };
+ filters = [
+ {
+ name = "HaGeZi Multi Pro";
+ url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt";
+ enabled = true;
+ }
+ {
+ name = "OISD (Big)";
+ url = "https://big.oisd.nl";
+ enabled = false;
+ }
+ {
+ name = "AdGuard DNS filter";
+ url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
+ enabled = false;
+ }
+ ];
+ whitelist_filters = [
+ {
+ name = "HaGeZi Whitelist-Referral";
+ url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-referral.txt";
+ enabled = true;
+ }
+ {
+ name = "Hagezi Whitelist-UrlShortener";
+ url = 
"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-urlshortener.txt"; + enabled = true; + } + ]; + }; + }; + + systemd.services.adguardhome.serviceConfig = { + LoadCredential = [ + "fullchain.pem:/var/lib/acme/${host}/fullchain.pem" + "key.pem:/var/lib/acme/${host}/key.pem" + ]; + }; + + services.nginx.virtualHosts."${host}" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://localhost:${toString cfg.port}"; + }; + + networking.firewall.allowedTCPPorts = [ 853 ]; + networking.firewall.allowedUDPPorts = [ 853 ]; +} diff --git a/system/server.nix b/system/server.nix index 2d466a8..f4cfa1a 100644 --- a/system/server.nix +++ b/system/server.nix @@ -15,14 +15,14 @@ table inet allow-incoming-traffic { chain allow-incoming { type filter hook input priority -100; policy accept; - tcp dport {80, 443, 2222} meta mark set 0x80000; - udp dport {80, 443, 2222} meta mark set 0x80000; + tcp dport {80, 443, 853, 2222} meta mark set 0x80000; + udp dport {80, 443, 853, 2222} meta mark set 0x80000; } chain allow-outgoing { type route hook output priority -100; policy accept; - tcp sport {80, 443, 2222} meta mark set 0x80000; - udp sport {80, 443, 2222} meta mark set 0x80000; + tcp sport {80, 443, 853, 2222} meta mark set 0x80000; + udp sport {80, 443, 853, 2222} meta mark set 0x80000; } } ''; From 3fbf1a443639df142c142510bf35dd6374b4ae34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com> Date: Sat, 10 May 2025 17:24:29 +0200 Subject: [PATCH 3/3] feat(networking): replace nextdns with self-hosted adguardhome --- system/networking.nix | 43 +++++++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/system/networking.nix b/system/networking.nix index 7aedcc2..3c50fc7 100644 --- a/system/networking.nix +++ b/system/networking.nix 
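Review bot: The TLS material is handed to AdGuardHome through `LoadCredential`, which copies `/var/lib/acme/dns.felschr.com/{fullchain,key}.pem` once at unit start, so the renewed certificate that nginx reloads on its own never reaches the DoT/DoQ listener until `adguardhome.service` is restarted; add `security.acme.certs."${host}".reloadServices = [ "adguardhome.service" ];` beside the `LoadCredential` block. Because the clients in the last patch use `dnsovertls = "true"` against this name, an expired certificate means every remote client loses name resolution rather than degrading. Separately, the HINT comment says users are created by hand after deployment, and as far as I understand AdGuardHome an empty `users` list serves the dashboard with no authentication at all, so between deploy and that manual step the UI behind the `forceSSL` vhost on the public name is open; restricting `locations."/"` to the LAN/tailnet with nginx `allow`/`deny` while keeping only `/dns-query` public would close that window without affecting DoH clients.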
@@ -1,10 +1,25 @@ -{ config, ... }: +{ config, lib, ... }: +let + isAdguardHost = config.services.adguardhome.enable; + nameservers = { + local = [ + "127.0.0.1" + "::1" + ]; + remote = [ + # LAN + "192.168.1.102#dns.felschr.com" + "fd1c:ca95:d74d::102#dns.felschr.com" + + # Tailnet + "100.97.32.60#dns.felschr.com" + "fd7a:115c:a1e0::a0a1:203c#dns.felschr.com" + ]; + }; +in { - networking.nameservers = [ - "127.0.0.1" - "::1" - ]; + networking.nameservers = if isAdguardHost then nameservers.local else nameservers.remote; networking.nftables.enable = true; networking.networkmanager = { @@ -20,15 +35,15 @@ services.dnsmasq.enable = false; services.resolved = { enable = true; - # don't use fallback resolvers - fallbackDns = [ ]; - }; - - services.nextdns = { - enable = true; - arguments = [ - "-config" - "b8e2f7" + dnsovertls = if isAdguardHost then "opportunistic" else "true"; + fallbackDns = [ + "194.242.2.2#dns.mullvad.net" + "194.242.2.4#base.dns.mullvad.net" + "1.1.1.1#one.one.one.one" + "1.0.0.1#one.one.one.one" ]; + extraConfig = lib.mkIf isAdguardHost '' + DNSStubListener=no + ''; }; }
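Review bot: `fallbackDns` reintroduces public resolvers (Mullvad, Cloudflare) where the removed lines had `fallbackDns = [ ]` with the comment `# don't use fallback resolvers`, and the hunk does not say why the policy changed. systemd-resolved consults `FallbackDNS=` only when it knows no DNS server at all, not when the configured ones fail, so with `networking.nameservers` always populated these entries are rarely used as a safety net, and on the AdGuard host `dnsovertls = "opportunistic"` would additionally allow such a query to downgrade to plaintext. Either restore the empty list, or keep it with a comment stating the intent, e.g. `# consulted by resolved only when no other DNS server is known; never a failover for dns.felschr.com`. The `dnsovertls` conditional also deserves a line: `# the AdGuard host talks to 127.0.0.1:53 in the clear; every other host must validate the dns.felschr.com certificate`.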