Added adguardhome service

flake.lock

@@ -1,5 +1,29 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": [],
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1684153753,
+        "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "deploy-rs": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -74,15 +98,16 @@
         "flake-utils": "flake-utils"
       },
       "locked": {
-        "lastModified": 1657226504,
-        "narHash": "sha256-GIYNjuq4mJlFgqKsZ+YrgzWm0IpA4axA3MCrdKYj7gs=",
-        "owner": "gytis-ivaskevicius",
+        "lastModified": 1683999906,
+        "narHash": "sha256-LZprVmOTM+3iykh248bajobX9ludnMC/Ai5rOqimtFc=",
+        "owner": "ravensiris",
         "repo": "flake-utils-plus",
-        "rev": "2bf0f91643c2e5ae38c1b26893ac2927ac9bd82a",
+        "rev": "7a8d789d4d13e45d20e6826d7b2a1757d52f2e13",
         "type": "github"
       },
       "original": {
-        "owner": "gytis-ivaskevicius",
+        "owner": "ravensiris",
+        "ref": "ravensiris/fix-devshell-legacy-packages",
         "repo": "flake-utils-plus",
         "type": "github"
       }
@@ -94,11 +119,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687506590,
-        "narHash": "sha256-CSou9mrG9h/WVRjCptfTrATVxvhmtdQXElmWV/ZkrAs=",
+        "lastModified": 1688220547,
+        "narHash": "sha256-cNKKLPaEOxd6t22Mt3tHGubyylbKGdoi2A3QkMTKes0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d2b6f2d154bf6b27a93ed895392f80c503df7cfa",
+        "rev": "89d10f8adce369a80e046c2fd56d1e7b7507bb5b",
         "type": "github"
       },
       "original": {
@@ -110,11 +135,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1687049841,
-        "narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=",
+        "lastModified": 1687654967,
+        "narHash": "sha256-ki8vItcjn8Z8n+QD9NEoCQbbbG7VzWy71hyOkFFwCkM=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5",
+        "rev": "b3ec8fb525fc0c8f08eff5ef93c684b4c6d0e777",
         "type": "github"
       },
       "original": {
@@ -131,11 +156,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1687398392,
-        "narHash": "sha256-T6kc3NMTpGJk1/dve8PGupeVcxboEb78xtTKhe3LL/A=",
+        "lastModified": 1688003049,
+        "narHash": "sha256-5oSxbv8OVSg2dOvycJ9eisacxF8e52N0PVUFryWWJmE=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "649171f56a45af13ba693c156207eafbbbf7edfe",
+        "rev": "bde0bc291c95b710dd63d5e5c422e47f760a1406",
         "type": "github"
       },
       "original": {
@@ -146,11 +171,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1687502512,
-        "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
+        "lastModified": 1688049487,
+        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
+        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
         "type": "github"
       },
       "original": {
@@ -162,7 +187,9 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "deploy-rs": "deploy-rs",
+        "flake-utils-plus": "flake-utils-plus",
         "home-manager": "home-manager",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
@@ -172,7 +199,9 @@
     "snowfall-lib": {
       "inputs": {
         "flake-compat": "flake-compat_2",
-        "flake-utils-plus": "flake-utils-plus",
+        "flake-utils-plus": [
+          "flake-utils-plus"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]

flake.nix

@@ -4,6 +4,10 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
+    # Fixes #133
+    # See: https://github.com/gytis-ivaskevicius/flake-utils-plus/issues/133
+    flake-utils-plus.url = github:ravensiris/flake-utils-plus?ref=ravensiris/fix-devshell-legacy-packages;
+
     home-manager.url = "github:nix-community/home-manager/master";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -12,9 +16,15 @@
 
     snowfall-lib.url = "github:snowfallorg/lib";
     snowfall-lib.inputs.nixpkgs.follows = "nixpkgs";
+    snowfall-lib.inputs.flake-utils-plus.follows = "flake-utils-plus";
 
     deploy-rs.url = "github:serokell/deploy-rs";
     deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
+
+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.home-manager.follows = "home-manager";
+    agenix.inputs.darwin.follows = "";
   };
 
   outputs = inputs: let
@@ -30,6 +40,7 @@
 
       systems.modules = with inputs; [
         home-manager.nixosModules.home-manager
+        agenix.nixosModules.default
       ];
 
       deploy.nodes.node = {
@@ -38,7 +49,7 @@
           user = "root";
           sshUser = "alejandro";
           path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
-          sshOpts = [ "-A" ];
+          sshOpts = ["-A"];
         };
       };
 

modules/apps/yubikey/default.nix

@@ -17,6 +17,8 @@ in {
       yubikey-manager
       yubikey-agent
       yubico-pam
+      age-plugin-yubikey
+      rage
     ];
 
     services.pcscd.enable = true;

modules/services/adguardhome/default.nix

@@ -0,0 +1,89 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  format,
+  ...
+}:
+with lib; let
+  cfg = config.aa.services.openssh;
+in {
+  options.aa.services.adguardhome = with types; {
+    enable = mkEnableOption "adguardhome";
+  };
+
+  config = mkIf cfg.enable {
+    services.adguardhome = {
+      enable = true;
+      mutableSettings = true;
+      settings = {
+        bind_host = "0.0.0.0";
+        bind_port = 3000;
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      virtualHosts."adguardhome.kilonull.com" = {
+        forceSSL = true;
+        useACMEHost = "kilonull.com";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3000";
+        };
+      };
+    };
+
+    # So that nginx has access to the ACME certs
+    users.users.nginx.extraGroups = ["acme"];
+
+    age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
+
+    security.acme = {
+      # NOTE: Uncomment line below when testing changes
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      acceptTerms = true;
+      defaults.email = "iam@alejandr0angul0.dev";
+
+      # Wildcard cert
+      certs."kilonull.com" = {
+        dnsProvider = "cloudflare";
+        dnsResolver = "1.1.1.1:53";
+        credentialsFile = config.age.secrets.cf_dns_kilonull.path;
+        extraDomainNames = ["*.kilonull.com"];
+      };
+    };
+
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        # Plain DNS
+        53
+        # DHCP
+        68
+        # HTTP
+        80
+        # HTTPS
+        443
+        # DNS over TLS
+        853
+        # DNSCrypt
+        5443
+      ];
+      allowedUDPPorts = [
+        # Plain DNS
+        53
+        # DHCP
+        67
+        68
+        # DNS over QUIC
+        784
+        853
+        8853
+        # DNSCrypt
+        5443
+      ];
+    };
+  };
+}

modules/suites/utils/default.nix

@@ -3,6 +3,7 @@
   config,
   lib,
   pkgs,
+  inputs,
   ...
 }:
 with lib; let
@@ -15,6 +16,7 @@ in {
   config = mkIf cfg.enable {
     aa.apps.bat.enable = true;
     environment.systemPackages = with pkgs; [
+      inputs.agenix.packages.x86_64-linux.default
       alejandra
       curl
       deploy-rs
@@ -28,6 +30,9 @@ in {
       ripgrep
       usbutils
       wget
+      lsof
+      bind # for dig
+      tcpdump
     ];
   };
 }

secrets/identities/me.txt

@@ -0,0 +1 @@
+AGE-PLUGIN-YUBIKEY-18E3RSQVZ2ZQSDNS67QTTC

secrets/secrets.nix

@@ -0,0 +1,8 @@
+let
+  # Remember to pass '--identity identities/me.txt` when using this key
+  users.me = "age1yubikey1qdwgvfqrcqmyw56ux7azuvqr6f8nanszu27nztvxmn4utmplgxctzt90g25";
+
+  machines.node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv";
+in {
+  "cf_dns_kilonull.age".publicKeys = [users.me machines.node];
+}

systems/x86_64-linux/gospel/default.nix

@@ -51,7 +51,7 @@
     hostName = "gospel";
     useDHCP = false;
     defaultGateway = "192.168.113.1";
-    nameservers = ["1.1.1.1"];
+    nameservers = ["192.168.113.13"];
     interfaces.eno1.ipv4.addresses = [
       {
         address = "192.168.113.69"; # nice

systems/x86_64-linux/node/default.nix

@@ -9,10 +9,17 @@
   ];
 
   aa = {
-    nix.enable =  true;
+    nix.enable = true;
     nix.useSelfhostedCache = true;
 
+    services.tailscale = {
+      enable = true;
+      configureClientRouting = true;
+      configureServerRouting = true;
+    };
     services.openssh.enable = true;
+    services.adguardhome.enable = true;
+
     system.zfs.enable = true;
     system.monitoring.enable = true;
 
@@ -33,6 +40,19 @@
     execWheelOnly = true;
   };
 
+  networking = {
+    hostName = "node";
+    useDHCP = false;
+    defaultGateway = "192.168.113.1";
+    nameservers = ["127.0.0.1" "1.1.1.1"];
+    interfaces.enp7s0.ipv4.addresses = [
+      {
+        address = "192.168.113.13";
+        prefixLength = 24;
+      }
+    ];
+  };
+
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [