From af82d2ea596d1a78b09179777d3811bc470e9fcf Mon Sep 17 00:00:00 2001 From: Alejandro Angulo Date: Sun, 9 Jul 2023 08:24:54 -0700 Subject: [PATCH] Added adguardhome service --- flake.lock | 65 ++++++++++++----- flake.nix | 13 +++- modules/apps/yubikey/default.nix | 2 + modules/services/adguardhome/default.nix | 89 +++++++++++++++++++++++ modules/suites/utils/default.nix | 5 ++ secrets/cf_dns_kilonull.age | Bin 0 -> 566 bytes secrets/identities/me.txt | 1 + secrets/secrets.nix | 8 ++ systems/x86_64-linux/gospel/default.nix | 2 +- systems/x86_64-linux/node/default.nix | 22 +++++- 10 files changed, 186 insertions(+), 21 deletions(-) create mode 100644 modules/services/adguardhome/default.nix create mode 100644 secrets/cf_dns_kilonull.age create mode 100644 secrets/identities/me.txt create mode 100644 secrets/secrets.nix diff --git a/flake.lock b/flake.lock index 3d363a1..b1d044c 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,29 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "home-manager": [ + "home-manager" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1684153753, + "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "db5637d10f797bb251b94ef9040b237f4702cde3", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", 
@@ -74,15 +98,16 @@ "flake-utils": "flake-utils" }, "locked": { - "lastModified": 1657226504, - "narHash": "sha256-GIYNjuq4mJlFgqKsZ+YrgzWm0IpA4axA3MCrdKYj7gs=", - "owner": "gytis-ivaskevicius", + "lastModified": 1683999906, + "narHash": "sha256-LZprVmOTM+3iykh248bajobX9ludnMC/Ai5rOqimtFc=", + "owner": "ravensiris", "repo": "flake-utils-plus", - "rev": "2bf0f91643c2e5ae38c1b26893ac2927ac9bd82a", + "rev": "7a8d789d4d13e45d20e6826d7b2a1757d52f2e13", "type": "github" }, "original": { - "owner": "gytis-ivaskevicius", + "owner": "ravensiris", + "ref": "ravensiris/fix-devshell-legacy-packages", "repo": "flake-utils-plus", "type": "github" } @@ -94,11 +119,11 @@ ] }, "locked": { - "lastModified": 1687506590, - "narHash": "sha256-CSou9mrG9h/WVRjCptfTrATVxvhmtdQXElmWV/ZkrAs=", + "lastModified": 1688220547, + "narHash": "sha256-cNKKLPaEOxd6t22Mt3tHGubyylbKGdoi2A3QkMTKes0=", "owner": "nix-community", "repo": "home-manager", - "rev": "d2b6f2d154bf6b27a93ed895392f80c503df7cfa", + "rev": "89d10f8adce369a80e046c2fd56d1e7b7507bb5b", "type": "github" }, "original": { @@ -110,11 +135,11 @@ }, "nixlib": { "locked": { - "lastModified": 1687049841, - "narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=", + "lastModified": 1687654967, + "narHash": "sha256-ki8vItcjn8Z8n+QD9NEoCQbbbG7VzWy71hyOkFFwCkM=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5", + "rev": "b3ec8fb525fc0c8f08eff5ef93c684b4c6d0e777", "type": "github" }, "original": { @@ -131,11 +156,11 @@ ] }, "locked": { - "lastModified": 1687398392, - "narHash": "sha256-T6kc3NMTpGJk1/dve8PGupeVcxboEb78xtTKhe3LL/A=", + "lastModified": 1688003049, + "narHash": "sha256-5oSxbv8OVSg2dOvycJ9eisacxF8e52N0PVUFryWWJmE=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "649171f56a45af13ba693c156207eafbbbf7edfe", + "rev": "bde0bc291c95b710dd63d5e5c422e47f760a1406", "type": "github" }, "original": { 
@@ -146,11 +171,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1687502512,
-        "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
+        "lastModified": 1688049487,
+        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
+        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
         "type": "github"
       },
       "original": {
@@ -162,7 +187,9 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "deploy-rs": "deploy-rs",
+        "flake-utils-plus": "flake-utils-plus",
         "home-manager": "home-manager",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
@@ -172,7 +199,9 @@
     "snowfall-lib": {
       "inputs": {
         "flake-compat": "flake-compat_2",
-        "flake-utils-plus": "flake-utils-plus",
+        "flake-utils-plus": [
+          "flake-utils-plus"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]
diff --git a/flake.nix b/flake.nix
index 1056826..ae657b2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,10 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
+    # Fixes #133
+    # See: https://github.com/gytis-ivaskevicius/flake-utils-plus/issues/133
+    flake-utils-plus.url = github:ravensiris/flake-utils-plus?ref=ravensiris/fix-devshell-legacy-packages;
+
     home-manager.url = "github:nix-community/home-manager/master";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -12,9 +16,15 @@
 
     snowfall-lib.url = "github:snowfallorg/lib";
     snowfall-lib.inputs.nixpkgs.follows = "nixpkgs";
+    snowfall-lib.inputs.flake-utils-plus.follows = "flake-utils-plus";
 
     deploy-rs.url = "github:serokell/deploy-rs";
     deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
+
+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.home-manager.follows = "home-manager";
+    agenix.inputs.darwin.follows = "";
   };
 
   outputs = inputs: let
@@ -30,6 +40,7 @@
 
     systems.modules = with inputs; [
       home-manager.nixosModules.home-manager
+      agenix.nixosModules.default
     ];
 
     deploy.nodes.node = {
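Review bot: The new `flake-utils-plus.url` line pins the input to a personal fork on a mutable branch ref (`github:ravensiris/flake-utils-plus?ref=ravensiris/fix-devshell-legacy-packages`) rather than to a commit, and `snowfall-lib.inputs.flake-utils-plus.follows` now routes that fork into snowfall-lib as well. flake.lock currently locks it to rev `7a8d789d…` with a narHash, but any future `nix flake update` re-resolves the branch to whatever the fork owner has pushed or force-pushed, which is a weaker supply-chain posture than the upstream repo it replaces. Since this is a workaround for an upstream issue, pin the exact commit and say when to drop it, e.g. `# TODO: revert to gytis-ivaskevicius/flake-utils-plus once #133 is fixed upstream` followed by `flake-utils-plus.url = "github:ravensiris/flake-utils-plus?rev=7a8d789d4d13e45d20e6826d7b2a1757d52f2e13";`. Quoting the URL also avoids relying on Nix's deprecated bare URL-literal syntax, which the other inputs in this block do not use.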
@@ -38,7 +49,7 @@
       user = "root";
       sshUser = "alejandro";
       path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
-      sshOpts = [ "-A" ];
+      sshOpts = ["-A"];
     };
   };
 
diff --git a/modules/apps/yubikey/default.nix b/modules/apps/yubikey/default.nix
index 62c0228..f8af252 100644
--- a/modules/apps/yubikey/default.nix
+++ b/modules/apps/yubikey/default.nix
@@ -17,6 +17,8 @@ in {
       yubikey-manager
       yubikey-agent
       yubico-pam
+      age-plugin-yubikey
+      rage
     ];
 
     services.pcscd.enable = true;
diff --git a/modules/services/adguardhome/default.nix b/modules/services/adguardhome/default.nix
new file mode 100644
index 0000000..72592d1
--- /dev/null
+++ b/modules/services/adguardhome/default.nix
@@ -0,0 +1,89 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  format,
+  ...
+}:
+with lib; let
+  cfg = config.aa.services.openssh;
+in {
+  options.aa.services.adguardhome = with types; {
+    enable = mkEnableOption "adguardhome";
+  };
+
+  config = mkIf cfg.enable {
+    services.adguardhome = {
+      enable = true;
+      mutableSettings = true;
+      settings = {
+        bind_host = "0.0.0.0";
+        bind_port = 3000;
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      virtualHosts."adguardhome.kilonull.com" = {
+        forceSSL = true;
+        useACMEHost = "kilonull.com";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3000";
+        };
+      };
+    };
+
+    # So that nginx has access to the ACME certs
+    users.users.nginx.extraGroups = ["acme"];
+
+    age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
+
+    security.acme = {
+      # NOTE: Uncomment line below when testing changes
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      acceptTerms = true;
+      defaults.email = "iam@alejandr0angul0.dev";
+
+      # Wildcard cert
+      certs."kilonull.com" = {
+        dnsProvider = "cloudflare";
+        dnsResolver = "1.1.1.1:53";
+        credentialsFile = config.age.secrets.cf_dns_kilonull.path;
+        extraDomainNames = ["*.kilonull.com"];
+      };
+    };
+
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        # Plain DNS
+        53
+        # DHCP
+        68
+        # HTTP
+        80
+        # HTTPS
+        443
+        # DNS over TLS
+        853
+        # DNSCrypt
+        5443
+      ];
+      allowedUDPPorts = [
+        # Plain DNS
+        53
+        # DHCP
+        67
+        68
+        # DNS over QUIC
+        784
+        853
+        8853
+        # DNSCrypt
+        5443
+      ];
+    };
+  };
+}
diff --git a/modules/suites/utils/default.nix b/modules/suites/utils/default.nix
index d249ad8..d0931d2 100644
--- a/modules/suites/utils/default.nix
+++ b/modules/suites/utils/default.nix
@@ -3,6 +3,7 @@
   config,
   lib,
   pkgs,
+  inputs,
   ...
 }:
 with lib; let
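Review bot: `cfg = config.aa.services.openssh;` in the new module's `let` binding reads the wrong option: the module declares `options.aa.services.adguardhome`, so `mkIf cfg.enable` is keyed on whether the openssh module is enabled and `aa.services.adguardhome.enable` has no effect; it should be `cfg = config.aa.services.adguardhome;`. Separately, `bind_host = "0.0.0.0"` listens for the AdGuard Home admin UI on port 3000 on every interface even though nginx proxies it from `127.0.0.1:3000` and the firewall never opens 3000 — `bind_host = "127.0.0.1";` keeps the UI reachable only through the TLS vhost, and since `mutableSettings = true` means `settings` is only seeded on first start, that deserves a comment such as `# Only applied on first run; later changes come from the web UI`. The firewall also opens DHCP (67/68), DNSCrypt (5443) and DNS-over-QUIC ports that nothing in this module configures; presumably these are features to be switched on later in the UI, but each port is better opened only once the corresponding listener is actually enabled. Finally `options`, `pkgs` and `format` in the argument set are unused and can be dropped.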
@@ -15,6 +16,7 @@ in { config = mkIf cfg.enable { aa.apps.bat.enable = true; environment.systemPackages = with pkgs; [ + inputs.agenix.packages.x86_64-linux.default alejandra curl deploy-rs @@ -28,6 +30,9 @@ in { ripgrep usbutils wget + lsof + bind # for dig + tcpdump ]; }; } diff --git a/secrets/cf_dns_kilonull.age b/secrets/cf_dns_kilonull.age new file mode 100644 index 0000000000000000000000000000000000000000..315f0911b0d13d15b1f27c8532176ef4643213d9 GIT binary patch literal 566 zcmWm9%WKnc007`ADALKMZU~}|z(CQGrH^H4!3jy5=0VqFkLFQ_qxt2RM_cn~)8|D* zhvF1GDS~?1!HW!Jdf7oQ^Pop@inxPJWZ*ytL-DQq3qHQ02~p^PYTFBJ*BNrFCf10C z(9=k*W}#4z;dnHOsAU3LCZd8|M#5QBOh{Nef{}uut6Css%=je1*0m@u(GgsgwBZOD zVqHngV@=>BGlE`GiMY=DPN9rb+=O0tVJjiqI#&>tFhg%^p4~vb7(RmJIhyI12-&gh zjxRcL;HImIY?GIO-wJpM`l{HNG)bjA#nQ2)0&|fN+_m86*Bb zhoT7Zmra?~A8jfY-$KcAhs^LYC3r!Q&Z zFIa__;o91U_U6I-@e}>rM?2cHdTHg|^($Kg_aAm0J-e{;_qW}fyWWqEG6#0-*+0iC z@@zMnnme@qec)
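Review bot: `inputs.agenix.packages.x86_64-linux.default` hard-codes the system inside an otherwise architecture-neutral suite module, so the package is wrong (or fails to evaluate) if this suite is ever enabled on a non-x86_64 host. `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` resolves to the same derivation on the current x86_64-linux nodes while staying portable. The `environment.systemPackages` list begins inside the hunk, but the module's enclosing `config` block starts outside it.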