Added adguardhome service

2023-07-09 08:24:54 -07:00 · 2023-07-09 08:24:54 -07:00 · af82d2ea59
commit af82d2ea59
parent 52138eecee
10 changed files with 186 additions and 21 deletions
--- a/modules/apps/yubikey/default.nix
+++ b/modules/apps/yubikey/default.nix
@ -17,6 +17,8 @@ in {
      yubikey-manager
      yubikey-agent
      yubico-pam
+      age-plugin-yubikey
+      rage
    ];

    services.pcscd.enable = true;
--- a/modules/services/adguardhome/default.nix
+++ b/modules/services/adguardhome/default.nix
@ -0,0 +1,89 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  format,
+  ...
+}:
+with lib; let
+  cfg = config.aa.services.openssh;
+in {
+  options.aa.services.adguardhome = with types; {
+    enable = mkEnableOption "adguardhome";
+  };
+
+  config = mkIf cfg.enable {
+    services.adguardhome = {
+      enable = true;
+      mutableSettings = true;
+      settings = {
+        bind_host = "0.0.0.0";
+        bind_port = 3000;
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      virtualHosts."adguardhome.kilonull.com" = {
+        forceSSL = true;
+        useACMEHost = "kilonull.com";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3000";
+        };
+      };
+    };
+
+    # So that nginx has access to the ACME certs
+    users.users.nginx.extraGroups = ["acme"];
+
+    age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
+
+    security.acme = {
+      # NOTE: Uncomment line below when testing changes
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      acceptTerms = true;
+      defaults.email = "iam@alejandr0angul0.dev";
+
+      # Wildcard cert
+      certs."kilonull.com" = {
+        dnsProvider = "cloudflare";
+        dnsResolver = "1.1.1.1:53";
+        credentialsFile = config.age.secrets.cf_dns_kilonull.path;
+        extraDomainNames = ["*.kilonull.com"];
+      };
+    };
+
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        # Plain DNS
+        53
+        # DHCP
+        68
+        # HTTP
+        80
+        # HTTPS
+        443
+        # DNS over TLS
+        853
+        # DNSCrypt
+        5443
+      ];
+      allowedUDPPorts = [
+        # Plain DNS
+        53
+        # DHCP
+        67
+        68
+        # DNS over QUIC
+        784
+        853
+        8853
+        # DNSCrypt
+        5443
+      ];
+    };
+  };
+}
--- a/modules/suites/utils/default.nix
+++ b/modules/suites/utils/default.nix
@ -3,6 +3,7 @@
  config,
  lib,
  pkgs,
+  inputs,
  ...
 }:
 with lib; let
@ -15,6 +16,7 @@ in {
  config = mkIf cfg.enable {
    aa.apps.bat.enable = true;
    environment.systemPackages = with pkgs; [
+      inputs.agenix.packages.x86_64-linux.default
      alejandra
      curl
      deploy-rs
@ -28,6 +30,9 @@ in {
      ripgrep
      usbutils
      wget
+      lsof
+      bind # for dig
+      tcpdump
    ];
  };
 }