Added adguardhome service
This commit is contained in:
parent
52138eecee
commit
af82d2ea59
65
flake.lock
65
flake.lock
|
@ -1,5 +1,29 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"agenix": {
|
||||||
|
"inputs": {
|
||||||
|
"darwin": [],
|
||||||
|
"home-manager": [
|
||||||
|
"home-manager"
|
||||||
|
],
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1684153753,
|
||||||
|
"narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"deploy-rs": {
|
"deploy-rs": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
|
@ -74,15 +98,16 @@
|
||||||
"flake-utils": "flake-utils"
|
"flake-utils": "flake-utils"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1657226504,
|
"lastModified": 1683999906,
|
||||||
"narHash": "sha256-GIYNjuq4mJlFgqKsZ+YrgzWm0IpA4axA3MCrdKYj7gs=",
|
"narHash": "sha256-LZprVmOTM+3iykh248bajobX9ludnMC/Ai5rOqimtFc=",
|
||||||
"owner": "gytis-ivaskevicius",
|
"owner": "ravensiris",
|
||||||
"repo": "flake-utils-plus",
|
"repo": "flake-utils-plus",
|
||||||
"rev": "2bf0f91643c2e5ae38c1b26893ac2927ac9bd82a",
|
"rev": "7a8d789d4d13e45d20e6826d7b2a1757d52f2e13",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "gytis-ivaskevicius",
|
"owner": "ravensiris",
|
||||||
|
"ref": "ravensiris/fix-devshell-legacy-packages",
|
||||||
"repo": "flake-utils-plus",
|
"repo": "flake-utils-plus",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
@ -94,11 +119,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687506590,
|
"lastModified": 1688220547,
|
||||||
"narHash": "sha256-CSou9mrG9h/WVRjCptfTrATVxvhmtdQXElmWV/ZkrAs=",
|
"narHash": "sha256-cNKKLPaEOxd6t22Mt3tHGubyylbKGdoi2A3QkMTKes0=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "d2b6f2d154bf6b27a93ed895392f80c503df7cfa",
|
"rev": "89d10f8adce369a80e046c2fd56d1e7b7507bb5b",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -110,11 +135,11 @@
|
||||||
},
|
},
|
||||||
"nixlib": {
|
"nixlib": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687049841,
|
"lastModified": 1687654967,
|
||||||
"narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=",
|
"narHash": "sha256-ki8vItcjn8Z8n+QD9NEoCQbbbG7VzWy71hyOkFFwCkM=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nixpkgs.lib",
|
"repo": "nixpkgs.lib",
|
||||||
"rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5",
|
"rev": "b3ec8fb525fc0c8f08eff5ef93c684b4c6d0e777",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -131,11 +156,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687398392,
|
"lastModified": 1688003049,
|
||||||
"narHash": "sha256-T6kc3NMTpGJk1/dve8PGupeVcxboEb78xtTKhe3LL/A=",
|
"narHash": "sha256-5oSxbv8OVSg2dOvycJ9eisacxF8e52N0PVUFryWWJmE=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nixos-generators",
|
"repo": "nixos-generators",
|
||||||
"rev": "649171f56a45af13ba693c156207eafbbbf7edfe",
|
"rev": "bde0bc291c95b710dd63d5e5c422e47f760a1406",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -146,11 +171,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687502512,
|
"lastModified": 1688049487,
|
||||||
"narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
|
"narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
|
"rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -162,7 +187,9 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"agenix": "agenix",
|
||||||
"deploy-rs": "deploy-rs",
|
"deploy-rs": "deploy-rs",
|
||||||
|
"flake-utils-plus": "flake-utils-plus",
|
||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
"nixos-generators": "nixos-generators",
|
"nixos-generators": "nixos-generators",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
|
@ -172,7 +199,9 @@
|
||||||
"snowfall-lib": {
|
"snowfall-lib": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat_2",
|
"flake-compat": "flake-compat_2",
|
||||||
"flake-utils-plus": "flake-utils-plus",
|
"flake-utils-plus": [
|
||||||
|
"flake-utils-plus"
|
||||||
|
],
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
]
|
]
|
||||||
|
|
13
flake.nix
13
flake.nix
|
@ -4,6 +4,10 @@
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
|
|
||||||
|
# Fixes #133
|
||||||
|
# See: https://github.com/gytis-ivaskevicius/flake-utils-plus/issues/133
|
||||||
|
flake-utils-plus.url = github:ravensiris/flake-utils-plus?ref=ravensiris/fix-devshell-legacy-packages;
|
||||||
|
|
||||||
home-manager.url = "github:nix-community/home-manager/master";
|
home-manager.url = "github:nix-community/home-manager/master";
|
||||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
@ -12,9 +16,15 @@
|
||||||
|
|
||||||
snowfall-lib.url = "github:snowfallorg/lib";
|
snowfall-lib.url = "github:snowfallorg/lib";
|
||||||
snowfall-lib.inputs.nixpkgs.follows = "nixpkgs";
|
snowfall-lib.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
snowfall-lib.inputs.flake-utils-plus.follows = "flake-utils-plus";
|
||||||
|
|
||||||
deploy-rs.url = "github:serokell/deploy-rs";
|
deploy-rs.url = "github:serokell/deploy-rs";
|
||||||
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
agenix.url = "github:ryantm/agenix";
|
||||||
|
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
agenix.inputs.home-manager.follows = "home-manager";
|
||||||
|
agenix.inputs.darwin.follows = "";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs: let
|
outputs = inputs: let
|
||||||
|
@ -30,6 +40,7 @@
|
||||||
|
|
||||||
systems.modules = with inputs; [
|
systems.modules = with inputs; [
|
||||||
home-manager.nixosModules.home-manager
|
home-manager.nixosModules.home-manager
|
||||||
|
agenix.nixosModules.default
|
||||||
];
|
];
|
||||||
|
|
||||||
deploy.nodes.node = {
|
deploy.nodes.node = {
|
||||||
|
@ -38,7 +49,7 @@
|
||||||
user = "root";
|
user = "root";
|
||||||
sshUser = "alejandro";
|
sshUser = "alejandro";
|
||||||
path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
|
path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
|
||||||
sshOpts = [ "-A" ];
|
sshOpts = ["-A"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
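Review bot: The new `flake-utils-plus.url = github:ravensiris/flake-utils-plus?ref=ravensiris/fix-devshell-legacy-packages;` line in the first hunk points the build at a moving branch on a personal fork, so every future `nix flake update` pulls whatever that branch holds at the time; the lock file in this same commit already resolves it to rev 7a8d789d4d13e45d20e6826d7b2a1757d52f2e13, so pinning the input to that commit costs nothing. It is also the only input written as an unquoted URL literal, which Nix flags as deprecated syntax and which reads differently from the quoted neighbours. Suggested form: `flake-utils-plus.url = "github:ravensiris/flake-utils-plus/7a8d789d4d13e45d20e6826d7b2a1757d52f2e13";` with the issue-133 comment kept above it so the reason for the fork survives a later update. The `inputs` attribute set continues outside this hunk.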
@ -17,6 +17,8 @@ in {
|
||||||
yubikey-manager
|
yubikey-manager
|
||||||
yubikey-agent
|
yubikey-agent
|
||||||
yubico-pam
|
yubico-pam
|
||||||
|
age-plugin-yubikey
|
||||||
|
rage
|
||||||
];
|
];
|
||||||
|
|
||||||
services.pcscd.enable = true;
|
services.pcscd.enable = true;
|
||||||
|
|
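--- /dev/null
+++ b/modules/services/adguardhome/default.nix
@@ -0,0 +1,89 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  format,
+  ...
+}:
+with lib; let
+  cfg = config.aa.services.openssh;
+in {
+  options.aa.services.adguardhome = with types; {
+    enable = mkEnableOption "adguardhome";
+  };
+
+  config = mkIf cfg.enable {
+    services.adguardhome = {
+      enable = true;
+      mutableSettings = true;
+      settings = {
+        bind_host = "0.0.0.0";
+        bind_port = 3000;
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      virtualHosts."adguardhome.kilonull.com" = {
+        forceSSL = true;
+        useACMEHost = "kilonull.com";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3000";
+        };
+      };
+    };
+
+    # So that nginx has access to the ACME certs
+    users.users.nginx.extraGroups = ["acme"];
+
+    age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
+
+    security.acme = {
+      # NOTE: Uncomment line below when testing changes
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      acceptTerms = true;
+      defaults.email = "iam@alejandr0angul0.dev";
+
+      # Wildcard cert
+      certs."kilonull.com" = {
+        dnsProvider = "cloudflare";
+        dnsResolver = "1.1.1.1:53";
+        credentialsFile = config.age.secrets.cf_dns_kilonull.path;
+        extraDomainNames = ["*.kilonull.com"];
+      };
+    };
+
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        # Plain DNS
+        53
+        # DHCP
+        68
+        # HTTP
+        80
+        # HTTPS
+        443
+        # DNS over TLS
+        853
+        # DNSCrypt
+        5443
+      ];
+      allowedUDPPorts = [
+        # Plain DNS
+        53
+        # DHCP
+        67
+        68
+        # DNS over QUIC
+        784
+        853
+        8853
+        # DNSCrypt
+        5443
+      ];
+    };
+  };
+}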
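Review bot: `cfg = config.aa.services.openssh;` in the let binding reads the wrong option set — the module declares `options.aa.services.adguardhome`, so `mkIf cfg.enable` is currently gated on the openssh module and only happens to fire on the node because that host also sets `services.openssh.enable = true`; the binding should be `cfg = config.aa.services.adguardhome;`. The AdGuard Home web UI is bound to `bind_host = "0.0.0.0"` although the only consumer is the nginx proxy on `http://127.0.0.1:3000`, so `bind_host = "127.0.0.1";` keeps the admin UI reachable solely through the TLS-terminating vhost and off any interface the firewall does not cover. DHCP is UDP-only, so `68` in `allowedTCPPorts` opens a TCP port nothing listens on; the UDP entries 67/68 already cover it. The `options`, `pkgs` and `format` parameters in the attribute-set pattern are unused and can be dropped.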
@ -3,6 +3,7 @@
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
inputs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
|
@ -15,6 +16,7 @@ in {
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
aa.apps.bat.enable = true;
|
aa.apps.bat.enable = true;
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
inputs.agenix.packages.x86_64-linux.default
|
||||||
alejandra
|
alejandra
|
||||||
curl
|
curl
|
||||||
deploy-rs
|
deploy-rs
|
||||||
|
@ -28,6 +30,9 @@ in {
|
||||||
ripgrep
|
ripgrep
|
||||||
usbutils
|
usbutils
|
||||||
wget
|
wget
|
||||||
|
lsof
|
||||||
|
bind # for dig
|
||||||
|
tcpdump
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
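Review bot: `inputs.agenix.packages.x86_64-linux.default` in the second hunk hard-codes the system, so this shared apps module breaks (or silently installs a cross-built binary) the first time it is evaluated for any other platform; `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` selects the package for whichever system `pkgs` is built for. The surrounding `environment.systemPackages` list and the enclosing `config = mkIf cfg.enable` block extend beyond both hunks.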
BIN
secrets/cf_dns_kilonull.age
Normal file
BIN
secrets/cf_dns_kilonull.age
Normal file
Binary file not shown.
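--- /dev/null
+++ b/secrets/identities/me.txt
@@ -0,0 +1 @@
+AGE-PLUGIN-YUBIKEY-18E3RSQVZ2ZQSDNS67QTTC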
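--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+  # Remember to pass '--identity identities/me.txt` when using this key
+  users.me = "age1yubikey1qdwgvfqrcqmyw56ux7azuvqr6f8nanszu27nztvxmn4utmplgxctzt90g25";
+
+  machines.node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv";
+in {
+  "cf_dns_kilonull.age".publicKeys = [users.me machines.node];
+}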
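Review bot: The comment on the `users.me` line mixes a single quote with a backtick, `'--identity identities/me.txt``, which reads as a typo; `# Remember to pass '--identity identities/me.txt' when using this key` is the intended form. It would also help a later reader to state on the `machines.node` line that this is the node host's SSH host key, since that is the key agenix uses to decrypt the secret on the machine at activation time and it must be updated whenever the host key is rotated.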
@ -51,7 +51,7 @@
|
||||||
hostName = "gospel";
|
hostName = "gospel";
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
defaultGateway = "192.168.113.1";
|
defaultGateway = "192.168.113.1";
|
||||||
nameservers = ["1.1.1.1"];
|
nameservers = ["192.168.113.13"];
|
||||||
interfaces.eno1.ipv4.addresses = [
|
interfaces.eno1.ipv4.addresses = [
|
||||||
{
|
{
|
||||||
address = "192.168.113.69"; # nice
|
address = "192.168.113.69"; # nice
|
||||||
|
|
|
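Review bot: `nameservers = ["192.168.113.13"];` makes the node host gospel's only resolver, so any outage or rebuild of the node (including a broken deploy of the AdGuard Home module added in this commit) leaves gospel without name resolution at all, which also affects the deploy tooling that would be used to fix it. If that single point of failure is intentional because a public fallback would bypass AdGuard filtering, a one-line comment saying so, e.g. `nameservers = ["192.168.113.13"]; # AdGuard Home on node; no public fallback on purpose`, would stop the next person from "fixing" it. The `networking` attribute set continues outside this hunk.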
@ -9,10 +9,17 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
aa = {
|
aa = {
|
||||||
nix.enable = true;
|
nix.enable = true;
|
||||||
nix.useSelfhostedCache = true;
|
nix.useSelfhostedCache = true;
|
||||||
|
|
||||||
|
services.tailscale = {
|
||||||
|
enable = true;
|
||||||
|
configureClientRouting = true;
|
||||||
|
configureServerRouting = true;
|
||||||
|
};
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
services.adguardhome.enable = true;
|
||||||
|
|
||||||
system.zfs.enable = true;
|
system.zfs.enable = true;
|
||||||
system.monitoring.enable = true;
|
system.monitoring.enable = true;
|
||||||
|
|
||||||
|
@ -33,6 +40,19 @@
|
||||||
execWheelOnly = true;
|
execWheelOnly = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
hostName = "node";
|
||||||
|
useDHCP = false;
|
||||||
|
defaultGateway = "192.168.113.1";
|
||||||
|
nameservers = ["127.0.0.1" "1.1.1.1"];
|
||||||
|
interfaces.enp7s0.ipv4.addresses = [
|
||||||
|
{
|
||||||
|
address = "192.168.113.13";
|
||||||
|
prefixLength = 24;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
|
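Review bot: `nameservers = ["127.0.0.1" "1.1.1.1"];` in the second hunk gives the node itself a public fallback resolver, and the standard resolver tries the next server only after a timeout on the first, so the host's own lookups quietly bypass AdGuard Home whenever the local listener is slow or not yet up; if the fallback is deliberate, say so in a comment on that line. The same hunk also hard-codes `address = "192.168.113.13"` while gospel's config in this commit hard-codes the identical address as its nameserver, so the two can drift apart without any evaluation error. The first hunk enables `services.tailscale` with both `configureClientRouting` and `configureServerRouting`; what those project-specific options do is not visible here, so it is worth confirming that they do not advertise routes that expose the `0.0.0.0`-bound AdGuard admin port to the tailnet.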