Alejandro Angulo
d5969ca923
Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility).
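{
  options,
  config,
  lib,
  pkgs,
  format,
  ...
}:
# AdGuard Home behind an nginx reverse proxy.  The module owns the DNS/DHCP
# firewall rules and, when `acmeCertName` is set, TLS termination for the
# admin UI on adguardhome.kilonull.com.
with lib; let
  cfg = config.aa.services.adguardhome;
in {
  options.aa.services.adguardhome = with types; {
    enable = mkEnableOption "adguardhome";

    acmeCertName = mkOption {
      type = str;
      default = "";
      description = ''
        If set to a non-empty string, forces SSL with the supplied acme
        certificate.
      '';
    };
  };

  config = mkIf cfg.enable {
    services.adguardhome = {
      enable = true;
      # Edits made in the web UI survive restarts.  NOTE(review): confirm how
      # the declared `settings` below interact with an already-existing
      # AdGuardHome.yaml on the NixOS release in use.
      mutableSettings = true;
      settings = {
        # The admin UI is only ever reached through nginx (see proxyPass
        # below), so listen on loopback instead of every interface.  Port
        # 3000 is not in the firewall allow-list today, but the TODO below
        # plans to move firewall ownership out of this module; binding to
        # 0.0.0.0 would then expose the UI directly.
        bind_host = "127.0.0.1";
        bind_port = 3000;
      };
    };

    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      # Hardened TLS parameters are only relevant when the vhost actually
      # terminates TLS, i.e. when an ACME cert name was supplied.
      recommendedTlsSettings = cfg.acmeCertName != "";

      virtualHosts."adguardhome.kilonull.com" =
        {
          locations."/" = {
            proxyPass = "http://127.0.0.1:3000";
          };
        }
        # Plain HTTP unless a cert name is given; with one, redirect to HTTPS
        # and serve the cert from an existing security.acme.certs entry.
        // lib.optionalAttrs (cfg.acmeCertName != "") {
          forceSSL = true;
          # useACMEHost reuses a cert; it does not request one.
          # NOTE(review): confirm the nginx user can read that cert's key
          # material (group membership) for the chosen name.
          useACMEHost = cfg.acmeCertName;
        };
    };

    networking.firewall = {
      # TODO: Remove this here and leave it up to systems to decide to enable
      # the firewall
      enable = true;
      # 3000 (admin UI) is deliberately absent: it is reachable only through
      # the nginx vhost on 80/443.
      allowedTCPPorts = [
        # Plain DNS
        53
        # DHCP
        68
        # HTTP (also needed for the HTTPS redirect / http-01 challenges)
        80
        # HTTPS
        443
        # DNS over TLS
        853
        # DNSCrypt
        5443
      ];
      allowedUDPPorts = [
        # Plain DNS
        53
        # DHCP
        67
        68
        # DNS over QUIC
        784
        853
        8853
        # DNSCrypt
        5443
      ];
    };
  };
}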