diff --git a/agenix/hosts/argon/adguardhome-sync/environment.age b/agenix/hosts/argon/adguardhome-sync/environment.age
index 8d6555b..47dffa0 100644
Binary files a/agenix/hosts/argon/adguardhome-sync/environment.age and b/agenix/hosts/argon/adguardhome-sync/environment.age differ
diff --git a/secret/hosts/Styx.nix b/secret/hosts/Styx.nix
index 0822301..8e0d6a3 100644
Binary files a/secret/hosts/Styx.nix and b/secret/hosts/Styx.nix differ
diff --git a/system/hosts/argon.nix b/system/hosts/argon.nix
index e6b475f..2c92012 100644
--- a/system/hosts/argon.nix
+++ b/system/hosts/argon.nix
@@ -32,6 +32,7 @@ in
     # ../nixos/telegraf.nix
     ../nixos/tailscale.nix
+    ../nixos/tailscale-argon.nix
     ../nixos/unbound.nix
diff --git a/system/nixos/acme-argon.nix b/system/nixos/acme-argon.nix
index d224cc9..004e4eb 100644
--- a/system/nixos/acme-argon.nix
+++ b/system/nixos/acme-argon.nix
@@ -18,6 +18,11 @@
       "internal.kempkens.network" = {
         domain = "*.internal.kempkens.network";
       };
+
+      "dns.kempkens.network" = {
+        extraDomainNames = [ "*.dns.kempkens.network" ];
+        reloadServices = [ "adguardhome.service" ];
+      };
     };
   };
 }
diff --git a/system/nixos/acme-mediaserver.nix b/system/nixos/acme-mediaserver.nix
index 760b635..58f35ff 100644
--- a/system/nixos/acme-mediaserver.nix
+++ b/system/nixos/acme-mediaserver.nix
@@ -19,6 +19,10 @@
         domain = "*.internal.kempkens.network";
         extraDomainNames = [ "jellyfin.home.kempkens.io" ];
       };
+
+      "dns.kempkens.network" = {
+        extraDomainNames = [ "*.dns.kempkens.network" ];
+      };
     };
   };
 }
diff --git a/system/nixos/adguardhome.nix b/system/nixos/adguardhome.nix
index b3ea7f7..f2a8d3b 100644
--- a/system/nixos/adguardhome.nix
+++ b/system/nixos/adguardhome.nix
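Review bot: The new `"dns.kempkens.network"` certificate entry in acme-argon.nix declares a consumer (`reloadServices = [ "adguardhome.service" ]`) but not who may read the key, while the adguardhome.nix hunk grants the service `SupplementaryGroups = [ "nginx" ]`; the pairing only works if the ACME cert directory's group happens to be `nginx` via a default defined outside this diff. Making the contract explicit on the cert, e.g. `group = "nginx";` next to `reloadServices`, or a dedicated group shared by nginx and adguardhome, keeps the key readable by exactly the intended services and documents why adguardhome is in that group. The same implicit coupling applies to the `systemd.services.adguardhome.serviceConfig` hunk in adguardhome.nix, which would benefit from a one-line comment such as `# read access to the ACME key for dns.kempkens.network`. The wildcard SAN `*.dns.kempkens.network` also requires DNS-01 validation, which is presumably configured in the ACME defaults not shown here.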
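Review bot: The acme-mediaserver.nix entry requests the same `dns.kempkens.network` certificate with the `*.dns.kempkens.network` SAN but lists no `reloadServices`, so nothing on that host is notified when the certificate renews. If a service on mediaserver serves this name, add it to `reloadServices` as argon does; if none does, the entry issues and renews a certificate that no process uses, and a comment stating its purpose (or dropping the entry) would avoid that ambiguity.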
@@ -5,7 +5,29 @@
     enable = true;
     mutableSettings = true;
-    settings = null;
+    # settings = null;
+
+    settings =
+      let
+        inherit (config.security.acme) certs;
+      in
+      {
+        tls = {
+          enabled = true;
+
+          port_https = 10443;
+          port_dns_over_tls = 1053;
+          port_dns_over_quic = 1053;
+          port_dnscrypt = 0;
+
+          certificate_path = "${certs."dns.kempkens.network".directory}/fullchain.pem";
+          private_key_path = "${certs."dns.kempkens.network".directory}/key.pem";
+
+          server_name = "dns.kempkens.network";
+          allow_unencrypted_doh = true;
+          strict_sni_check = true;
+        };
+      };
     # settings = {
     #   schema_version = 20;
@@ -42,6 +64,10 @@
     # };
   };
+  systemd.services.adguardhome.serviceConfig = {
+    SupplementaryGroups = [ "nginx" ];
+  };
+
   networking.firewall.interfaces =
     let
       interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ];
@@ -52,8 +78,8 @@
         {
           name = iface;
           value = {
-            allowedTCPPorts = [ 53 9053 ];
-            allowedUDPPorts = [ 53 9053 ];
+            allowedTCPPorts = [ 53 1053 9053 10443 ];
+            allowedUDPPorts = [ 53 1053 9053 10443 ];
           };
         })
       (builtins.filter builtins.isString interfaces));
@@ -74,7 +100,10 @@
     };
     virtualHosts."${secret.adguardhome.domain_prefix}.internal.kempkens.network" = {
-      serverAliases = [ "dns.internal.kempkens.network" ];
+      serverAliases = [
+        "${secret.adguardhome.domain_prefix}-direct.internal.kempkens.network"
+        "dns.internal.kempkens.network"
+      ];
       listen = [
         {
diff --git a/system/nixos/tailscale-argon.nix b/system/nixos/tailscale-argon.nix
new file mode 100644
index 0000000..e2141a5
--- /dev/null
+++ b/system/nixos/tailscale-argon.nix
@@ -0,0 +1,6 @@
+{
+  services.tailscale.extraUpFlags = [
+    "--accept-dns"
+    "false"
+  ];
+}
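Review bot: The new `tls` block is declared alongside `mutableSettings = true`, so whether `strict_sni_check = true` and `enabled = true` can be switched off from the web UI and how long such an edit survives depends on how the NixOS module reconciles declared `settings` with the mutable state file (it appears to merge on each start, but confirm for the module version in use); a comment above `settings =` stating that these keys are re-asserted only at service start would make that expectation explicit. `allow_unencrypted_doh = true` means plain-HTTP DoH is answered on the non-TLS listener, which is only acceptable because the nginx virtualHost later in this file terminates TLS in front of it; record that assumption inline, e.g. `# plain DoH is only reachable through the nginx reverse proxy`. The leftover `# settings = null;` is dead commented-out configuration and can be dropped. The enclosing `services.adguardhome` attribute set starts before this hunk.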
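Review bot: The firewall hunk opens 10443 on UDP as well as TCP on every matched interface, but `port_https = 10443` in the tls block is an HTTPS (TCP) listener and nothing in the tls block enables HTTP/3, so the UDP hole serves no listener; unless HTTP/3 is intentionally enabled, keep `allowedTCPPorts = [ 53 1053 9053 10443 ];` and reduce to `allowedUDPPorts = [ 53 1053 9053 ];` (1053/UDP is needed for DoQ, 1053/TCP for DoT). A short comment naming each port's role (`# 53 DNS, 1053 DoT/DoQ, 10443 DoH`) would also stop the two lists from drifting apart on the next edit. The `networking.firewall.interfaces` expression starts in the previous hunk.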
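Review bot: In the new tailscale-argon.nix the flag is passed as two separate argv entries, `"--accept-dns"` and `"false"`, but Tailscale's CLI uses Go's flag parser, which does not accept a separate value for boolean flags; `--accept-dns` alone sets the option to true and `false` is left as a stray positional argument, so the intended opt-out of Tailscale-managed DNS on this resolver host does not take effect (and `tailscale up` may reject the extra argument). Use the single-token form `services.tailscale.extraUpFlags = [ "--accept-dns=false" ];` and add a comment such as `# this host runs the resolver; never let tailscaled rewrite its resolv.conf` so the reason survives future edits.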