daniel/dotfiles
1
0
Fork 0
Code Activity Actions

agh: restructure and reconfigure

Browse source
This commit is contained in:
Daniel Kempkens 2024-05-22 22:57:56 +02:00
parent aecd2b2a86
commit ae475a4d89
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
7 changed files with 49 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
agenix/hosts/argon/adguardhome-sync/environment.age
View file

Binary file not shown.

BIN
secret/hosts/Styx.nix
View file

Binary file not shown.

1
system/hosts/argon.nix
View file

@ -32,6 +32,7 @@ in
# ../nixos/telegraf.nix # ../nixos/telegraf.nix
../nixos/tailscale.nix ../nixos/tailscale.nix
../nixos/tailscale-argon.nix
../nixos/unbound.nix ../nixos/unbound.nix

5
system/nixos/acme-argon.nix
View file

@ -18,6 +18,11 @@
"internal.kempkens.network" = { "internal.kempkens.network" = {
domain = "*.internal.kempkens.network"; domain = "*.internal.kempkens.network";
}; };
"dns.kempkens.network" = {
extraDomainNames = [ "*.dns.kempkens.network" ];
reloadServices = [ "adguardhome.service" ];
};
}; };
}; };
} }

4
system/nixos/acme-mediaserver.nix
View file

@ -19,6 +19,10 @@
domain = "*.internal.kempkens.network"; domain = "*.internal.kempkens.network";
extraDomainNames = [ "jellyfin.home.kempkens.io" ]; extraDomainNames = [ "jellyfin.home.kempkens.io" ];
}; };
"dns.kempkens.network" = {
extraDomainNames = [ "*.dns.kempkens.network" ];
};
}; };
}; };
} }

37
system/nixos/adguardhome.nix
View file

@ -5,7 +5,29 @@
enable = true; enable = true;
mutableSettings = true; mutableSettings = true;
settings = null; # settings = null;
settings =
let
inherit (config.security.acme) certs;
in
{
tls = {
enabled = true;
port_https = 10443;
port_dns_over_tls = 1053;
port_dns_over_quic = 1053;
port_dnscrypt = 0;
certificate_path = "${certs."dns.kempkens.network".directory}/fullchain.pem";
private_key_path = "${certs."dns.kempkens.network".directory}/key.pem";
server_name = "dns.kempkens.network";
allow_unencrypted_doh = true;
strict_sni_check = true;
};
};
# settings = { # settings = {
# schema_version = 20; # schema_version = 20;
@ -42,6 +64,10 @@
# }; # };
}; };
systemd.services.adguardhome.serviceConfig = {
SupplementaryGroups = [ "nginx" ];
};
networking.firewall.interfaces = networking.firewall.interfaces =
let let
interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ]; interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ];
@ -52,8 +78,8 @@
{ {
name = iface; name = iface;
value = { value = {
allowedTCPPorts = [ 53 9053 ]; allowedTCPPorts = [ 53 1053 9053 10443 ];
allowedUDPPorts = [ 53 9053 ]; allowedUDPPorts = [ 53 1053 9053 10443 ];
}; };
}) })
(builtins.filter builtins.isString interfaces)); (builtins.filter builtins.isString interfaces));
@ -74,7 +100,10 @@
}; };
virtualHosts."${secret.adguardhome.domain_prefix}.internal.kempkens.network" = { virtualHosts."${secret.adguardhome.domain_prefix}.internal.kempkens.network" = {
serverAliases = [ "dns.internal.kempkens.network" ]; serverAliases = [
"${secret.adguardhome.domain_prefix}-direct.internal.kempkens.network"
"dns.internal.kempkens.network"
];
listen = [ listen = [
{ {

6
system/nixos/tailscale-argon.nix Normal file
View file

@ -0,0 +1,6 @@
{
services.tailscale.extraUpFlags = [
"--accept-dns"
"false"
];
}