agh: restructure and reconfigure

2024-05-22 22:57:56 +02:00 · 2024-05-22 22:57:56 +02:00 · ae475a4d89
commit ae475a4d89
parent aecd2b2a86
7 changed files with 49 additions and 4 deletions
--- a/agenix/hosts/argon/adguardhome-sync/environment.age
+++ b/agenix/hosts/argon/adguardhome-sync/environment.age
--- a/secret/hosts/Styx.nix
+++ b/secret/hosts/Styx.nix
--- a/system/hosts/argon.nix
+++ b/system/hosts/argon.nix
@ -32,6 +32,7 @@ in
    # ../nixos/telegraf.nix

    ../nixos/tailscale.nix
+    ../nixos/tailscale-argon.nix

    ../nixos/unbound.nix

--- a/system/nixos/acme-argon.nix
+++ b/system/nixos/acme-argon.nix
@ -18,6 +18,11 @@
      "internal.kempkens.network" = {
        domain = "*.internal.kempkens.network";
      };
+
+      "dns.kempkens.network" = {
+        extraDomainNames = [ "*.dns.kempkens.network" ];
+        reloadServices = [ "adguardhome.service" ];
+      };
    };
  };
 }
--- a/system/nixos/acme-mediaserver.nix
+++ b/system/nixos/acme-mediaserver.nix
@ -19,6 +19,10 @@
        domain = "*.internal.kempkens.network";
        extraDomainNames = [ "jellyfin.home.kempkens.io" ];
      };
+
+      "dns.kempkens.network" = {
+        extraDomainNames = [ "*.dns.kempkens.network" ];
+      };
    };
  };
 }
--- a/system/nixos/adguardhome.nix
+++ b/system/nixos/adguardhome.nix
@ -5,7 +5,29 @@
    enable = true;

    mutableSettings = true;
-    settings = null;
+    # settings = null;
+
+    settings =
+      let
+        inherit (config.security.acme) certs;
+      in
+      {
+        tls = {
+          enabled = true;
+
+          port_https = 10443;
+          port_dns_over_tls = 1053;
+          port_dns_over_quic = 1053;
+          port_dnscrypt = 0;
+
+          certificate_path = "${certs."dns.kempkens.network".directory}/fullchain.pem";
+          private_key_path = "${certs."dns.kempkens.network".directory}/key.pem";
+
+          server_name = "dns.kempkens.network";
+          allow_unencrypted_doh = true;
+          strict_sni_check = true;
+        };
+      };

    # settings = {
    #   schema_version = 20;
@ -42,6 +64,10 @@
    # };
  };

+  systemd.services.adguardhome.serviceConfig = {
+    SupplementaryGroups = [ "nginx" ];
+  };
+
  networking.firewall.interfaces =
    let
      interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ];
@ -52,8 +78,8 @@
          {
            name = iface;
            value = {
-              allowedTCPPorts = [ 53 9053 ];
-              allowedUDPPorts = [ 53 9053 ];
+              allowedTCPPorts = [ 53 1053 9053 10443 ];
+              allowedUDPPorts = [ 53 1053 9053 10443 ];
            };
          })
        (builtins.filter builtins.isString interfaces));
@ -74,7 +100,10 @@
    };

    virtualHosts."${secret.adguardhome.domain_prefix}.internal.kempkens.network" = {
-      serverAliases = [ "dns.internal.kempkens.network" ];
+      serverAliases = [
+        "${secret.adguardhome.domain_prefix}-direct.internal.kempkens.network"
+        "dns.internal.kempkens.network"
+      ];

      listen = [
        {
--- a/system/nixos/tailscale-argon.nix
+++ b/system/nixos/tailscale-argon.nix
@ -0,0 +1,6 @@
+{
+  services.tailscale.extraUpFlags = [
+    "--accept-dns"
+    "false"
+  ];
+}