agh: restructure and reconfigure
This commit is contained in:
parent
aecd2b2a86
commit
ae475a4d89
7 changed files with 49 additions and 4 deletions
Binary file not shown.
Binary file not shown.
|
@ -32,6 +32,7 @@ in
|
|||
# ../nixos/telegraf.nix
|
||||
|
||||
../nixos/tailscale.nix
|
||||
../nixos/tailscale-argon.nix
|
||||
|
||||
../nixos/unbound.nix
|
||||
|
||||
|
|
|
@ -18,6 +18,11 @@
|
|||
"internal.kempkens.network" = {
|
||||
domain = "*.internal.kempkens.network";
|
||||
};
|
||||
|
||||
"dns.kempkens.network" = {
|
||||
extraDomainNames = [ "*.dns.kempkens.network" ];
|
||||
reloadServices = [ "adguardhome.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -19,6 +19,10 @@
|
|||
domain = "*.internal.kempkens.network";
|
||||
extraDomainNames = [ "jellyfin.home.kempkens.io" ];
|
||||
};
|
||||
|
||||
"dns.kempkens.network" = {
|
||||
extraDomainNames = [ "*.dns.kempkens.network" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
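Review bot: The new `"dns.kempkens.network"` entry here has no `reloadServices`, while the parallel entry in the other host's ACME config reloads `adguardhome.service`; if a service on this host reads the issued `fullchain.pem`/`key.pem` directly, it will keep serving the old certificate after renewal until it is restarted. If only nginx consumes this certificate via `useACMEHost`, the nginx module presumably wires up its own reload and the omission is fine. A one-line comment naming the consumer, e.g. `# consumed only by nginx (useACMEHost); no extra reloadServices needed`, would make the difference between the two hosts deliberate rather than accidental.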
|
|
@ -5,7 +5,29 @@
|
|||
enable = true;
|
||||
|
||||
mutableSettings = true;
|
||||
settings = null;
|
||||
# settings = null;
|
||||
|
||||
settings =
|
||||
let
|
||||
inherit (config.security.acme) certs;
|
||||
in
|
||||
{
|
||||
tls = {
|
||||
enabled = true;
|
||||
|
||||
port_https = 10443;
|
||||
port_dns_over_tls = 1053;
|
||||
port_dns_over_quic = 1053;
|
||||
port_dnscrypt = 0;
|
||||
|
||||
certificate_path = "${certs."dns.kempkens.network".directory}/fullchain.pem";
|
||||
private_key_path = "${certs."dns.kempkens.network".directory}/key.pem";
|
||||
|
||||
server_name = "dns.kempkens.network";
|
||||
allow_unencrypted_doh = true;
|
||||
strict_sni_check = true;
|
||||
};
|
||||
};
|
||||
|
||||
# settings = {
|
||||
# schema_version = 20;
|
||||
|
@ -42,6 +64,10 @@
|
|||
# };
|
||||
};
|
||||
|
||||
systemd.services.adguardhome.serviceConfig = {
|
||||
SupplementaryGroups = [ "nginx" ];
|
||||
};
|
||||
|
||||
networking.firewall.interfaces =
|
||||
let
|
||||
interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ];
|
||||
|
@ -52,8 +78,8 @@
|
|||
{
|
||||
name = iface;
|
||||
value = {
|
||||
allowedTCPPorts = [ 53 9053 ];
|
||||
allowedUDPPorts = [ 53 9053 ];
|
||||
allowedTCPPorts = [ 53 1053 9053 10443 ];
|
||||
allowedUDPPorts = [ 53 1053 9053 10443 ];
|
||||
};
|
||||
})
|
||||
(builtins.filter builtins.isString interfaces));
|
||||
|
@ -74,7 +100,10 @@
|
|||
};
|
||||
|
||||
virtualHosts."${secret.adguardhome.domain_prefix}.internal.kempkens.network" = {
|
||||
serverAliases = [ "dns.internal.kempkens.network" ];
|
||||
serverAliases = [
|
||||
"${secret.adguardhome.domain_prefix}-direct.internal.kempkens.network"
|
||||
"dns.internal.kempkens.network"
|
||||
];
|
||||
|
||||
listen = [
|
||||
{
|
||||
|
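Review bot: `SupplementaryGroups = [ "nginx" ]` in the second hunk is presumably what lets AdGuard Home read `key.pem` under `certs."dns.kempkens.network".directory` (referenced in `certificate_path`/`private_key_path` in the first hunk), but it grants the unit read access to everything the nginx group can read, not just this one private key. The certificate's `group` option is not visible in this hunk; a narrower setup is a dedicated group set as the cert's `group` and listed alone in `SupplementaryGroups`, so the key is readable only by the services that actually load it (nginx does not appear to serve this certificate, since the vhost below uses the `internal` names, but confirm). Separately, `allow_unencrypted_doh = true` is a security-relevant choice that deserves a why-comment such as `# DoH on the plain HTTP port is only reached through the nginx reverse proxy below` — verify against the `listen` block, which continues outside the hunk.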
|
6
system/nixos/tailscale-argon.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{
|
||||
services.tailscale.extraUpFlags = [
|
||||
"--accept-dns"
|
||||
"false"
|
||||
];
|
||||
}
|
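Review bot: `"--accept-dns"` and `"false"` are passed as two separate list elements, and with Go-style flag parsing a boolean flag does not take the following argument as its value, so this likely turns accept-dns on and leaves a stray `false` positional argument for `tailscale up` to reject; the documented single-argument form is `"--accept-dns=false"`. A short comment on why DNS acceptance is disabled on this host would help the next reader, e.g. `# this host runs its own resolver; keep tailscale from rewriting resolv.conf` — adjust if that is not the reason.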