
agh: restructure and reconfigure

This commit is contained in:
Daniel Kempkens 2024-05-22 22:57:56 +02:00
parent aecd2b2a86
commit ae475a4d89
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
7 changed files with 49 additions and 4 deletions



@ -32,6 +32,7 @@ in
# ../nixos/telegraf.nix
../nixos/tailscale.nix
../nixos/tailscale-argon.nix
../nixos/unbound.nix


@ -18,6 +18,11 @@
"internal.kempkens.network" = {
domain = "*.internal.kempkens.network";
};
"dns.kempkens.network" = {
extraDomainNames = [ "*.dns.kempkens.network" ];
reloadServices = [ "adguardhome.service" ];
};
};
};
}


@ -19,6 +19,10 @@
domain = "*.internal.kempkens.network";
extraDomainNames = [ "jellyfin.home.kempkens.io" ];
};
"dns.kempkens.network" = {
extraDomainNames = [ "*.dns.kempkens.network" ];
};
};
};
}
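Review bot: The `"dns.kempkens.network"` certificate entry added here carries no `reloadServices`, unlike the same entry in the other ACME file of this commit (which reloads `adguardhome.service`), so whatever consumes this certificate on this host will keep serving the pre-renewal one until it happens to restart. If nothing on this host consumes it, the entry orders a second key pair for the same name with no user, which only widens where that identity's private key lives. Either name the consumer, e.g. `reloadServices = [ "<consumer>.service" ];`, or add a comment on the entry stating why this host requests the certificate. The enclosing `certs` attribute set begins outside the hunk.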


@ -5,7 +5,29 @@
enable = true;
mutableSettings = true;
settings = null;
# settings = null;
settings =
let
inherit (config.security.acme) certs;
in
{
tls = {
enabled = true;
port_https = 10443;
port_dns_over_tls = 1053;
port_dns_over_quic = 1053;
port_dnscrypt = 0;
certificate_path = "${certs."dns.kempkens.network".directory}/fullchain.pem";
private_key_path = "${certs."dns.kempkens.network".directory}/key.pem";
server_name = "dns.kempkens.network";
allow_unencrypted_doh = true;
strict_sni_check = true;
};
};
# settings = {
# schema_version = 20;
@ -42,6 +64,10 @@
# };
};
systemd.services.adguardhome.serviceConfig = {
SupplementaryGroups = [ "nginx" ];
};
networking.firewall.interfaces =
let
interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ];
@ -52,8 +78,8 @@
{
name = iface;
value = {
allowedTCPPorts = [ 53 9053 ];
allowedUDPPorts = [ 53 9053 ];
allowedTCPPorts = [ 53 1053 9053 10443 ];
allowedUDPPorts = [ 53 1053 9053 10443 ];
};
})
(builtins.filter builtins.isString interfaces));
@ -74,7 +100,10 @@
};
virtualHosts."${secret.adguardhome.domain_prefix}.internal.kempkens.network" = {
serverAliases = [ "dns.internal.kempkens.network" ];
serverAliases = [
"${secret.adguardhome.domain_prefix}-direct.internal.kempkens.network"
"dns.internal.kempkens.network"
];
listen = [
{
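Review bot: In the firewall hunk, `allowedUDPPorts = [ 53 1053 9053 10443 ];` opens UDP 10443, but the new `tls` block only serves DoH over TCP (`port_https = 10443`) and no HTTP/3 option is set in what is visible, so the UDP entry exposes a listener-less port on every interface in the list, including tailscale0; drop it unless DoH3 is enabled elsewhere: `allowedUDPPorts = [ 53 1053 9053 ];`. The added `SupplementaryGroups = [ "nginx" ];` presumably exists so the service can read `key.pem` under the ACME directory; that gives AdGuard Home read access to everything the nginx group can read rather than just this certificate, so a dedicated group on the ACME entry would scope it more tightly, and the line deserves a comment such as `# read access to the ACME key for dns.kempkens.network` either way. The leftover `# settings = null;` beside the new `settings =` is dead text and can go. The enclosing attribute set starts and ends outside these hunks.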


@ -0,0 +1,6 @@
{
services.tailscale.extraUpFlags = [
"--accept-dns"
"false"
];
}
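Review bot: `"--accept-dns" "false"` passes the flag's value as a separate argument, and the Go flag parsing used by the tailscale CLI does not, as far as I know, take a boolean flag's value that way: `--accept-dns` alone reads as true and `false` is left over as a stray positional argument that `tailscale up` should reject. The intended opt-out, which matters on a host that is itself the resolver so that MagicDNS does not rewrite its own DNS configuration, would therefore not take effect; it should be the single element `"--accept-dns=false"`. If this is the `tailscale-argon.nix` imported in the first hunk of the commit, that import is only useful once the flag is fixed.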