{ config , lib , ... }: with lib; let cfg = config.eboskma.adguard; in { options.eboskma.adguard = { enable = mkEnableOption "adguard"; upstreams = mkOption { description = "Upstream DNS servers"; type = types.listOf types.str; example = [ "http://1.1.1.1" "tls://1.1.1.1" "1.1.1.1" ]; }; }; config = mkIf cfg.enable { services.adguardhome = { enable = true; openFirewall = true; settings = { auth_attempts = 5; block_auth_min = 15; clients = { persistent = [ { name = "xiaomi-fan"; ids = [ "5a:b6:23:35:1c:76" ]; blocked_services = [ "9gag" "amazon" "cloudflare" "dailymotion" "discord" "disneyplus" "ebay" "epic_games" "facebook" "hulu" "imgur" "instagram" "mail_ru" "netflix" "ok" "origin" "pinterest" "qq" "reddit" "skype" "snapchat" "spotify" "steam" "telegram" "tiktok" "tinder" "twitch" "twitter" "viber" "vimeo" "vk" "wechat" "weibo" "whatsapp" "youtube" ]; filtering_enabled = true; ignore_querylog = false; ignore_statistics = false; parental_enabled = true; safe_search = { bing = false; duckduckgo = false; enabled = false; google = false; pixabay = false; yandex = false; youtube = false; }; safebrowsing_enabled = true; tags = [ "device_other" ]; upstreams = [ ]; use_global_blocked_services = false; use_global_settings = true; } ]; runtime_sources = { arp = true; dhcp = true; hosts = true; rdns = true; whois = true; }; }; debug_pprof = false; dhcp = { dhcpv4 = { gateway_ip = "10.0.0.1"; icmp_timeout_msec = 1000; lease_duration = 86400; options = [ ]; range_end = "10.0.0.200"; range_start = "10.0.0.150"; subnet_mask = "255.255.255.0"; }; dhcpv6 = { lease_duration = 86400; ra_allow_slaac = false; ra_slaac_only = false; range_start = ""; }; interface_name = "eth0"; enabled = true; local_domain_name = "lan"; }; dns = { aaaa_disabled = false; all_servers = true; allowed_clients = [ ]; anonymize_client_ip = false; bind_hosts = [ "0.0.0.0" ]; blocked_hosts = [ "version.bind" "id.server" "hostname.bind" ]; blocked_response_ttl = 10; blocked_services = [ "vk" "mail_ru" "pinterest" "tinder" "wechat" "ok" "qq" "snapchat" "weibo" "9gag" ]; blocking_ipv4 = ""; blocking_ipv6 = ""; blocking_mode = "default"; bogus_nxdomain = [ ]; bootstrap_dns = [ ]; bootstrap_prefer_ipv6 = false; cache_optimistic = false; cache_size = 4194304; cache_time = 30; cache_ttl_max = 0; cache_ttl_min = 0; disallowed_clients = [ ]; dns64_prefixes = [ ]; edns_client_subnet = { custom_ip = ""; enabled = true; use_custom = false; }; enable_dnssec = true; fastest_addr = false; fastest_timeout = "1s"; filtering_enabled = true; filters_update_interval = 24; handle_ddr = true; ipset = [ ]; ipset_file = ""; local_ptr_upstreams = [ ]; max_goroutines = 0; parental_block_host = "family-block.dns.adguard.com"; parental_cache_size = 1048576; parental_enabled = false; port = 53; private_networks = [ ]; protection_disabled_until = null; protection_enabled = true; ratelimit = 20; ratelimit_whitelist = [ ]; refuse_any = true; rewrites = [ { answer = "10.0.0.254"; domain = "track.datarift.nl"; } { answer = "10.0.0.2"; domain = "ca.datarift.nl"; } { answer = "10.0.0.252"; domain = "pve.datarift.nl"; } { answer = "10.0.0.251"; domain = "git.datarift.nl"; } { answer = "10.0.0.251"; domain = "minio.datarift.nl"; } { answer = "10.0.0.251"; domain = "home.datarift.nl"; } { answer = "10.0.0.251"; domain = "drone.datarift.nl"; } { answer = "10.0.0.100"; domain = "vidz.datarift.nl"; } { answer = "10.0.0.4"; domain = "loki.datarift.nl"; } { answer = "10.0.0.251"; domain = "minio-admin.datarift.nl"; } { answer = "192.168.4.32"; domain = "vaultserver.horus.nu"; } { answer = "10.0.0.254"; domain = "mqtt.datarift.nl"; } { answer = "10.0.0.251"; domain = "frigate.datarift.nl"; } { answer = "192.168.4.130"; domain = "containers.internal.horus.nu"; } { answer = "192.168.4.121"; domain = "repohost.bedum.horus.nu"; } { answer = "192.168.4.150"; domain = "teamcity.horus.nu"; } { answer = "2a02:a441:c959:1:52ef:4c5d:ffac:25bc"; domain = "frigate.datarift.nl"; } ]; safe_search = { bing = true; duckduckgo = true; enabled = false; google = true; pixabay = true; yandex = true; youtube = true; }; safebrowsing_block_host = "standard-block.dns.adguard.com"; safebrowsing_cache_size = 1048576; safebrowsing_enabled = false; safesearch_cache_size = 1048576; serve_http3 = false; trusted_proxies = [ "127.0.0.0/8" "::1/128" ]; upstream_dns = cfg.upstreams; upstream_dns_file = ""; upstream_timeout = "10s"; use_dns64 = false; use_http3_upstreams = false; use_private_ptr_resolvers = true; }; filters = [ { enabled = true; id = 1; name = "AdGuard DNS filter"; url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; } { enabled = true; id = 2; name = "AdAway"; url = "https://adaway.org/hosts.txt"; } { enabled = true; id = 1586463155; name = "dbl.oisd.nl"; url = "https://dbl.oisd.nl/"; } ]; http_proxy = ""; language = ""; log_compress = false; log_file = ""; log_localtime = false; log_max_age = 3; log_max_backups = 0; log_max_size = 100; os = { group = ""; rlimit_nofile = 0; user = ""; }; querylog = { enabled = true; file_enabled = true; ignored = [ ]; interval = "168h"; size_memory = 1000; }; schema_version = 20; statistics = { enabled = true; ignored = [ ]; interval = "168h"; }; theme = "auto"; tls = { allow_unencrypted_doh = false; certificate_chain = ""; certificate_path = ""; dnscrypt_config_file = ""; enabled = false; force_https = false; port_dns_over_quic = 784; port_dns_over_tls = 853; port_dnscrypt = 0; port_https = 443; private_key = ""; private_key_path = ""; server_name = ""; strict_sni_check = false; }; user_rules = [ "@@||msmetrics.ws.sonos.com^$important" "@@||trafficdeposit.com^$important" "@@||omropfryslan.bbvms.com^$important" "@@||cdn.riverhit.com^$important" "@@||kpngroup.emsecure.net^$important" "@@||chtbl.com^$important" "@@||*^$client='TV'" "||mozilla.cloudflare-dns.com^$important" "||use-application-dns.net^$important" "@@||widget.fitanalytics.com^$important" "@@||cdn.bluebillywig.com^$important" "@@||bert.org^$important" "||prod-pre.fns.tunein.com^$important" "#||mi.com^$dnsrewrite=NOERROR;A;10.0.0.4" "#||xiaomi.com^$dnsrewrite=NOERROR;A;10.0.0.4" "@@||aa.tweakers.nl^$important" "@@||ab.tweakers.nl^$important" "||zip^" ]; users = [ { name = "erwin"; password = "$2b$12$bcE.EzNPhKmtDlgkej83xeAE/ADmAczt.iaElp6v4QT8DBlbVBgb."; } ]; verbose = false; web_session_ttl = 720; whitelist_filters = [ ]; }; }; # This is necessary to bind a raw socket for DHCP systemd.services.adguardhome.serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ]; networking.firewall = { allowedUDPPorts = [ 53 67 ]; }; }; }