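# NixOS module wrapping `services.adguardhome`.
#
# Declares `eboskma.adguard.enable` and `eboskma.adguard.upstreams`. When
# enabled it turns on AdGuard Home with an empty declarative `settings` set,
# adds CAP_NET_RAW to the service and opens UDP 53 and 67 in the firewall.
{ config, lib, ... }:
with lib;
let
  cfg = config.eboskma.adguard;
in
{
  options.eboskma.adguard = {
    enable = mkEnableOption "adguard";

    # NOTE(review): the only reference to `cfg.upstreams` is the commented-out
    # `upstream_dns = cfg.upstreams;` below. With `settings = { }` the value is
    # never read, so setting this option does not change which upstreams the
    # resolver uses. Anyone relying on it to force encrypted upstreams should
    # check the running instance instead.
    upstreams = mkOption {
      description = "Upstream DNS servers";
      type = types.listOf types.str;
      # DNS-over-HTTPS upstreams are written as `https://<host>/dns-query`;
      # the previous `http://1.1.1.1` example is not an AdGuard Home upstream form.
      example = [ "https://1.1.1.1/dns-query" "tls://1.1.1.1" "1.1.1.1" ];
    };
  };

  config = mkIf cfg.enable {
    services.adguardhome = {
      enable = true;
      # In the nixpkgs module this opens the port of the web (admin) interface,
      # not the DNS port. `settings = { }` declares no users here, so whether
      # that interface asks for a login depends on state kept outside this
      # file. Confirm authentication is configured, or restrict the port to a
      # trusted interface.
      openFirewall = true;
      settings = { };

      # NOTE(review): the disabled block below is kept as reference. It still
      # carries a bcrypt hash for the web UI account, a device MAC address and
      # internal host names and addresses. A committed hash can be guessed
      # offline even when commented out, so rotate that password if this file
      # has been shared. When re-enabling, note that values placed in
      # `settings` end up in the world-readable Nix store. Also note that
      # `bind_hosts = [ "0.0.0.0" ]` with an empty `allowed_clients` answers
      # queries on every interface, so keep port 53 unreachable from untrusted
      # networks.
      # settings = {
      #   auth_attempts = 5;
      #   block_auth_min = 15;
      #   clients = {
      #     persistent = [
      #       {
      #         name = "xiaomi-fan";
      #         ids = [ "5a:b6:23:35:1c:76" ];
      #         blocked_services = [
      #           "9gag"
      #           "amazon"
      #           "cloudflare"
      #           "dailymotion"
      #           "discord"
      #           "disneyplus"
      #           "ebay"
      #           "epic_games"
      #           "facebook"
      #           "hulu"
      #           "imgur"
      #           "instagram"
      #           "mail_ru"
      #           "netflix"
      #           "ok"
      #           "origin"
      #           "pinterest"
      #           "qq"
      #           "reddit"
      #           "skype"
      #           "snapchat"
      #           "spotify"
      #           "steam"
      #           "telegram"
      #           "tiktok"
      #           "tinder"
      #           "twitch"
      #           "twitter"
      #           "viber"
      #           "vimeo"
      #           "vk"
      #           "wechat"
      #           "weibo"
      #           "whatsapp"
      #           "youtube"
      #         ];
      #         filtering_enabled = true;
      #         ignore_querylog = false;
      #         ignore_statistics = false;
      #         parental_enabled = true;
      #         safe_search = {
      #           bing = false;
      #           duckduckgo = false;
      #           enabled = false;
      #           google = false;
      #           pixabay = false;
      #           yandex = false;
      #           youtube = false;
      #         };
      #         safebrowsing_enabled = true;
      #         tags = [ "device_other" ];
      #         upstreams = [ ];
      #         use_global_blocked_services = false;
      #         use_global_settings = true;
      #       }
      #     ];
      #     runtime_sources = {
      #       arp = true;
      #       dhcp = true;
      #       hosts = true;
      #       rdns = true;
      #       whois = true;
      #     };
      #   };
      #   debug_pprof = false;
      #   dhcp = {
      #     dhcpv4 = {
      #       gateway_ip = "10.0.0.1";
      #       icmp_timeout_msec = 1000;
      #       lease_duration = 86400;
      #       options = [ ];
      #       range_end = "10.0.0.200";
      #       range_start = "10.0.0.150";
      #       subnet_mask = "255.255.255.0";
      #     };
      #     dhcpv6 = {
      #       lease_duration = 86400;
      #       ra_allow_slaac = false;
      #       ra_slaac_only = false;
      #       range_start = "";
      #     };
      #     interface_name = "eth0";
      #     enabled = true;
      #     local_domain_name = "lan";
      #   };
      #   dns = {
      #     aaaa_disabled = false;
      #     all_servers = true;
      #     allowed_clients = [ ];
      #     anonymize_client_ip = false;
      #     bind_hosts = [ "0.0.0.0" ];
      #     blocked_hosts = [ "version.bind" "id.server" "hostname.bind" ];
      #     blocked_response_ttl = 10;
      #     blocked_services = [ "vk" "mail_ru" "pinterest" "tinder" "wechat" "ok" "qq" "snapchat" "weibo" "9gag" ];
      #     blocking_ipv4 = "";
      #     blocking_ipv6 = "";
      #     blocking_mode = "default";
      #     bogus_nxdomain = [ ];
      #     bootstrap_dns = [ ];
      #     bootstrap_prefer_ipv6 = false;
      #     cache_optimistic = false;
      #     cache_size = null;
      #     cache_time = 30;
      #     cache_ttl_max = 0;
      #     cache_ttl_min = 0;
      #     disallowed_clients = [ ];
      #     dns64_prefixes = [ ];
      #     edns_client_subnet = {
      #       custom_ip = "";
      #       enabled = true;
      #       use_custom = false;
      #     };
      #     enable_dnssec = true;
      #     fastest_addr = false;
      #     fastest_timeout = "1s";
      #     filtering_enabled = true;
      #     filters_update_interval = 24;
      #     handle_ddr = true;
      #     ipset = [ ];
      #     ipset_file = "";
      #     local_ptr_upstreams = [ ];
      #     max_goroutines = 0;
      #     parental_block_host = "family-block.dns.adguard.com";
      #     parental_cache_size = 1048576;
      #     parental_enabled = false;
      #     port = 53;
      #     private_networks = [ ];
      #     protection_disabled_until = null;
      #     protection_enabled = true;
      #     ratelimit = 20;
      #     ratelimit_whitelist = [ ];
      #     refuse_any = true;
      #     rewrites = [
      #       {
      #         answer = "10.0.0.254";
      #         domain = "track.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.2";
      #         domain = "ca.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.252";
      #         domain = "pve.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.251";
      #         domain = "git.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.251";
      #         domain = "minio.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.251";
      #         domain = "home.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.251";
      #         domain = "drone.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.100";
      #         domain = "vidz.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.4";
      #         domain = "loki.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.251";
      #         domain = "minio-admin.datarift.nl";
      #       }
      #       {
      #         answer = "192.168.4.32";
      #         domain = "vaultserver.horus.nu";
      #       }
      #       {
      #         answer = "10.0.0.254";
      #         domain = "mqtt.datarift.nl";
      #       }
      #       {
      #         answer = "10.0.0.251";
      #         domain = "frigate.datarift.nl";
      #       }
      #       {
      #         answer = "192.168.4.130";
      #         domain = "containers.internal.horus.nu";
      #       }
      #       {
      #         answer = "192.168.4.121";
      #         domain = "repohost.bedum.horus.nu";
      #       }
      #       {
      #         answer = "192.168.4.150";
      #         domain = "teamcity.horus.nu";
      #       }
      #       {
      #         answer = "2a02:a441:c959:1:52ef:4c5d:ffac:25bc";
      #         domain = "frigate.datarift.nl";
      #       }
      #     ];
      #     safe_search = {
      #       bing = true;
      #       duckduckgo = true;
      #       enabled = false;
      #       google = true;
      #       pixabay = true;
      #       yandex = true;
      #       youtube = true;
      #     };
      #     safebrowsing_block_host = "standard-block.dns.adguard.com";
      #     safebrowsing_cache_size = 1048576;
      #     safebrowsing_enabled = false;
      #     safesearch_cache_size = 1048576;
      #     serve_http3 = false;
      #     trusted_proxies = [ "127.0.0.0/8" "::1/128" ];
      #     upstream_dns = cfg.upstreams;
      #     upstream_dns_file = "";
      #     upstream_timeout = "10s";
      #     use_dns64 = false;
      #     use_http3_upstreams = false;
      #     use_private_ptr_resolvers = true;
      #   };
      #   filters = [
      #     {
      #       enabled = true;
      #       id = 1;
      #       name = "AdGuard DNS filter";
      #       url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
      #     }
      #     {
      #       enabled = true;
      #       id = 2;
      #       name = "AdAway";
      #       url = "https://adaway.org/hosts.txt";
      #     }
      #     {
      #       enabled = true;
      #       id = 1586463155;
      #       name = "dbl.oisd.nl";
      #       url = "https://dbl.oisd.nl/";
      #     }
      #   ];
      #   http_proxy = "";
      #   language = "";
      #   log_compress = false;
      #   log_file = "";
      #   log_localtime = false;
      #   log_max_age = 3;
      #   log_max_backups = 0;
      #   log_max_size = 100;
      #   os = {
      #     group = "";
      #     rlimit_nofile = 0;
      #     user = "";
      #   };
      #   querylog = {
      #     enabled = true;
      #     file_enabled = true;
      #     ignored = [ ];
      #     interval = "168h";
      #     size_memory = 1000;
      #   };
      #   schema_version = 20;
      #   statistics = {
      #     enabled = true;
      #     ignored = [ ];
      #     interval = "168h";
      #   };
      #   theme = "auto";
      #   tls = {
      #     allow_unencrypted_doh = false;
      #     certificate_chain = "";
      #     certificate_path = "";
      #     dnscrypt_config_file = "";
      #     enabled = false;
      #     force_https = false;
      #     port_dns_over_quic = 784;
      #     port_dns_over_tls = 853;
      #     port_dnscrypt = 0;
      #     port_https = 443;
      #     private_key = "";
      #     private_key_path = "";
      #     server_name = "";
      #     strict_sni_check = false;
      #   };
      #   user_rules = [
      #     "@@||msmetrics.ws.sonos.com^$important"
      #     "@@||trafficdeposit.com^$important"
      #     "@@||omropfryslan.bbvms.com^$important"
      #     "@@||cdn.riverhit.com^$important"
      #     "@@||kpngroup.emsecure.net^$important"
      #     "@@||chtbl.com^$important"
      #     "@@||*^$client='TV'"
      #     "||mozilla.cloudflare-dns.com^$important"
      #     "||use-application-dns.net^$important"
      #     "@@||widget.fitanalytics.com^$important"
      #     "@@||cdn.bluebillywig.com^$important"
      #     "@@||bert.org^$important"
      #     "||prod-pre.fns.tunein.com^$important"
      #     "#||mi.com^$dnsrewrite=NOERROR;A;10.0.0.4"
      #     "#||xiaomi.com^$dnsrewrite=NOERROR;A;10.0.0.4"
      #     "@@||aa.tweakers.nl^$important"
      #     "@@||ab.tweakers.nl^$important"
      #     "||zip^"
      #   ];
      #   users = [
      #     {
      #       name = "erwin";
      #       password = "$2b$12$bcE.EzNPhKmtDlgkej83xeAE/ADmAczt.iaElp6v4QT8DBlbVBgb.";
      #     }
      #   ];
      #   verbose = false;
      #   web_session_ttl = 720;
      #   whitelist_filters = [ ];
      # };
    };

    # This is necessary to bind a raw socket for DHCP.
    # CAP_NET_RAW allows the service to open raw sockets on the host's
    # interfaces. It is only needed while AdGuard Home is the DHCP server, so
    # drop this line if DHCP is served elsewhere.
    systemd.services.adguardhome.serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];

    networking.firewall = {
      # 53/udp = DNS, 67/udp = DHCP server. TCP 53 is not opened here, so
      # clients that retry a query over TCP (for example after a truncated UDP
      # answer) are blocked unless another module allows it.
      allowedUDPPorts = [ 53 67 ];
    };
  };
}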