nixos-config/modules/adguard/default.nix


{ config, lib, ... }:
let
  # Pull in only the lib helpers this module uses; mkIf is needed by the
  # `config` section further down.
  inherit (lib) mkEnableOption mkIf mkOption types;

  # This module's own option values.
  cfg = config.eboskma.adguard;
in
{
  options.eboskma.adguard = {
    # Master switch: the `config` section is gated on this flag.
    enable = mkEnableOption "adguard";

    # List of upstream resolvers, given as strings.
    # NOTE(review): the only reference to cfg.upstreams in this file is inside
    # the commented-out settings (`upstream_dns = cfg.upstreams;`), so a value
    # set here currently has no effect on the running service.
    # NOTE(review): a bare address is plain, unencrypted DNS and `tls://` is
    # DNS-over-TLS; AdGuard Home documents `https://` for DNS-over-HTTPS, so
    # confirm that the `http://` example is intended.
    upstreams = mkOption {
      type = types.listOf types.str;
      description = "Upstream DNS servers";
      example = [
        "http://1.1.1.1"
        "tls://1.1.1.1"
        "1.1.1.1"
      ];
    };
  };
# Everything below applies only when eboskma.adguard.enable is set.
config = mkIf cfg.enable {
services.adguardhome = {
enable = true;
# Per the NixOS module's option description, this opens the AdGuard Home web
# interface port in the host firewall; it does not cover the DNS port.
# NOTE(review): the admin UI therefore becomes reachable from every network
# the firewall applies to. Confirm that is intended, or restrict it to a
# management interface.
openFirewall = true;
# No declarative settings are supplied. The commented-out reference block
# that follows (including auth_attempts / block_auth_min and the upstream
# list) is not applied.
# NOTE(review): the effective configuration presumably comes from the
# service's mutable on-disk state or the web UI. Verify that login
# throttling and a user account are actually configured there.
settings = { };
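# Disabled reference copy of a full AdGuard Home configuration. None of it is
# applied while `settings = { }` above is in effect. It still records internal
# hostnames, addresses and a password hash in the tracked file, so review it
# before publishing the repository.
# settings = {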
# auth_attempts = 5;
# block_auth_min = 15;
# clients = {
# persistent = [
# {
# name = "xiaomi-fan";
# ids = [ "5a:b6:23:35:1c:76" ];
# blocked_services = [
# "9gag"
# "amazon"
# "cloudflare"
# "dailymotion"
# "discord"
# "disneyplus"
# "ebay"
# "epic_games"
# "facebook"
# "hulu"
# "imgur"
# "instagram"
# "mail_ru"
# "netflix"
# "ok"
# "origin"
# "pinterest"
# "qq"
# "reddit"
# "skype"
# "snapchat"
# "spotify"
# "steam"
# "telegram"
# "tiktok"
# "tinder"
# "twitch"
# "twitter"
# "viber"
# "vimeo"
# "vk"
# "wechat"
# "weibo"
# "whatsapp"
# "youtube"
# ];
# filtering_enabled = true;
# ignore_querylog = false;
# ignore_statistics = false;
# parental_enabled = true;
# safe_search = {
# bing = false;
# duckduckgo = false;
# enabled = false;
# google = false;
# pixabay = false;
# yandex = false;
# youtube = false;
# };
# safebrowsing_enabled = true;
# tags = [ "device_other" ];
# upstreams = [ ];
# use_global_blocked_services = false;
# use_global_settings = true;
# }
# ];
# runtime_sources = {
# arp = true;
# dhcp = true;
# hosts = true;
# rdns = true;
# whois = true;
# };
# };
# debug_pprof = false;
# dhcp = {
# dhcpv4 = {
# gateway_ip = "10.0.0.1";
# icmp_timeout_msec = 1000;
# lease_duration = 86400;
# options = [ ];
# range_end = "10.0.0.200";
# range_start = "10.0.0.150";
# subnet_mask = "255.255.255.0";
# };
# dhcpv6 = {
# lease_duration = 86400;
# ra_allow_slaac = false;
# ra_slaac_only = false;
# range_start = "";
# };
# interface_name = "eth0";
# enabled = true;
# local_domain_name = "lan";
# };
# dns = {
# aaaa_disabled = false;
# all_servers = true;
# allowed_clients = [ ];
# anonymize_client_ip = false;
# bind_hosts = [ "0.0.0.0" ];
# blocked_hosts = [ "version.bind" "id.server" "hostname.bind" ];
# blocked_response_ttl = 10;
# blocked_services = [ "vk" "mail_ru" "pinterest" "tinder" "wechat" "ok" "qq" "snapchat" "weibo" "9gag" ];
# blocking_ipv4 = "";
# blocking_ipv6 = "";
# blocking_mode = "default";
# bogus_nxdomain = [ ];
# bootstrap_dns = [ ];
# bootstrap_prefer_ipv6 = false;
# cache_optimistic = false;
# cache_size = null;
# cache_time = 30;
# cache_ttl_max = 0;
# cache_ttl_min = 0;
# disallowed_clients = [ ];
# dns64_prefixes = [ ];
# edns_client_subnet = {
# custom_ip = "";
# enabled = true;
# use_custom = false;
# };
# enable_dnssec = true;
# fastest_addr = false;
# fastest_timeout = "1s";
# filtering_enabled = true;
# filters_update_interval = 24;
# handle_ddr = true;
# ipset = [ ];
# ipset_file = "";
# local_ptr_upstreams = [ ];
# max_goroutines = 0;
# parental_block_host = "family-block.dns.adguard.com";
# parental_cache_size = 1048576;
# parental_enabled = false;
# port = 53;
# private_networks = [ ];
# protection_disabled_until = null;
# protection_enabled = true;
# ratelimit = 20;
# ratelimit_whitelist = [ ];
# refuse_any = true;
# rewrites = [
# {
# answer = "10.0.0.254";
# domain = "track.datarift.nl";
# }
# {
# answer = "10.0.0.2";
# domain = "ca.datarift.nl";
# }
# {
# answer = "10.0.0.252";
# domain = "pve.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "git.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "minio.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "home.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "drone.datarift.nl";
# }
# {
# answer = "10.0.0.100";
# domain = "vidz.datarift.nl";
# }
# {
# answer = "10.0.0.4";
# domain = "loki.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "minio-admin.datarift.nl";
# }
# {
# answer = "192.168.4.32";
# domain = "vaultserver.horus.nu";
# }
# {
# answer = "10.0.0.254";
# domain = "mqtt.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "frigate.datarift.nl";
# }
# {
# answer = "192.168.4.130";
# domain = "containers.internal.horus.nu";
# }
# {
# answer = "192.168.4.121";
# domain = "repohost.bedum.horus.nu";
# }
# {
# answer = "192.168.4.150";
# domain = "teamcity.horus.nu";
# }
# {
# answer = "2a02:a441:c959:1:52ef:4c5d:ffac:25bc";
# domain = "frigate.datarift.nl";
# }
# ];
# safe_search = {
# bing = true;
# duckduckgo = true;
# enabled = false;
# google = true;
# pixabay = true;
# yandex = true;
# youtube = true;
# };
# safebrowsing_block_host = "standard-block.dns.adguard.com";
# safebrowsing_cache_size = 1048576;
# safebrowsing_enabled = false;
# safesearch_cache_size = 1048576;
# serve_http3 = false;
# trusted_proxies = [ "127.0.0.0/8" "::1/128" ];
# upstream_dns = cfg.upstreams;
# upstream_dns_file = "";
# upstream_timeout = "10s";
# use_dns64 = false;
# use_http3_upstreams = false;
# use_private_ptr_resolvers = true;
# };
# filters = [
# {
# enabled = true;
# id = 1;
# name = "AdGuard DNS filter";
# url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
# }
# {
# enabled = true;
# id = 2;
# name = "AdAway";
# url = "https://adaway.org/hosts.txt";
# }
# {
# enabled = true;
# id = 1586463155;
# name = "dbl.oisd.nl";
# url = "https://dbl.oisd.nl/";
# }
# ];
# http_proxy = "";
# language = "";
# log_compress = false;
# log_file = "";
# log_localtime = false;
# log_max_age = 3;
# log_max_backups = 0;
# log_max_size = 100;
# os = {
# group = "";
# rlimit_nofile = 0;
# user = "";
# };
# querylog = {
# enabled = true;
# file_enabled = true;
# ignored = [ ];
# interval = "168h";
# size_memory = 1000;
# };
# schema_version = 20;
# statistics = {
# enabled = true;
# ignored = [ ];
# interval = "168h";
# };
# theme = "auto";
# tls = {
# allow_unencrypted_doh = false;
# certificate_chain = "";
# certificate_path = "";
# dnscrypt_config_file = "";
# enabled = false;
# force_https = false;
# port_dns_over_quic = 784;
# port_dns_over_tls = 853;
# port_dnscrypt = 0;
# port_https = 443;
# private_key = "";
# private_key_path = "";
# server_name = "";
# strict_sni_check = false;
# };
# user_rules = [
# "@@||msmetrics.ws.sonos.com^$important"
# "@@||trafficdeposit.com^$important"
# "@@||omropfryslan.bbvms.com^$important"
# "@@||cdn.riverhit.com^$important"
# "@@||kpngroup.emsecure.net^$important"
# "@@||chtbl.com^$important"
# "@@||*^$client='TV'"
# "||mozilla.cloudflare-dns.com^$important"
# "||use-application-dns.net^$important"
# "@@||widget.fitanalytics.com^$important"
# "@@||cdn.bluebillywig.com^$important"
# "@@||bert.org^$important"
# "||prod-pre.fns.tunein.com^$important"
# "#||mi.com^$dnsrewrite=NOERROR;A;10.0.0.4"
# "#||xiaomi.com^$dnsrewrite=NOERROR;A;10.0.0.4"
# "@@||aa.tweakers.nl^$important"
# "@@||ab.tweakers.nl^$important"
# "||zip^"
# ];
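# NOTE(review): the bcrypt hash below is stored in the tracked file, so it is
# exposed to offline guessing by anyone who can read the repository. Treat the
# password as disclosed, rotate it, and supply the hash from a secret store
# instead of committing it.
# users = [
# {
# name = "erwin";
# password = "$2b$12$bcE.EzNPhKmtDlgkej83xeAE/ADmAczt.iaElp6v4QT8DBlbVBgb.";
# }
# ];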
# verbose = false;
# web_session_ttl = 720;
# whitelist_filters = [ ];
# };
};
# The DHCP server needs a raw socket, so the unit is given CAP_NET_RAW as an
# ambient capability.
# NOTE(review): the capability is granted unconditionally, while the only DHCP
# settings in this file are commented out. If DHCP is not served from this
# host, drop it. Newer nixpkgs releases may offer a dedicated module option
# for this; verify against the release in use.
systemd.services.adguardhome.serviceConfig = {
  AmbientCapabilities = [ "CAP_NET_RAW" ];
};

# UDP 53 is DNS and UDP 67 is the DHCP server port.
# NOTE(review): TCP 53 is not opened here, so clients that fall back to DNS
# over TCP (truncated or large answers) are blocked unless it is allowed
# elsewhere. UDP 67 is only needed while the DHCP server is in use.
networking.firewall.allowedUDPPorts = [ 53 67 ];
};
}