erwin/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Wiki Activity Actions
nixos-config/modules/adguard/default.nix

393 lines
11 KiB
Nix
Raw Blame History

{ config
, lib
, ...
}:
with lib; let
cfg = config.eboskma.adguard;
in
{
options.eboskma.adguard = {
enable = mkEnableOption "adguard";
upstreams = mkOption {
description = "Upstream DNS servers";
type = types.listOf types.str;
example = [
"http://1.1.1.1"
"tls://1.1.1.1"
"1.1.1.1"
];
};
};
config = mkIf cfg.enable {
services.adguardhome = {
enable = true;
openFirewall = true;
settings = {
auth_attempts = 5;
block_auth_min = 15;
clients = {
persistent = [
{
blocked_services = [ ];
filtering_enabled = false;
ids = [ "10.0.0.81" ];
ignore_querylog = false;
ignore_statistics = false;
name = "TV";
parental_enabled = false;
safe_search = {
bing = false;
duckduckgo = false;
enabled = false;
google = false;
pixabay = false;
yandex = false;
youtube = false;
};
safebrowsing_enabled = false;
tags = [ "device_tv" ];
upstreams = [ "1.1.1.1" ];
use_global_blocked_services = true;
use_global_settings = true;
}
{
blocked_services = [
"9gag"
"amazon"
"cloudflare"
"dailymotion"
"discord"
"disneyplus"
"ebay"
"epic_games"
"facebook"
"hulu"
"imgur"
"instagram"
"mail_ru"
"netflix"
"ok"
"origin"
"pinterest"
"qq"
"reddit"
"skype"
"snapchat"
"spotify"
"steam"
"telegram"
"tiktok"
"tinder"
"twitch"
"twitter"
"viber"
"vimeo"
"vk"
"wechat"
"weibo"
"whatsapp"
"youtube"
];
filtering_enabled = true;
ids = [ "5a:b6:23:35:1c:76" ];
ignore_querylog = false;
ignore_statistics = false;
name = "xiaomi-fan";
parental_enabled = true;
safe_search = {
bing = false;
duckduckgo = false;
enabled = false;
google = false;
pixabay = false;
yandex = false;
youtube = false;
};
safebrowsing_enabled = true;
tags = [ "device_other" ];
upstreams = [ ];
use_global_blocked_services = false;
use_global_settings = true;
}
];
runtime_sources = {
arp = true;
dhcp = true;
hosts = true;
rdns = true;
whois = true;
};
};
debug_pprof = false;
dhcp = {
dhcpv4 = {
gateway_ip = "10.0.0.1";
icmp_timeout_msec = 1000;
lease_duration = 86400;
options = [ ];
range_end = "10.0.0.200";
range_start = "10.0.0.150";
subnet_mask = "255.255.255.0";
};
dhcpv6 = {
lease_duration = 86400;
ra_allow_slaac = false;
ra_slaac_only = false;
range_start = "";
};
interface_name = "eth0";
enabled = true;
local_domain_name = "lan";
};
dns = {
aaaa_disabled = false;
all_servers = true;
allowed_clients = [ ];
anonymize_client_ip = false;
bind_hosts = [ "0.0.0.0" ];
blocked_hosts = [ "version.bind" "id.server" "hostname.bind" ];
blocked_response_ttl = 10;
blocked_services = [ "vk" "mail_ru" "pinterest" "tinder" "wechat" "ok" "qq" "snapchat" "weibo" "9gag" ];
blocking_ipv4 = "";
blocking_ipv6 = "";
blocking_mode = "default";
bogus_nxdomain = [ ];
bootstrap_dns = [ ];
bootstrap_prefer_ipv6 = false;
cache_optimistic = false;
cache_size = 4194304;
cache_time = 30;
cache_ttl_max = 0;
cache_ttl_min = 0;
disallowed_clients = [ ];
dns64_prefixes = [ ];
edns_client_subnet = {
custom_ip = "";
enabled = true;
use_custom = false;
};
enable_dnssec = true;
fastest_addr = false;
fastest_timeout = "1s";
filtering_enabled = true;
filters_update_interval = 24;
handle_ddr = true;
ipset = [ ];
ipset_file = "";
local_ptr_upstreams = [ ];
max_goroutines = 0;
parental_block_host = "family-block.dns.adguard.com";
parental_cache_size = 1048576;
parental_enabled = false;
port = 53;
private_networks = [ ];
protection_disabled_until = null;
protection_enabled = true;
ratelimit = 20;
ratelimit_whitelist = [ ];
refuse_any = true;
rewrites = [
{
answer = "10.0.0.254";
domain = "track.datarift.nl";
}
{
answer = "10.0.0.2";
domain = "ca.datarift.nl";
}
{
answer = "10.0.0.252";
domain = "pve.datarift.nl";
}
{
answer = "10.0.0.251";
domain = "git.datarift.nl";
}
{
answer = "10.0.0.251";
domain = "minio.datarift.nl";
}
{
answer = "10.0.0.251";
domain = "home.datarift.nl";
}
{
answer = "10.0.0.251";
domain = "drone.datarift.nl";
}
{
answer = "10.0.0.100";
domain = "vidz.datarift.nl";
}
{
answer = "10.0.0.4";
domain = "loki.datarift.nl";
}
{
answer = "10.0.0.251";
domain = "minio-admin.datarift.nl";
}
{
answer = "192.168.4.32";
domain = "vaultserver.horus.nu";
}
{
answer = "10.0.0.254";
domain = "mqtt.datarift.nl";
}
{
answer = "10.0.0.251";
domain = "frigate.datarift.nl";
}
{
answer = "192.168.4.130";
domain = "containers.internal.horus.nu";
}
{
answer = "192.168.4.121";
domain = "repohost.bedum.horus.nu";
}
{
answer = "192.168.4.150";
domain = "teamcity.horus.nu";
}
{
answer = "2a02:a441:c959:1:52ef:4c5d:ffac:25bc";
domain = "frigate.datarift.nl";
}
];
safe_search = {
bing = true;
duckduckgo = true;
enabled = false;
google = true;
pixabay = true;
yandex = true;
youtube = true;
};
safebrowsing_block_host = "standard-block.dns.adguard.com";
safebrowsing_cache_size = 1048576;
safebrowsing_enabled = false;
safesearch_cache_size = 1048576;
serve_http3 = false;
trusted_proxies = [ "127.0.0.0/8" "::1/128" ];
upstream_dns = cfg.upstreams;
upstream_dns_file = "";
upstream_timeout = "10s";
use_dns64 = false;
use_http3_upstreams = false;
use_private_ptr_resolvers = true;
};
filters = [
{
enabled = true;
id = 1;
name = "AdGuard DNS filter";
url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
}
{
enabled = true;
id = 2;
name = "AdAway";
url = "https://adaway.org/hosts.txt";
}
{
enabled = true;
id = 3;
name = "hpHosts - Ad and Tracking servers only";
url = "https://hosts-file.net/ad_servers.txt";
}
{
enabled = true;
id = 4;
name = "MalwareDomainList.com Hosts List";
url = "https://www.malwaredomainlist.com/hostslist/hosts.txt";
}
{
enabled = true;
id = 1586463155;
name = "dbl.oisd.nl";
url = "https://dbl.oisd.nl/";
}
];
http_proxy = "";
language = "";
log_compress = false;
log_file = "";
log_localtime = false;
log_max_age = 3;
log_max_backups = 0;
log_max_size = 100;
os = {
group = "";
rlimit_nofile = 0;
user = "";
};
querylog = {
enabled = true;
file_enabled = true;
ignored = [ ];
interval = "168h";
size_memory = 1000;
};
schema_version = 20;
statistics = {
enabled = true;
ignored = [ ];
interval = "168h";
};
theme = "auto";
tls = {
allow_unencrypted_doh = false;
certificate_chain = "";
certificate_path = "";
dnscrypt_config_file = "";
enabled = false;
force_https = false;
port_dns_over_quic = 784;
port_dns_over_tls = 853;
port_dnscrypt = 0;
port_https = 443;
private_key = "";
private_key_path = "";
server_name = "";
strict_sni_check = false;
};
user_rules = [
"@@||msmetrics.ws.sonos.com^$important"
"@@||trafficdeposit.com^$important"
"@@||omropfryslan.bbvms.com^$important"
"@@||cdn.riverhit.com^$important"
"@@||kpngroup.emsecure.net^$important"
"@@||chtbl.com^$important"
"@@||*^$client='TV'"
"||mozilla.cloudflare-dns.com^$important"
"||use-application-dns.net^$important"
"@@||widget.fitanalytics.com^$important"
"@@||cdn.bluebillywig.com^$important"
"@@||bert.org^$important"
"||prod-pre.fns.tunein.com^$important"
"#||mi.com^$dnsrewrite=NOERROR;A;10.0.0.4"
"#||xiaomi.com^$dnsrewrite=NOERROR;A;10.0.0.4"
"@@||aa.tweakers.nl^$important"
"@@||ab.tweakers.nl^$important"
"||zip^"
];
users = [ ];
verbose = false;
web_session_ttl = 720;
whitelist_filters = [ ];
};
};
# This is necessary to bind a raw socket for DHCP
systemd.services.adguardhome.serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];
networking.firewall = {
allowedUDPPorts = [ 53 67 ];
};
};
}
Reference in a new issue View git blame Copy permalink