From 194242560543752a96d3364b81788cf85df94dc2 Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Wed, 18 Mar 2026 21:12:31 +0100
Subject: [PATCH] feat(adguard): enable DoT and fix ClientID injection

- Enable DNS-over-TLS (DoT) on port 853 using Nginx's ACME certificates
- Fix an issue where the native NixOS module dropped SOPS client IDs
- Use sops.templates and yq to inject ClientIDs dynamically before start
- Enable allow_unencrypted_doh to fix Nginx proxying DoH correctly
---
 modules/adguard.nix | 42 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)

diff --git a/modules/adguard.nix b/modules/adguard.nix
index 3b517e9..e4e39da 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -67,6 +67,18 @@ in
 };

 config = lib.mkIf cfg.enable {
+ # Provide an adguard clients partial config for injection
+ sops.templates."adguard_clients.yaml" = {
+ content = builtins.toJSON {
+ clients = {
+ persistent = map (client: {
+ name = client.name;
+ ids = [ config.sops.placeholder.${client.idSecret} ];
+ }) cfg.clients;
+ };
+ };
+ };
+
 services.adguardhome = {
 enable = true;
 host = "127.0.0.1";
@@ -82,6 +94,16 @@ in
 statistics_enabled = true;
 };

+ tls = {
+ enabled = true;
+ server_name = cfg.domain;
+ certificate_path = "/var/lib/acme/${cfg.domain}/fullchain.pem";
+ private_key_path = "/var/lib/acme/${cfg.domain}/key.pem";
+ port_dns_over_tls = 853;
+ port_dns_over_quic = 0;
+ allow_unencrypted_doh = true;
+ };
+
 filtering = {
 protection_enabled = true;
 filtering_enabled = true;
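Review bot: The file rendered for `sops.templates."adguard_clients.yaml"` keeps sops-nix's default owner and mode (root-owned, 0400 unless overridden), yet it is opened by the adguardhome preStart added in the last hunk, which runs as the unit's own user if the service is under DynamicUser, as the `/var/lib/private/AdGuardHome` path there suggests; the yq `load(...)` would then fail and the unit would not start. Rather than loosening the mode, hand the file to the unit as a systemd credential, which is readable from ExecStartPre: `systemd.services.adguardhome.serviceConfig.LoadCredential = [ "clients.yaml:${config.sops.templates."adguard_clients.yaml".path}" ];` and have the yq expression load `"$CREDENTIALS_DIRECTORY/clients.yaml"` instead of the template path. Also set `restartUnits = [ "adguardhome.service" ];` on the template so a rotated client ID is re-injected on the next switch rather than on the next unrelated restart. The `config = lib.mkIf cfg.enable {` set opened here continues past the hunk.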
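Review bot: Nothing restarts adguardhome after the ACME timer renews the files named in `certificate_path` and `private_key_path`, so the DoT listener on 853 keeps serving the leaf it loaded at start until the unit happens to restart, unless AdGuardHome re-reads the files on its own; `security.acme.certs.${cfg.domain}.reloadServices = [ "adguardhome.service" ];` closes that gap. `allow_unencrypted_doh = true` is only acceptable because the web listener is bound to the loopback `host` set in the previous hunk and Nginx terminates TLS in front of it; a comment on that line such as `# DoH plaintext is fine only while host stays on loopback behind Nginx` would keep the two settings from drifting apart. The settings attribute set this `tls` block sits in starts and ends outside the hunk.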
@@ -107,13 +129,25 @@ in
 local_time = false;
 verbose = false;
 };
- } // lib.optionalAttrs (lib.length cfg.clients == 0) {
- clients = {
- persistent = [ ];
- };
 };
 };

+ # Merge the clients configuration with the generated AdGuardHome.yaml before it starts
+ systemd.services.adguardhome = {
+ requires = [ "acme-${cfg.domain}.service" ];
+ after = [ "acme-${cfg.domain}.service" ];
+ serviceConfig.SupplementaryGroups = [ "acme" ];
+ preStart = lib.mkAfter ''
+ if [ -f /var/lib/private/AdGuardHome/AdGuardHome.yaml ]; then
+ ${pkgs.yq-go}/bin/yq -i '.clients.persistent = load("${config.sops.templates."adguard_clients.yaml".path}").clients.persistent' /var/lib/private/AdGuardHome/AdGuardHome.yaml
+ fi
+ '';
+ };
+
+ # Open firewall for DoT
+ networking.firewall.allowedTCPPorts = [ 853 ];
+ networking.firewall.allowedUDPPorts = [ 853 ];
+
+ # Auto-declare SOPS secrets for each client
 sops.secrets = lib.mkMerge (
 map (client: {
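Review bot: `networking.firewall.allowedUDPPorts = [ 853 ];` opens a port nothing listens on: DoT is TCP-only and the previous hunk sets `port_dns_over_quic = 0`, so DoQ, the only UDP/853 consumer, is disabled; drop the UDP line (or enable DoQ deliberately) so the exposed surface matches the configured listeners. `serviceConfig.SupplementaryGroups = [ "acme" ]` grants read access to every certificate under `/var/lib/acme` that keeps the default group, not just `cfg.domain`'s; scoping it with a per-certificate `security.acme.certs.${cfg.domain}.group` would be tighter. The hard-coded `/var/lib/private/AdGuardHome/AdGuardHome.yaml` in `preStart` would be better written as `"$STATE_DIRECTORY/AdGuardHome.yaml"`, which systemd supplies to the unit and which does not depend on whether the service runs under DynamicUser. The `sops.secrets = lib.mkMerge (` expression at the end of the hunk continues outside it.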