feat(adguard): enable DoT and fix ClientID injection
- Enable DNS-over-TLS (DoT) on port 853 using Nginx's ACME certificates - Fix an issue where the native NixOS module dropped SOPS client IDs - Use sops.templates and yq to inject ClientIDs dynamically before start - Enable allow_unencrypted_doh so that Nginx can proxy DoH correctly
parent
5dd91f74b1
commit
1942425605
1 changed files with 38 additions and 4 deletions
@ -67,6 +67,18 @@ in
};
};
config = lib.mkIf cfg.enable {
config = lib.mkIf cfg.enable {
# Provide an adguard clients partial config for injection
sops.templates."adguard_clients.yaml" = {
content = builtins.toJSON {
clients = {
persistent = map (client: {
name = client.name;
ids = [ config.sops.placeholder.${client.idSecret} ];
}) cfg.clients;
};
};
};
services.adguardhome = {
services.adguardhome = {
enable = true;
enable = true;
host = "127.0.0.1";
host = "127.0.0.1";
@ -82,6 +94,16 @@ in
statistics_enabled = true;
statistics_enabled = true;
};
};
tls = {
enabled = true;
server_name = cfg.domain;
certificate_path = "/var/lib/acme/${cfg.domain}/fullchain.pem";
private_key_path = "/var/lib/acme/${cfg.domain}/key.pem";
port_dns_over_tls = 853;
port_dns_over_quic = 0;
allow_unencrypted_doh = true;
};
filtering = {
filtering = {
protection_enabled = true;
protection_enabled = true;
filtering_enabled = true;
filtering_enabled = true;
@ -107,13 +129,25 @@ in
local_time = false;
local_time = false;
verbose = false;
verbose = false;
};
};
} // lib.optionalAttrs (lib.length cfg.clients == 0) {
clients = {
persistent = [ ];
};
};
};
};
# Merge the clients configuration with the generated AdGuardHome.yaml before it starts
systemd.services.adguardhome = {
requires = [ "acme-${cfg.domain}.service" ];
after = [ "acme-${cfg.domain}.service" ];
serviceConfig.SupplementaryGroups = [ "acme" ];
preStart = lib.mkAfter ''
if [ -f /var/lib/private/AdGuardHome/AdGuardHome.yaml ]; then
${pkgs.yq-go}/bin/yq -i '.clients.persistent = load("${config.sops.templates."adguard_clients.yaml".path}").clients.persistent' /var/lib/private/AdGuardHome/AdGuardHome.yaml
fi
'';
};
};
# Open firewall for DoT
networking.firewall.allowedTCPPorts = [ 853 ];
networking.firewall.allowedUDPPorts = [ 853 ];
# Auto-declare SOPS secrets for each client
# Auto-declare SOPS secrets for each client
sops.secrets = lib.mkMerge (
sops.secrets = lib.mkMerge (
map (client: {
map (client: {
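Review bot: `networking.firewall.allowedUDPPorts = [ 853 ];` in the last hunk opens UDP 853 while the tls block in the second hunk sets `port_dns_over_quic = 0`, so nothing listens there; DoT is TCP-only, and dropping that line keeps the exposed ports to what the service actually serves, leaving only `networking.firewall.allowedTCPPorts = [ 853 ];`. `allow_unencrypted_doh = true` is acceptable only because `host = "127.0.0.1"` keeps the plain-HTTP DoH listener on loopback behind Nginx, so a comment beside it such as `# Plain-HTTP DoH is safe only while host stays bound to loopback; Nginx terminates TLS in front of it` would record that coupling before someone widens the bind address. The yq call in preStart reads the sops template at `config.sops.templates."adguard_clients.yaml".path`, presumably as the unit's own user since preStart becomes a plain ExecStartPre; if the unit uses DynamicUser (the /var/lib/private path suggests it), confirm the template's owner or mode lets that user read the file, otherwise the merge fails on every start and the clients are never injected. The `sops.secrets` map that begins at the end of this hunk continues outside the hunk.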