refactor(adguard): migrate to native nixos service
Replace the Podman container and manual YAML templating with the native NixOS module for better system integration and simpler declarative configuration.
This commit is contained in:
parent
7a505055f8
commit
219391bc85
1 changed files with 39 additions and 53 deletions
|
|
@ -67,63 +67,49 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
# Ensure Podman is enabled
|
services.adguardhome = {
|
||||||
myModules.podman.enable = true;
|
enable = true;
|
||||||
|
host = "127.0.0.1";
|
||||||
|
port = cfg.port;
|
||||||
|
settings = {
|
||||||
|
dns = {
|
||||||
|
upstream_dns = [ cfg.upstreamDoh ];
|
||||||
|
bootstrap_dns = cfg.bootstrapDns;
|
||||||
|
querylog_enabled = true;
|
||||||
|
querylog_file_enabled = true;
|
||||||
|
statistics_enabled = true;
|
||||||
|
};
|
||||||
|
|
||||||
# AdGuard Home Container
|
filtering = {
|
||||||
virtualisation.oci-containers.containers."adguard" = {
|
protection_enabled = true;
|
||||||
image = "docker.io/adguard/adguardhome:latest";
|
filtering_enabled = true;
|
||||||
ports = [ "127.0.0.1:${toString cfg.port}:3000/tcp" ];
|
};
|
||||||
extraOptions = [
|
|
||||||
"--tmpfs=/tmp"
|
|
||||||
];
|
|
||||||
volumes = [
|
|
||||||
"${config.sops.templates."adguardhome.yaml".path}:/opt/adguardhome/conf/AdGuardHome.yaml:ro"
|
|
||||||
"adguard-data:/opt/adguardhome/work"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# SOPS template for AdGuard configuration
|
safebrowsing = {
|
||||||
sops.templates."adguardhome.yaml" = {
|
enabled = false;
|
||||||
content = ''
|
};
|
||||||
http:
|
|
||||||
address: 0.0.0.0:3000
|
|
||||||
|
|
||||||
dns:
|
parental = {
|
||||||
upstream_dns:
|
enabled = false;
|
||||||
- ${cfg.upstreamDoh}
|
};
|
||||||
bootstrap_dns:
|
|
||||||
${lib.concatStringsSep "\n " (map (d: "- ${d}") cfg.bootstrapDns)}
|
|
||||||
querylog_enabled: true
|
|
||||||
querylog_file_enabled: true
|
|
||||||
statistics_enabled: true
|
|
||||||
|
|
||||||
${lib.optionalString (lib.length cfg.clients == 0) ''
|
safesearch = {
|
||||||
clients:
|
enabled = false;
|
||||||
persistent: []
|
};
|
||||||
''}
|
|
||||||
|
|
||||||
filtering:
|
log = {
|
||||||
protection_enabled: true
|
file = "";
|
||||||
filtering_enabled: true
|
max_backups = 0;
|
||||||
|
max_size = 100;
|
||||||
safebrowsing:
|
compress = false;
|
||||||
enabled: false
|
local_time = false;
|
||||||
|
verbose = false;
|
||||||
parental:
|
};
|
||||||
enabled: false
|
} // lib.optionalAttrs (lib.length cfg.clients == 0) {
|
||||||
|
clients = {
|
||||||
safesearch:
|
persistent = [ ];
|
||||||
enabled: false
|
};
|
||||||
|
};
|
||||||
log:
|
|
||||||
file: ""
|
|
||||||
max_backups: 0
|
|
||||||
max_size: 100
|
|
||||||
compress: false
|
|
||||||
local_time: false
|
|
||||||
verbose: false
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Auto-declare SOPS secrets for each client
|
# Auto-declare SOPS secrets for each client
|
||||||
|
|
@ -167,4 +153,4 @@ in
|
||||||
# Ensure nginx user can access ACME certs
|
# Ensure nginx user can access ACME certs
|
||||||
users.users.nginx.extraGroups = [ "acme" ];
|
users.users.nginx.extraGroups = [ "acme" ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
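Review bot: The DNS listener's exposure changes silently in this migration: the removed container only published port 3000 to 127.0.0.1 (`ports = [ "127.0.0.1:${toString cfg.port}:3000/tcp" ]`) and never mapped port 53 onto the host, whereas on the new side `host = "127.0.0.1"` only constrains the web UI and `settings.dns` sets no `bind_hosts`, so the resolver binds wherever AdGuard Home's default points (as far as I recall, all interfaces) unless the NixOS firewall happens to block it. If DNS is meant to stay host-local or serve specific interfaces, say so explicitly, e.g. `dns.bind_hosts = [ "127.0.0.1" ];` next to `upstream_dns`, with a comment such as `# DNS is only reachable locally; nginx fronts DoH/UI` recording the intended exposure. Two further points to confirm against the NixOS module: everything in `settings` is rendered into the world-readable Nix store, so the per-client SOPS secrets auto-declared below this hunk must not be merged into `settings` (the old SOPS template avoided exactly that); and if the module's `mutableSettings` option is left at its upstream default, web-UI edits can override `protection_enabled` and `upstream_dns` after first start, so set `mutableSettings = false;` if the declared values are meant to be enforced. The enclosing `config = lib.mkIf cfg.enable { ... }` block continues beyond the first hunk.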