Manage AdGuard Home blocklists via NixOS using yq-go injection

2026-03-18 22:01:38 +01:00 · 2026-03-18 22:01:38 +01:00 · 7ea9246d74
commit 7ea9246d74
parent 4790078ff9
1 changed files with 41 additions and 2 deletions
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@ -47,9 +47,42 @@ in
      default = [ "194.242.2.2" "2a07:e340::2" ];
      description = "Bootstrap DNS servers for resolving DoH upstream";
    };
+
+    filters = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          name = lib.mkOption {
+            type = lib.types.str;
+            description = "Friendly name for the filter list";
+          };
+          url = lib.mkOption {
+            type = lib.types.str;
+            description = "URL of the filter list (txt format)";
+          };
+          enabled = lib.mkOption {
+            type = lib.types.bool;
+            default = true;
+            description = "Whether the filter is enabled";
+          };
+        };
+      });
+      default = [
+        { name = "AdGuard DNS filter"; url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"; }
+        { name = "AdAway Default Blocklist"; url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt"; }
+        { name = "HaGeZi Multi Light"; url = "https://hagezi.github.io/dns-blocklists/wildcard/light.txt"; }
+        { name = "OISD Basic"; url = "https://small.oisd.nl/"; }
+        { name = "Peter Lowe's List"; url = "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adguard&showintro=0&mimetype=plaintext"; }
+      ];
+      description = "DNS blocklists to maintain in AdGuard Home";
+    };
  };

  config = lib.mkIf cfg.enable {
+    # Generate a temporary JSON file containing the filters for yq to inject
+    systemd.tmpfiles.rules = [
+      "f /run/adguardhome_filters.json 0644 root root - ${builtins.toJSON { filters = map (f: { inherit (f) name url enabled; id = (builtins.hashString "sha256" f.url); }) cfg.filters; }}"
+    ];
+
    services.adguardhome = {
      enable = true;
      host = "127.0.0.1";
@ -104,11 +137,17 @@ in
      };
    };

-    # Give AdGuardHome access to ACME certificates
+    # Inject filters into AdGuardHome.yaml before starting
    systemd.services.adguardhome = {
      requires = [ "acme-${cfg.domain}.service" ];
      after = [ "acme-${cfg.domain}.service" ];
-      serviceConfig.SupplementaryGroups = [ "acme" "nginx" ];
+      serviceConfig.SupplementaryGroups = [ "acme" ];
+      serviceConfig.SystemCallFilter = lib.mkForce []; # Allow yq-go to run its syscalls
+      preStart = lib.mkAfter ''
+        if [ -f /var/lib/private/AdGuardHome/AdGuardHome.yaml ]; then
+          ${pkgs.yq-go}/bin/yq -i '.filters = load("/run/adguardhome_filters.json").filters' /var/lib/private/AdGuardHome/AdGuardHome.yaml
+        fi
+      '';
    };

    # Open firewall for DoT