ashie/nixos-vps
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleanup

Browse source
This commit is contained in:
ashisgreat22 2026-03-18 21:27:41 +01:00
parent ac36befbd7
commit e9652aaaa6
2 changed files with 3 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

6
configuration.nix
View file

@ -87,14 +87,10 @@
}; };
}; };
# === AdGuard Home (DoH) === # === AdGuard Home (DoT) ===
myModules.adguard = { myModules.adguard = {
enable = true; enable = true;
domain = "dns.ashisgreat.xyz"; domain = "dns.ashisgreat.xyz";
clients = [
{ name = "phone"; idSecret = "adguard_client_phone"; }
{ name = "laptop"; idSecret = "adguard_client_laptop"; }
];
}; };
# === OpenClaw === # === OpenClaw ===

46
modules/adguard.nix
View file

@ -47,38 +47,9 @@ in
default = [ "194.242.2.2" "2a07:e340::2" ]; default = [ "194.242.2.2" "2a07:e340::2" ];
description = "Bootstrap DNS servers for resolving DoH upstream"; description = "Bootstrap DNS servers for resolving DoH upstream";
}; };
clients = lib.mkOption {
type = lib.types.listOf (lib.types.submodule {
options = {
name = lib.mkOption {
type = lib.types.str;
description = "Friendly name for client device";
};
idSecret = lib.mkOption {
type = lib.types.str;
description = "SOPS secret name containing the ClientID";
};
};
});
default = [ ];
description = "List of clients with their ClientID secrets";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# Provide an adguard clients partial config for injection
sops.templates."adguard_clients.yaml" = {
content = builtins.toJSON {
clients = {
persistent = map (client: {
name = client.name;
ids = [ config.sops.placeholder.${client.idSecret} ];
}) cfg.clients;
};
};
};
services.adguardhome = { services.adguardhome = {
enable = true; enable = true;
host = "127.0.0.1"; host = "127.0.0.1";
@ -132,30 +103,17 @@ in
}; };
}; };
# Merge the clients configuration with the generated AdGuardHome.yaml before it starts # Give AdGuardHome access to ACME certificates
systemd.services.adguardhome = { systemd.services.adguardhome = {
requires = [ "acme-${cfg.domain}.service" ]; requires = [ "acme-${cfg.domain}.service" ];
after = [ "acme-${cfg.domain}.service" ]; after = [ "acme-${cfg.domain}.service" ];
serviceConfig.SupplementaryGroups = [ "acme" "keys" ]; serviceConfig.SupplementaryGroups = [ "acme" ];
serviceConfig.SystemCallFilter = lib.mkForce [];
preStart = lib.mkAfter ''
if [ -f /var/lib/private/AdGuardHome/AdGuardHome.yaml ]; then
${pkgs.yq-go}/bin/yq -i '.clients.persistent = load("${config.sops.templates."adguard_clients.yaml".path}").clients.persistent' /var/lib/private/AdGuardHome/AdGuardHome.yaml
fi
'';
}; };
# Open firewall for DoT # Open firewall for DoT
networking.firewall.allowedTCPPorts = [ 853 ]; networking.firewall.allowedTCPPorts = [ 853 ];
networking.firewall.allowedUDPPorts = [ 853 ]; networking.firewall.allowedUDPPorts = [ 853 ];
# Auto-declare SOPS secrets for each client
sops.secrets = lib.mkMerge (
map (client: {
${client.idSecret} = { };
}) cfg.clients
);
# Nginx configuration (kept to satisfy ACME challenges for DoT certificates) # Nginx configuration (kept to satisfy ACME challenges for DoT certificates)
services.nginx.virtualHosts."${cfg.domain}" = { services.nginx.virtualHosts."${cfg.domain}" = {
enableACME = true; enableACME = true;