From 5d177a0d5c4d18e7daa2d6a44bb5fc0383ae40d3 Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Thu, 19 Mar 2026 22:43:45 +0100
Subject: [PATCH] feat(network): rewrite internal dns and expose adguard ui

- Add DNS rewrites in AdGuard Home for `*.ashisgreat.xyz` to route to the Tailscale IP (`100.64.0.3`).
- Securely expose the AdGuard Home Web UI to the Tailscale network instead of blocking it completely.
---
 modules/adguard.nix | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/modules/adguard.nix b/modules/adguard.nix
index 0e3aacb..a9c7e20 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -96,6 +96,16 @@ in
 querylog_enabled = true;
 querylog_file_enabled = true;
 statistics_enabled = true;
+ rewrites = [
+ {
+ domain = "*.ashisgreat.xyz";
+ answer = "100.64.0.3";
+ }
+ {
+ domain = "ashisgreat.xyz";
+ answer = "100.64.0.3";
+ }
+ ];
 };
 tls = {
@@ -175,15 +185,11 @@ in
 iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
 '';
- # Nginx configuration (kept to satisfy ACME challenges for DoT certificates)
- services.nginx.virtualHosts."${cfg.domain}" = {
- enableACME = true;
- forceSSL = true;
-
- # Block all paths (no DoH or UI exposed via Nginx)
- locations."/" = {
- return = "404";
- };
+ # Nginx reverse proxy for AdGuard Home Web UI (restricted to Tailscale)
+ myModules.nginx.domains."${cfg.domain}" = {
+ port = cfg.port;
+ internalOnly = true;
+ contentSecurityPolicy = null; # AdGuard Home handles its own CSP
 };
 # Ensure nginx user can access ACME certs
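Review bot: The Tailscale address `100.64.0.3` is hard-coded twice in the new `rewrites` list with nothing tying it to the node that actually runs AdGuard Home, so a re-registered node or a move to another host silently breaks every `*.ashisgreat.xyz` name for tailnet clients while the config still evaluates. Bind it once in the module's `let` block (e.g. `tailscaleIP = "100.64.0.3";`, or an option set next to the host definition) and use `answer = tailscaleIP;` in both entries. The wildcard also overrides the public answer for every label under the zone, for every client that reaches this resolver, including names that may exist publicly but are not served here; a comment such as `# Overrides public DNS for the whole zone for all AdGuard clients — keep in sync with the Tailscale node address` would make that scope explicit. The enclosing attribute set starts before the hunk.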
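Review bot: The removed block carried `enableACME = true` and the comment that the vhost existed to satisfy ACME challenges for the DoT certificate, and nothing in the new `myModules.nginx.domains` entry shows that certificate issuance still happens or that `internalOnly = true` leaves the ACME challenge path reachable from outside the tailnet; the `# Ensure nginx user can access ACME certs` context line that follows suggests the certificate is still expected. If the module implements `internalOnly` as a source-address restriction on the whole vhost, HTTP-01 renewals will fail once the current certificate expires unless the module uses DNS-01 or exempts the challenge path — worth confirming and recording, e.g. `# internalOnly restricts the vhost to Tailscale source addresses; ACME issuance for the DoT cert must still be handled by myModules.nginx`. Proxying the UI also means AdGuard Home's own login is the only authentication on this path, which the comment should state rather than `restricted to Tailscale` alone. The enclosing config block continues outside the hunk.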