feat(network): rewrite internal dns and expose adguard ui

- Add DNS rewrites in AdGuard Home for `*.ashisgreat.xyz` to route to the Tailscale IP (`100.64.0.3`). - Securely expose the AdGuard Home Web UI to the Tailscale network instead of blocking it completely.
2026-03-19 22:43:45 +01:00 · 2026-03-19 22:43:45 +01:00 · 5d177a0d5c
commit 5d177a0d5c
parent f31ec2ce65
1 changed files with 15 additions and 9 deletions
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@ -96,6 +96,16 @@ in
          querylog_enabled = true;
          querylog_file_enabled = true;
          statistics_enabled = true;
+          rewrites = [
+            {
+              domain = "*.ashisgreat.xyz";
+              answer = "100.64.0.3";
+            }
+            {
+              domain = "ashisgreat.xyz";
+              answer = "100.64.0.3";
+            }
+          ];
        };

        tls = {
@ -175,15 +185,11 @@ in
      iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
    '';

-    # Nginx configuration (kept to satisfy ACME challenges for DoT certificates)
-    services.nginx.virtualHosts."${cfg.domain}" = {
-      enableACME = true;
-      forceSSL = true;
-
-      # Block all paths (no DoH or UI exposed via Nginx)
-      locations."/" = {
-        return = "404";
-      };
+    # Nginx reverse proxy for AdGuard Home Web UI (restricted to Tailscale)
+    myModules.nginx.domains."${cfg.domain}" = {
+      port = cfg.port;
+      internalOnly = true;
+      contentSecurityPolicy = null; # AdGuard Home handles its own CSP
    };

    # Ensure nginx user can access ACME certs