feat(network): rewrite internal dns and expose adguard ui
- Add DNS rewrites in AdGuard Home for `ashisgreat.xyz` and `*.ashisgreat.xyz` that answer with the Tailscale IP (`100.64.0.3`). - Expose the AdGuard Home Web UI through nginx to the Tailscale network only, instead of returning 404 for every path.
parent
f31ec2ce65
commit
5d177a0d5c
1 changed files with 15 additions and 9 deletions
@ -96,6 +96,16 @@ in
|
||||||
querylog_enabled = true;
|
querylog_enabled = true;
|
||||||
querylog_file_enabled = true;
|
querylog_file_enabled = true;
|
||||||
statistics_enabled = true;
|
statistics_enabled = true;
|
||||||
|
rewrites = [
|
||||||
|
{
|
||||||
|
domain = "*.ashisgreat.xyz";
|
||||||
|
answer = "100.64.0.3";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
domain = "ashisgreat.xyz";
|
||||||
|
answer = "100.64.0.3";
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
tls = {
|
tls = {
|
||||||
|
|
@ -175,15 +185,11 @@ in
|
||||||
iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
|
iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Nginx configuration (kept to satisfy ACME challenges for DoT certificates)
|
# Nginx reverse proxy for AdGuard Home Web UI (restricted to Tailscale)
|
||||||
services.nginx.virtualHosts."${cfg.domain}" = {
|
myModules.nginx.domains."${cfg.domain}" = {
|
||||||
enableACME = true;
|
port = cfg.port;
|
||||||
forceSSL = true;
|
internalOnly = true;
|
||||||
|
contentSecurityPolicy = null; # AdGuard Home handles its own CSP
|
||||||
# Block all paths (no DoH or UI exposed via Nginx)
|
|
||||||
locations."/" = {
|
|
||||||
return = "404";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Ensure nginx user can access ACME certs
|
# Ensure nginx user can access ACME certs
|
||||||
|
|
|
||||||
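Review bot: `internalOnly = true` on `myModules.nginx.domains."${cfg.domain}"` is now the only control between the AdGuard Home admin UI and the public internet, and what it enforces is defined outside this hunk, so the change should document it in place, e.g. `# internalOnly: nginx allows 100.64.0.0/10 and denies everything else on this vhost — confirm in the myModules.nginx implementation`, rather than relying on the commit message. The removed block served `enableACME` while returning 404 for every path, which suggests this vhost is reachable publicly for HTTP-01 challenges; if that is still true, the restriction has to be a source-address allowlist (not just a listen address) and `/.well-known/acme-challenge/` must stay exempt or renewal of the DoT certificate will break. Dropping the proxy CSP with `contentSecurityPolicy = null` is fine only if AdGuard Home really emits its own header; I would reword the comment to `# AdGuard Home sets its own CSP header; not overridden here` once that is checked. Because the UI now sits behind a reverse proxy, AdGuard Home's login rate-limiting and logs will likely see the proxy address unless the client IP is forwarded and AdGuard's trusted_proxies setting includes the nginx host — worth confirming. The enclosing attribute set continues beyond the hunk.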