nixos-vps

Author	SHA1	Message	Date
ashisgreat22	8f6f196aeb	fix(adguard): bind to 0.0.0.0 for direct Tailscale access Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-22 01:45:51 +00:00
ashisgreat22	aa18a6f494	feat(security): restrict AdGuard Home to Tailscale network - Add internalOnly to AdGuard nginx config - Add ts-input firewall rule for direct Tailscale access - Update Netdata to use ts-input chain for consistency Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-22 01:45:51 +00:00
ashisgreat22	6b64254eab	.	2026-03-22 01:45:51 +00:00
ashisgreat22	adb8ddb611	feat(security): expose internal services and DoH to public - Remove `internalOnly = true` flag from Vaultwarden, Forgejo, and AdGuard Home to make them publicly accessible again. - This also re-exposes the DNS-over-HTTPS (DoH) endpoint on the AdGuard Home domain.	2026-03-19 22:48:14 +01:00
ashisgreat22	5d177a0d5c	feat(network): rewrite internal dns and expose adguard ui - Add DNS rewrites in AdGuard Home for `*.ashisgreat.xyz` to route to the Tailscale IP (`100.64.0.3`). - Securely expose the AdGuard Home Web UI to the Tailscale network instead of blocking it completely.	2026-03-19 22:43:45 +01:00
ashisgreat22	1c76661538	feat(network): route tailscale dns through adguard - Configure Headscale to use the VPS Tailscale IP (100.64.0.3) as the global DNS server instead of external providers. - Add firewall rules to allow DNS requests over the `tailscale0` interface. - Add iptables PREROUTING rules to redirect standard DNS (port 53) from Tailscale clients to AdGuard Home (port 5353) to resolve port conflicts with `aardvark-dns`.	2026-03-19 22:14:18 +01:00
ashisgreat22	c51c7183c1	Allow AdGuard Home to read ACME certificates via ReadOnlyPaths	2026-03-18 22:12:28 +01:00
ashisgreat22	deedd00762	Automate certificate path injection in AdGuard Home config	2026-03-18 22:11:08 +01:00
ashisgreat22	223f716b85	Remove explicit filter IDs from AdGuard config to avoid unmarshalling errors	2026-03-18 22:06:47 +01:00
ashisgreat22	8a9c513fde	Fix AdGuard filter ID type (string to integer)	2026-03-18 22:02:44 +01:00
ashisgreat22	7ea9246d74	Manage AdGuard Home blocklists via NixOS using yq-go injection	2026-03-18 22:01:38 +01:00
ashisgreat22	8f44273faf	Cleanup	2026-03-18 21:33:42 +01:00
ashisgreat22	01b19c9fa0	Cleanup	2026-03-18 21:31:19 +01:00
ashisgreat22	ecf4fe59af	Cleanup	2026-03-18 21:29:58 +01:00
ashisgreat22	e9652aaaa6	Cleanup	2026-03-18 21:27:41 +01:00
ashisgreat22	ac36befbd7	Cleanup	2026-03-18 21:26:19 +01:00
ashisgreat22	e82bbec626	Cleanup	2026-03-18 21:23:53 +01:00
ashisgreat22	1c56d477fa	Cleanup	2026-03-18 21:23:37 +01:00
ashisgreat22	e1d18c18be	Cleanup	2026-03-18 21:22:19 +01:00
ashisgreat22	1792180144	Cleanup	2026-03-18 21:20:42 +01:00
ashisgreat22	1942425605	feat(adguard): enable DoT and fix ClientID injection - Enable DNS-over-TLS (DoT) on port 853 using Nginx's ACME certificates - Fix an issue where the native NixOS module dropped SOPS client IDs - Use sops.templates and yq to inject ClientIDs dynamically before start - Enable allow_unencrypted_doh to fix Nginx proxying DoH correctly	2026-03-18 21:12:31 +01:00
ashisgreat22	5dd91f74b1	fix(adguard): resolve port 53 conflict Change AdGuard Home DNS listener to bind to 127.0.0.1:5353 to avoid conflicting with existing services on port 53, since we only expose DoH via Nginx.	2026-03-18 20:58:07 +01:00
ashisgreat22	219391bc85	refactor(adguard): migrate to native nixos service Replace the Podman container and manual YAML templating with the native NixOS module for better system integration and simpler declarative configuration.	2026-03-18 20:56:30 +01:00
ashisgreat22	7a505055f8	fix(adguard): fix string interpolation syntax error Fix a broken string concatenation that was causing a syntax error during NixOS evaluation. Co-Authored-By: Gemini CLI <noreply@google.com>	2026-03-18 20:49:31 +01:00
ashisgreat22	93bef3b301	fix(adguard): rewrite with correct lib.length syntax Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:51:53 +01:00
ashisgreat22	7bdbe767b6	fix(adguard): use lib.length instead of == for empty check Nix doesn't support == operator. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:27:47 +01:00
ashisgreat22	51e937c02f	fix(adguard): add empty clients list when no clients configured AdGuard Home fails with empty persistent list. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:27:21 +01:00
ashisgreat22	7b9b1e1909	fix(adguard): add newline before filtering section Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:26:40 +01:00
ashisgreat22	a5d1f3e136	fix(adguard): fix YAML structure - clients at correct level Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:24:37 +01:00
ashisgreat22	ce152ba2b3	fix(adguard): fix template string concatenation Properly concatenate optionalString with content. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:23:51 +01:00
ashisgreat22	294b556542	fix(adguard): handle empty clients list Only render clients section when clients are configured. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:22:58 +01:00
ashisgreat22	23696e7e79	fix(adguard): remove --cap-drop=ALL flag AdGuard Home needs capabilities to run. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:20:41 +01:00
ashisgreat22	9b1d5ede54	fix(adguard): remove --read-only flag AdGuard Home needs write access to working directory. Config file remains read-only via :ro mount. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:19:30 +01:00
ashisgreat22	1ed9acdcda	feat(modules): add AdGuard Home module with DoH and ClientID support Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:07:59 +01:00

34 commits