CRTified/adguard.nix

## adguard.nix
{ config, pkgs, lib, ... }:
let
  # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file
  baseconf = {
    bind_host = "0.0.0.0";
    bind_port = 3000;
    users = [{
      name = "dnsadmin";
      password =
        "$2a$10$.pGOj.bhC1PmGvIs1z8MVuRibYFMh5JzWeArJWKSfpFPkWhv8zL6G"; # TODO: secret
    }];
    dns = {
      # bind_hosts on next version
      bind_host = "0.0.0.0";
      port = 53;
      bootstrap_dns = "1.1.1.1";
      # List won't work here somehow
      # [
      #   "1.1.1.1"
      #   "9.9.9.10"
      #   "149.112.112.10"
      #   "2620:fe::10"
      #   "2620:fe::fe:10"
      # ];
      upstream_dns = [
        "8.8.8.8"
        "tls://1.1.1.1"
        "https://dns.cloudflare.com/dns-query"
        "https://dns10.quad9.net/dns-query"
      ];
    };
  };

  baseconfFile = pkgs.writeTextFile {
    name = "baseconf.yaml";
    text = builtins.toJSON baseconf;
    checkPhase = "${pkgs.adguardhome}/bin/adguardhome -c $out --check-config";
  };
in {
  networking.firewall = {
    allowedUDPPorts = [ baseconf.dns.port ];
    allowedTCPPorts = [ baseconf.dns.port baseconf.bind_port ];
  };

  systemd.services.adguard = {
    description = "AdGuard Home";
    wantedBy = [ "multi-user.target" ];

    preStart = ''
      if [ -e "$STATE_DIRECTORY/AdGuardHome.yaml" ]; then
        ${pkgs.yaml-merge}/bin/yaml-merge "$STATE_DIRECTORY/AdGuardHome.yaml" "${baseconfFile}" > "$STATE_DIRECTORY/AdGuardH
        mv "$STATE_DIRECTORY/AdGuardHome.yaml.tmp" "$STATE_DIRECTORY/AdGuardHome.yaml"
      else
        cp "${baseconfFile}" "$STATE_DIRECTORY/AdGuardHome.yaml"
        chmod 600 "$STATE_DIRECTORY/AdGuardHome.yaml"
      fi
    '';

    serviceConfig = {
      ExecStart = "${pkgs.adguardhome}/bin/adguardhome -w $STATE_DIRECTORY";
      DynamicUser = true;
      StateDirectory = "adguard";

      # allow binding to ports below 1024
      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
    };
  };
}
	{ config, pkgs, lib, ... }:
	let
	# https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file
	baseconf = {
	bind_host = "0.0.0.0";
	bind_port = 3000;
	users = [{
	name = "dnsadmin";
	password =
	"$2a$10$.pGOj.bhC1PmGvIs1z8MVuRibYFMh5JzWeArJWKSfpFPkWhv8zL6G"; # TODO: secret
	}];
	dns = {
	# bind_hosts on next version
	bind_host = "0.0.0.0";
	port = 53;
	bootstrap_dns = "1.1.1.1";
	# List won't work here somehow
	# [
	# "1.1.1.1"
	# "9.9.9.10"
	# "149.112.112.10"
	# "2620:fe::10"
	# "2620:fe::fe:10"
	# ];
	upstream_dns = [
	"8.8.8.8"
	"tls://1.1.1.1"
	"https://dns.cloudflare.com/dns-query"
	"https://dns10.quad9.net/dns-query"
	];
	};
	};

	baseconfFile = pkgs.writeTextFile {
	name = "baseconf.yaml";
	text = builtins.toJSON baseconf;
	checkPhase = "${pkgs.adguardhome}/bin/adguardhome -c $out --check-config";
	};
	in {
	networking.firewall = {
	allowedUDPPorts = [ baseconf.dns.port ];
	allowedTCPPorts = [ baseconf.dns.port baseconf.bind_port ];
	};

	systemd.services.adguard = {
	description = "AdGuard Home";
	wantedBy = [ "multi-user.target" ];

	preStart = ''
	if [ -e "$STATE_DIRECTORY/AdGuardHome.yaml" ]; then
	${pkgs.yaml-merge}/bin/yaml-merge "$STATE_DIRECTORY/AdGuardHome.yaml" "${baseconfFile}" > "$STATE_DIRECTORY/AdGuardH
	mv "$STATE_DIRECTORY/AdGuardHome.yaml.tmp" "$STATE_DIRECTORY/AdGuardHome.yaml"
	else
	cp "${baseconfFile}" "$STATE_DIRECTORY/AdGuardHome.yaml"
	chmod 600 "$STATE_DIRECTORY/AdGuardHome.yaml"
	fi
	'';

	serviceConfig = {
	ExecStart = "${pkgs.adguardhome}/bin/adguardhome -w $STATE_DIRECTORY";
	DynamicUser = true;
	StateDirectory = "adguard";

	# allow binding to ports below 1024
	AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
	};
	};
	}