feat: adguard home + powerdns plz (#100)

* hack

* feat: adguard + powerdns

---------

Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>

README.md

@@ -10,6 +10,8 @@
 
 Leveraging nix, nix-os and other funny magic man words to apply machine and home configurations
 
+[Repository Documentation](https://truxnell.github.io/nix-config/)
+
 ## Background
 
 Having used a variety of infracture as code solutions - and having found them lacking in some areas, it is time to give nix a go.

docs/monitoring/zed.md

@@ -0,0 +1,6 @@
+Zed monitoring can also send to pushover!
+
+<figure markdown="span">
+![Alt text](../includes/assets/zed_alert.png)
+  <figcaption>Come on these drives are hardly 12months old</figcaption>
+</figure>

docs/motd.md

@@ -11,7 +11,7 @@ Code TLDR
 
 :simple-github:[/nixos/modules/nixos/system/motd](https://github.com/truxnell/nix-config/blob/462144babe7e7b2a49a985afe87c4b2f1fa8c3f9/nixos/modules/nixos/system/motd/default.nix])
 
-Write a shell script using nix with a bash motd
+Write a shell script using nix with a bash motd of your choosing.
 
 ```nix
 let

nixos/hosts/dns01/default.nix

@@ -14,13 +14,22 @@
   mySystem.services = {
 
     openssh.enable = true;
-    maddy.enable = true;
-    dnscrypt-proxy.enable = true;
     cfDdns.enable = true;
-    bind.enable = true;
-
+    powerdns = {
+      enable = true;
+      admin-ui = false;
+    };
+    adguardhome.enable = true;
   };
 
+  # no mutable state I care about
+  mySystem.system.resticBackup =
+    {
+      local.enable = false;
+      remote.enable = false;
+    };
+
+
   networking.hostName = "dns01"; # Define your hostname.
   networking.useDHCP = lib.mkDefault true;
 

nixos/hosts/dns02/default.nix

@@ -14,11 +14,22 @@
   mySystem.services = {
 
     openssh.enable = true;
-    dnscrypt-proxy.enable = true;
     cfDdns.enable = true;
-    bind.enable = true;
+    powerdns = {
+      enable = true;
+      admin-ui = false;
+    };
+    adguardhome.enable = true;
   };
 
+  # no mutable state I care about
+  mySystem.system.resticBackup =
+    {
+      local.enable = false;
+      remote.enable = false;
+    };
+
+
   networking.hostName = "dns02"; # Define your hostname.
   networking.useDHCP = lib.mkDefault true;
 

nixos/hosts/durandal/default.nix

@@ -14,14 +14,15 @@
 
     gatus.enable = true;
     homepage.enable = true;
-    backrest.enable = true;
+    # backrest.enable = true;
 
     plex.enable = true;
     tautulli.enable = true;
     syncthing.enable = true;
 
 
   };
+  mySystem.system.systemd.pushover-alerts.enable = false;
 
   mySystem.nfs.nas.enable = true;
   mySystem.persistentFolder = "/persistent";

nixos/modules/nixos/services/adguardhome/default.nix

@@ -0,0 +1,90 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+  cfg = config.mySystem.services.adguardhome;
+  port = 53;
+  port_webui = 3000;
+in
+{
+  options.mySystem.services.adguardhome = {
+    enable = mkEnableOption "Adguard Home";
+    openFirewall = mkEnableOption "Open firewall for ${app}" // {
+      default = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    services.adguardhome = {
+      enable = true;
+
+      mutableSettings = false;
+      settings = {
+        bind_host = "0.0.0.0";
+        bind_port = port_webui;
+        auth_attempts = 3;
+        block_auth_min = 3600;
+        dns = {
+          bind_host = "127.0.0.1";
+          port = port;
+          upstream_dns = [
+            "https://dns10.quad9.net/dns-query"
+            "https://doh.mullvad.net/dns-query"
+          ];
+          fallback_dns = [ "https://dns.cloudflare.com/dns-query" ];
+          bootstrap_dns = [
+            # quad9
+            "9.9.9.10"
+            "149.112.112.10"
+            "2620:fe::10"
+            "2620:fe::fe:10"
+            # cloudflare
+            "1.1.1.1"
+            "2606:4700:4700::1111"
+          ];
+          upstream_mode = "load_balance";
+          cache_size = 4194304;
+          cache_ttl_min = 60;
+          cache_optimistic = true;
+          use_private_ptr_resolvers = true;
+          local_ptr_upstreams = [ "localhost:5353" ];
+
+          rewrites = [{
+            domain = "*.${config.networking.domain}";
+            answer = "10.8.10.1"; # UDMP router
+          }];
+
+          filters = [
+            {
+              name = "AdGuard DNS filter";
+              url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
+              enabled = true;
+            }
+            {
+              name = "AdAway Default Blocklist";
+              url = "https://adaway.org/hosts.txt";
+              enabled = true;
+            }
+            {
+              name = "OISD (Big)";
+              url = "https://big.oisd.nl";
+              enabled = true;
+            }
+          ];
+        };
+      };
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+
+      allowedTCPPorts = [ port port_webui ];
+      allowedUDPPorts = [ port port_webui ];
+
+    };
+
+  };
+}

nixos/modules/nixos/services/bind/default.nix

@@ -88,19 +88,14 @@ in
           10.5.0.0/24;    # CONTAINERS
         };
 
-        key "tsig-key" {
-                algorithm hmac-sha512;
-                secret "iZhi4kaPJBvqxyW73aKYRnNy5e7N2A+7WczxAMcCvDl8QpAc0HFjfI1Q+0g1SBUQBZXqAvGFViegPsK9lZ3bkA==";
-        };
-
         zone "trux.dev." {
           type master;
           file "${config.sops.secrets."system/networking/bind/trux.dev".path}";
           allow-transfer {
-          tsig-key;
+
         };
           update-policy {
-            grant tsig-key zonesub ANY;
+
           };
           allow-query { any; };