nixos/services/adguard.nix

# services/adguard.nix — AdGuard Home network-wide DNS ad blocker
{ config, lib, pkgs, ... }:
{
  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {

    services.adguardhome = {
      enable = true;
      # Web UI bound to localhost; nginx reverse-proxies at adguard.nordhammer.it
      host = "127.0.0.1";
      port = 3000;
      # Nix is authoritative: settings below overwrite UI-made changes on rebuild
      mutableSettings = false;
      settings = {
        dns = {
          bind_hosts = [ "0.0.0.0" ];
          port = 53;
          # Query all upstreams in parallel; take the fastest response
          upstream_mode = "parallel";
          # Mix of DoH (encrypted) and plain UDP (low-latency) upstreams
          upstream_dns = [
            "https://dns.cloudflare.com/dns-query"
            "https://dns.quad9.net/dns-query"
            "1.1.1.1"
            "9.9.9.9"
          ];
          bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ];
          cache_size = 4194304;
          cache_ttl_min = 60;
        };
        filters = [
          { enabled = true; id = 1; name = "AdGuard DNS filter";
            url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; }
          { enabled = true; id = 2; name = "AdAway Default Blocklist";
            url = "https://adaway.org/hosts.txt"; }
          { enabled = true; id = 3; name = "OISD Big";
            url = "https://big.oisd.nl/"; }
        ];
        # Resolve our own hostnames to the router's LAN IP so LAN clients
        # bypass any NAT reflection. `enabled` was added in AdGuard's recent
        # schema and defaults to false — must be set explicitly.
        filtering.rewrites = [
          { domain = "nordhammer.it";   answer = "10.0.0.1"; enabled = true; }
          { domain = "*.nordhammer.it"; answer = "10.0.0.1"; enabled = true; }
        ];
      };
    };

    # LAN DNS — router blocks WAN:53 so this is effectively LAN-only
    networking.firewall.allowedTCPPorts = [ 53 ];
    networking.firewall.allowedUDPPorts = [ 53 ];
  };
}
Add AdGuard Home for network-wide DNS ad blocking New services/adguard.nix runs AdGuard Home on the mediaserver with DoH upstreams (Cloudflare + Quad9) and three default blocklists. DNS listens on :53; web UI on 127.0.0.1:3000, reverse-proxied at adguard.nordhammer.it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 13:40:30 +01:00			`# services/adguard.nix — AdGuard Home network-wide DNS ad blocker`
			`{ config, lib, pkgs, ... }:`
			`{`
			`config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {`

			`services.adguardhome = {`
			`enable = true;`
			`# Web UI bound to localhost; nginx reverse-proxies at adguard.nordhammer.it`
			`host = "127.0.0.1";`
			`port = 3000;`
Make AdGuard settings authoritative; add busybox; drop fallback DNS - services/adguard.nix: mutableSettings = false so Nix config overrides UI-made changes on rebuild (settings are the source of truth) - common.nix: add busybox for its collection of handy utilities - common.nix: remove networking.nameservers — DNS now comes purely from per-host NetworkManager config (AdGuard as the only resolver, no leaks) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 19:57:55 +01:00			`# Nix is authoritative: settings below overwrite UI-made changes on rebuild`
			`mutableSettings = false;`
Add AdGuard Home for network-wide DNS ad blocking New services/adguard.nix runs AdGuard Home on the mediaserver with DoH upstreams (Cloudflare + Quad9) and three default blocklists. DNS listens on :53; web UI on 127.0.0.1:3000, reverse-proxied at adguard.nordhammer.it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 13:40:30 +01:00			`settings = {`
			`dns = {`
			`bind_hosts = [ "0.0.0.0" ];`
			`port = 53;`
adguard: parallel upstreams + plain UDP fallbacks for speed DoH-only sequential upstreams made first-time lookups slow. Add plain UDP 1.1.1.1/9.9.9.9 alongside DoH and set upstream_mode=parallel so AdGuard queries all four simultaneously and uses the fastest response. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 14:04:24 +01:00			`# Query all upstreams in parallel; take the fastest response`
			`upstream_mode = "parallel";`
			`# Mix of DoH (encrypted) and plain UDP (low-latency) upstreams`
Add AdGuard Home for network-wide DNS ad blocking New services/adguard.nix runs AdGuard Home on the mediaserver with DoH upstreams (Cloudflare + Quad9) and three default blocklists. DNS listens on :53; web UI on 127.0.0.1:3000, reverse-proxied at adguard.nordhammer.it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 13:40:30 +01:00			`upstream_dns = [`
			`"https://dns.cloudflare.com/dns-query"`
			`"https://dns.quad9.net/dns-query"`
adguard: parallel upstreams + plain UDP fallbacks for speed DoH-only sequential upstreams made first-time lookups slow. Add plain UDP 1.1.1.1/9.9.9.9 alongside DoH and set upstream_mode=parallel so AdGuard queries all four simultaneously and uses the fastest response. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 14:04:24 +01:00			`"1.1.1.1"`
			`"9.9.9.9"`
Add AdGuard Home for network-wide DNS ad blocking New services/adguard.nix runs AdGuard Home on the mediaserver with DoH upstreams (Cloudflare + Quad9) and three default blocklists. DNS listens on :53; web UI on 127.0.0.1:3000, reverse-proxied at adguard.nordhammer.it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 13:40:30 +01:00			`];`
			`bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ];`
			`cache_size = 4194304;`
			`cache_ttl_min = 60;`
			`};`
			`filters = [`
			`{ enabled = true; id = 1; name = "AdGuard DNS filter";`
			`url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; }`
			`{ enabled = true; id = 2; name = "AdAway Default Blocklist";`
			`url = "https://adaway.org/hosts.txt"; }`
			`{ enabled = true; id = 3; name = "OISD Big";`
			`url = "https://big.oisd.nl/"; }`
			`];`
router: phase-2 cleanup + camera DHCP reservation - trustedLegacyCidrs now empty; eno1 is strictly WAN - AdGuard rewrite retargets nordhammer.it → 10.0.0.1 (the new router IP) - dnsmasq pins the bedroom camera (f0:a7:31:6c:50:4b) to 10.0.0.39 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 10:52:11 +01:00			`# Resolve our own hostnames to the router's LAN IP so LAN clients`
adguard: explicitly enable LAN rewrites (schema change on stable) AdGuard's recent config schema added an enabled flag on each rewrite that defaults to false. Without it, the *.nordhammer.it -> 10.0.0.1 rules were silently disabled, so LAN clients resolved their own domains to the public DDNS IP and tripped over NAT loopback. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-29 18:56:11 +01:00			# bypass any NAT reflection. `enabled` was added in AdGuard's recent
			`# schema and defaults to false — must be set explicitly.`
router: expose forwarded ports on eno1; AdGuard rewrite for LAN hostname - Input chain now accepts WAN traffic for every port in ports.toml so external access (SSH, HTTP, HTTPS, game ports) works through the eero's upstream port forwards during phase 1, and via our own DNAT in phase 2. - Add AdGuard DNS rewrite nordhammer.it → 192.168.4.25 so LAN clients hit the mediaserver directly instead of relying on eero hairpin NAT. Target changes to 10.0.0.1 at phase 2 cutover. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 10:22:56 +01:00			`filtering.rewrites = [`
adguard: explicitly enable LAN rewrites (schema change on stable) AdGuard's recent config schema added an enabled flag on each rewrite that defaults to false. Without it, the *.nordhammer.it -> 10.0.0.1 rules were silently disabled, so LAN clients resolved their own domains to the public DDNS IP and tripped over NAT loopback. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-29 18:56:11 +01:00			`{ domain = "nordhammer.it"; answer = "10.0.0.1"; enabled = true; }`
			`{ domain = "*.nordhammer.it"; answer = "10.0.0.1"; enabled = true; }`
router: expose forwarded ports on eno1; AdGuard rewrite for LAN hostname - Input chain now accepts WAN traffic for every port in ports.toml so external access (SSH, HTTP, HTTPS, game ports) works through the eero's upstream port forwards during phase 1, and via our own DNAT in phase 2. - Add AdGuard DNS rewrite nordhammer.it → 192.168.4.25 so LAN clients hit the mediaserver directly instead of relying on eero hairpin NAT. Target changes to 10.0.0.1 at phase 2 cutover. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 10:22:56 +01:00			`];`
Add AdGuard Home for network-wide DNS ad blocking New services/adguard.nix runs AdGuard Home on the mediaserver with DoH upstreams (Cloudflare + Quad9) and three default blocklists. DNS listens on :53; web UI on 127.0.0.1:3000, reverse-proxied at adguard.nordhammer.it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 13:40:30 +01:00			`};`
			`};`

			`# LAN DNS — router blocks WAN:53 so this is effectively LAN-only`
			`networking.firewall.allowedTCPPorts = [ 53 ];`
			`networking.firewall.allowedUDPPorts = [ 53 ];`
			`};`
			`}`