agenix: modify Caddyfile

Signed-off-by: Myned <dev@bjork.tech>
containers: add adguardhome
2025-02-06 09:17:59 -06:00 · 2025-02-06 09:17:36 -06:00 · 2025-02-06 09:17:21 -06:00 · 2025-02-06 09:16:48 -06:00
9 changed files with 99 additions and 24 deletions
--- a/options/custom/containers/actualbudget.nix
+++ b/options/custom/containers/actualbudget.nix
@ -15,11 +15,10 @@ in {
    virtualisation.arion.projects.actualbudget.settings.services = {
      actualbudget.service = {
        container_name = "actualbudget";
-        image = "actualbudget/actual-server:24.9.0";
-        ports = ["5006:5006"];
+        image = "actualbudget/actual-server:25.2.0";
+        ports = ["127.0.0.1:5006:5006"];
        restart = "unless-stopped";
        volumes = ["${config.custom.containers.directory}/actualbudget/data:/data"];
-        # TODO: Set up trusted proxies
      };
    };
  };
--- a/options/custom/containers/adguardhome.nix
+++ b/options/custom/containers/adguardhome.nix
@ -0,0 +1,56 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.custom.containers.adguardhome;
+in {
+  options = {
+    custom.containers.adguardhome.enable = mkOption {default = false;};
+  };
+
+  config = mkIf cfg.enable {
+    #?? arion-adguardhome pull
+    environment.shellAliases.arion-adguardhome = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.adguardhome.settings.out.dockerComposeYaml}";
+
+    virtualisation.arion.projects.adguardhome.settings.services = {
+      # https://github.com/AdguardTeam/AdGuardHome
+      # https://adguard-dns.io/kb/adguard-home/overview/
+      adguardhome.service = {
+        container_name = "adguardhome";
+        image = "adguard/adguardhome:v0.107.56";
+
+        ports = [
+          "53:53" # DNS
+          "853:853" # DNS-over-TLS
+          "3003:80" # Admin panel
+          "8443:443" # DNS-over-HTTPS
+        ];
+
+        restart = "unless-stopped";
+
+        volumes = [
+          "${config.custom.containers.directory}/adguardhome/config:/opt/adguardhome/conf"
+          "${config.custom.containers.directory}/adguardhome/data:/opt/adguardhome/data"
+        ];
+      };
+    };
+
+    # https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption
+    networking.firewall = {
+      allowedTCPPorts = [
+        853 # DNS-over-TLS
+      ];
+
+      allowedUDPPorts = [
+        53 # DNS
+      ];
+    };
+
+    # https://adguard-dns.io/kb/adguard-home/faq/#bindinuse
+    services.resolved.extraConfig = ''
+      DNSStubListener=false
+    '';
+  };
+}
--- a/options/custom/containers/coturn.nix
+++ b/options/custom/containers/coturn.nix
@ -46,5 +46,25 @@ in {
        };
      };
    };
+
+    networking.firewall = {
+      allowedTCPPorts = [
+        3478 # TURN
+        5349 # TURN
+      ];
+
+      allowedUDPPorts = [
+        3478 # TURN
+        5349 # TURN
+      ];
+
+      allowedUDPPortRanges = [
+        {
+          # TURN
+          from = 49152;
+          to = 65535;
+        }
+      ];
+    };
  };
 }
--- a/options/custom/containers/oryx.nix
+++ b/options/custom/containers/oryx.nix
@ -38,5 +38,16 @@ in {
        volumes = ["${config.custom.containers.directory}/oryx/data:/data"];
      };
    };
+
+    networking.firewall = {
+      allowedTCPPorts = [
+        1935 # RTMP
+      ];
+
+      allowedUDPPorts = [
+        8000 # WebRTC
+        10080 # SRT
+      ];
+    };
  };
 }
--- a/options/custom/containers/owncast.nix
+++ b/options/custom/containers/owncast.nix
@ -25,5 +25,11 @@ in {
        ];
      };
    };
+
+    networking.firewall = {
+      allowedTCPPorts = [
+        1935 # RTMP
+      ];
+    };
  };
 }
--- a/options/custom/services/caddy.nix
+++ b/options/custom/services/caddy.nix
@ -54,29 +54,9 @@ in {
    # https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
    # https://element-hq.github.io/synapse/latest/turn-howto.html
    networking.firewall = {
-      enable = true;
-
      allowedTCPPorts = [
        80 # HTTP
        443 # HTTPS
-        1935 # RTMP
-        3478 # TURN
-        5349 # TURN
-      ];
-
-      allowedUDPPorts = [
-        3478 # TURN
-        5349 # TURN
-        8000 # WebRTC
-        10080 # SRT
-      ];
-
-      allowedUDPPortRanges = [
-        {
-          # TURN
-          from = 49152;
-          to = 65535;
-        }
      ];
    };
  };
--- a/options/custom/settings/networking.nix
+++ b/options/custom/settings/networking.nix
@ -9,6 +9,7 @@ in {
  options.custom.settings.networking = {
    enable = mkOption {default = false;};
    dns = mkOption {default = config.custom.default;};
+    firewall = mkOption {default = config.custom.default;};
    ipv4 = mkOption {default = null;};
    ipv6 = mkOption {default = null;};
    networkd = mkOption {default = !cfg.networkmanager;};
@ -30,6 +31,7 @@ in {
    # https://wiki.nixos.org/wiki/Networking
    networking = {
      hostName = config.custom.hostname;
+      firewall.enable = cfg.firewall;
      useNetworkd = cfg.networkd;
      wireless.iwd.enable = cfg.wifi;

--- a/profiles/server/default.nix
+++ b/profiles/server/default.nix
@ -10,7 +10,8 @@
    containers = {
      enable = true;
      boot = true;
-      #// actualbudget.enable = true;
+      actualbudget.enable = true;
+      adguardhome.enable = true;
      conduwuit.enable = true;
      coturn.enable = true;
      forgejo.enable = true;
--- a/secrets/server/caddy/Caddyfile
+++ b/secrets/server/caddy/Caddyfile
Author	SHA1	Message	Date
Myned	2e55702e49	agenix: modify Caddyfile Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 09:17:59 -06:00
Myned	6ecc998463	containers: add adguardhome Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 09:17:36 -06:00
Myned	c001a1df24	firewall: separate into module requirements Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 09:17:21 -06:00
Myned	748a167200	containers: enable actualbudget Signed-off-by: Myned <dev@bjork.tech>	2025-02-06 09:16:48 -06:00