configurations/nixos/defiant/configuration.nix

@@ -109,6 +109,13 @@
         };
       };
     };
+    # home-assistant = {
+    #   enable = false;
+    #   subdomain = "home";
+    # };
+    adguardhome = {
+      enable = false;
+    };
   };
 
   systemd.network = {

modules/nixos-modules/server/adguardhome.nix

@@ -0,0 +1,72 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  dnsPort = 53;
+in {
+  options.host.adguardhome = {
+    enable = lib.mkEnableOption "should ad guard home be enabled on this computer";
+    directory = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/AdGuardHome/";
+    };
+  };
+  config = lib.mkIf config.host.adguardhome.enable (lib.mkMerge [
+    {
+      services.adguardhome = {
+        enable = true;
+        mutableSettings = false;
+        settings = {
+          dns = {
+            bootstrap_dns = [
+              "1.1.1.1"
+              "9.9.9.9"
+            ];
+            upstream_dns = [
+              "dns.quad9.net"
+            ];
+          };
+          filtering = {
+            protection_enabled = true;
+            filtering_enabled = true;
+
+            parental_enabled = false; # Parental control-based DNS requests filtering.
+            safe_search = {
+              enabled = false; # Enforcing "Safe search" option for search engines, when possible.
+            };
+          };
+          # The following notation uses map
+          # to not have to manually create {enabled = true; url = "";} for every filter
+          # This is, however, fully optional
+          filters =
+            map (url: {
+              enabled = true;
+              url = url;
+            }) [
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
+            ];
+        };
+      };
+
+      networking.firewall.allowedTCPPorts = [
+        dnsPort
+      ];
+    }
+    (lib.mkIf config.host.impermanence.enable {
+      environment.persistence."/persist/system/root" = {
+        enable = true;
+        hideMounts = true;
+        directories = [
+          {
+            directory = config.host.adguardhome.directory;
+            user = "adguardhome";
+            group = "adguardhome";
+          }
+        ];
+      };
+    })
+  ]);
+}

modules/nixos-modules/server/default.nix

@@ -9,6 +9,7 @@
     ./forgejo.nix
     ./searx.nix
     ./home-assistant.nix
+    ./adguardhome.nix
     ./immich.nix
     ./qbittorent.nix
   ];

modules/nixos-modules/server/fail2ban.nix

@@ -61,16 +61,16 @@ in {
             bantime = 600;
             maxretry = 5;
           };
-          home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
+          # home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
-            enabled = true;
+          #   enabled = true;
-            filter = "hass";
+          #   filter = "hass";
-            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+          #   action = ''iptables-multiport[name=HTTP, port="http,https"]'';
-            logpath = "${config.services.home-assistant.configDir}/*.log";
+          #   logpath = "${config.services.home-assistant.configDir}/*.log";
-            backend = "auto";
+          #   backend = "auto";
-            findtime = 600;
+          #   findtime = 600;
-            bantime = 600;
+          #   bantime = 600;
-            maxretry = 5;
+          #   maxretry = 5;
-          };
+          # };
           # TODO; figure out if there is any fail2ban things we can do on searx
           # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
         };