dots/modules/services/adguardhome.nix

{ config, ... }:

{
  services.adguardhome = {
    enable = true;
    mutableSettings = false;
    extraArgs = [ "--web-addr" "0.0.0.0:3003" ];

    settings = {
      http = {
        # You can select any ip and port, just make sure to open firewalls where needed
        address = "0.0.0.0:3003";
      };

      dns = {
        bootstrap_dns = [ "1.1.1.1" ];

        upstream_dns = [
          "1.1.1.1"         # cloudflare
          "9.9.9.9"         # dns.quad9.net
          "149.112.112.112" # dns.quad9.net
        ];
      };

      querylog.enabled = false;

      filtering = {
        protection_enabled = true;
        filtering_enabled = true;

        rewrites = [
          {
            domain = "nijika.astolfo.org";
            answer = "100.105.94.30";
          }
          {
            domain = "*.nijika.astolfo.org";
            answer = "100.105.94.30";
          }
        ];
      };

      # The following notation uses map
      # to not have to manually create {enabled = true; url = "";} for every filter
      # This is, however, fully optional
      filters = map(url: { enabled = true; url = url; }) [
        "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt"  # The Big List of Hacked Malware Web Sites
        "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt"  # malicious url blocklist

        # advertising
        "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
        "https://v.firebog.net/hosts/Admiral.txt"
        "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
        "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"

        # privacy
        "https://v.firebog.net/hosts/Easyprivacy.txt"
        "https://v.firebog.net/hosts/Prigent-Ads.txt"

        # phishing
        "https://v.firebog.net/hosts/Prigent-Crypto.txt"
        "https://phishing.army/download/phishing_army_blocklist_extended.txt"

        # malware
        "https://v.firebog.net/hosts/RPiList-Malware.txt"
        "https://lists.cyberhost.uk/malware.txt"
      ];
    };
  };

  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];

  services.caddy.virtualHosts."dns.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http:/localhost:3003
    '';
  };
}