From cfdb0d1714494ff363a71d89c7dda7482a2f859c Mon Sep 17 00:00:00 2001
From: Ben Sima <ben@bsima.me>
Date: Tue, 25 Feb 2025 10:31:25 -0500
Subject: DNS filtering with AdGuard

This was actually really easy to set up (with the help of Claude) and now I can
block bad sites on my tailnet. And no more ads either, haha the web is readable
again.
---
 Omni/Dev/Vpn.nix | 76 +++++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 64 insertions(+), 12 deletions(-)


diff --git a/Omni/Dev/Vpn.nix b/Omni/Dev/Vpn.nix
index a8a1f3c..7172d84 100644
--- a/Omni/Dev/Vpn.nix
+++ b/Omni/Dev/Vpn.nix
@@ -1,30 +1,82 @@
-{config, ...}: let
+{config, ...}:
+/*
+This module defines the VPN server using tailscale and a DNS-level filtering
+service with AdGuard. It's fairly restrictive, but blocks lots of malicious and
+inappropriate sites, as well as a ton of ads.
+*/
+let
   ports = import ../Cloud/Ports.nix;
   domain = "headscale.simatime.com";
 in {
   services.headscale = {
-    enable = true;
+    enable = false; # don't use headscale rn, just use tailscale.com
     address = "0.0.0.0";
     port = ports.headscale;
     settings = {dns.base_domain = "simatime.com";};
   };
 
-  services.nginx.virtualHosts.${domain} = {
-    forceSSL = true;
-    enableAcme = true;
-    locations."/" = {
-      proxyPass = "http://localhost:${toString ports.headscale}";
-      proxyWebsockets = true;
-    };
-  };
-
   environment.systemPackages = [config.services.headscale.package];
 
-  services.tailscale.enable = true;
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [
+      "--accept-dns=true"
+      "--advertise-exit-node"
+    ];
+  };
 
   networking.firewall = {
     checkReversePath = "loose";
     trustedInterfaces = ["tailscale0"];
     allowedUDPPorts = [config.services.tailscale.port];
   };
+
+  services.adguardhome = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      dns = {
+        bind_host = "0.0.0.0";
+        port = 53;
+        bootstrap_dns = [
+          "1.1.1.1"
+          "8.8.8.8"
+        ];
+        upstream_dns = [
+          "https://dns.cloudflare.com/dns-query"
+          "https://dns.google/dns-query"
+        ];
+        timeout = "10s";
+        all_servers = true;
+        filtering_enabled = true;
+        parental_enabled = true;
+        safesearch_enabled = true;
+        safe_search = {
+          enabled = true;
+          bing = true;
+          duckduckgo = true;
+          google = true;
+          youtube = true;
+        };
+      };
+
+      filters = [
+        {
+          enabled = true;
+          name = "AdGuard NSFW Filter";
+          url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
+        }
+        {
+          enabled = true;
+          name = "oisd nsfw";
+          url = "https://nsfw.oisd.nl/";
+        }
+        {
+          enabled = true;
+          name = "oisd big";
+          url = "https://big.oisd.nl/";
+        }
+      ];
+    };
+  };
 }
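Review bot: `openFirewall = true;` in the new `services.adguardhome` block opens AdGuard's listening port on every interface, although `networking.firewall.trustedInterfaces = ["tailscale0"]` already lets tailnet clients reach both the resolver and the admin UI without it; as far as I recall the NixOS module's `openFirewall` opens the web-interface port rather than 53, which would expose the admin console (and its unauthenticated first-run setup, since no users are configured in `settings`) on the public interface of a host that is also advertised as an exit node. Dropping that line keeps everything tailnet-only via `trustedInterfaces`; if the UI must be reachable from elsewhere, scope it with `networking.firewall.interfaces.<iface>.allowedTCPPorts` rather than a global open. For defence in depth, `bind_host = "0.0.0.0";` could become the host's tailscale address so port 53 is not an open resolver even if the firewall is later relaxed. A comment on the listening lines would make the intent reviewable, e.g. `# reachable only over the tailnet: tailscale0 is a trusted interface, nothing is opened publicly`.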
-- 