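{config, ...}:
/*
Tailscale VPN exit node plus DNS-level filtering with AdGuard Home.

The filtering is fairly restrictive: it blocks many malicious and
inappropriate sites, as well as a lot of ads. Headscale is configured but
disabled; the node uses the hosted tailscale.com control plane instead.
*/
let
  ports = import ../Cloud/Ports.nix;
in {
  services.headscale = {
    enable = false; # don't use headscale rn, just use tailscale.com
    # Only takes effect if headscale is re-enabled: it would then listen on
    # every interface, so the firewall rule for ports.headscale decides who
    # can reach the control server.
    address = "0.0.0.0";
    port = ports.headscale;
    settings = {dns.base_domain = "simatime.com";};
  };

  # Keeps the headscale package installed even while the service is disabled.
  environment.systemPackages = [config.services.headscale.package];

  services.tailscale = {
    enable = true;
    # NOTE(review): nixpkgs documents extraUpFlags as applied only when
    # services.tailscale.authKeyFile is set; none is set in this file, so
    # confirm these flags are really passed to `tailscale up`.
    extraUpFlags = [
      "--accept-dns=true"
      # Offers this host as an exit node. NOTE(review): exit-node routing
      # needs IP forwarding, which nothing in this file enables (see
      # services.tailscale.useRoutingFeatures) -- confirm it is set elsewhere.
      "--advertise-exit-node"
    ];
  };

  networking.firewall = {
    # Relaxed reverse-path filtering; presumably needed so exit-node traffic
    # is not dropped. It also weakens anti-spoofing checks on all interfaces.
    checkReversePath = "loose";
    # Everything arriving on tailscale0 bypasses the firewall, so every
    # service on this host is reachable by every device allowed onto the
    # tailnet. Tailnet ACLs are the only access control for that traffic.
    trustedInterfaces = ["tailscale0"];
    allowedUDPPorts = [config.services.tailscale.port];
  };

  services.adguardhome = {
    enable = true;
    # NOTE(review): per the nixpkgs option docs this opens the AdGuard Home
    # web (admin) interface port on all interfaces, not the DNS port. Since
    # tailscale0 is already trusted, tailnet clients do not need it; consider
    # `false` unless the admin UI must be reachable from outside the tailnet,
    # and make sure the UI has a strong password either way.
    openFirewall = true;
    settings = {
      dns = {
        # Listens on every interface. Port 53 is not opened in the firewall
        # by this file, so the resolver should only be reachable over
        # tailscale0 -- verify no other module opens 53, otherwise this
        # becomes an open resolver.
        bind_host = "0.0.0.0";
        port = 53;
        # Plain-DNS resolvers, used to look up the DoH upstream hostnames.
        bootstrap_dns = [
          "1.1.1.1"
          "8.8.8.8"
        ];
        # Client queries are forwarded over DNS-over-HTTPS.
        upstream_dns = [
          "https://dns.cloudflare.com/dns-query"
          "https://dns.google/dns-query"
        ];
        timeout = "10s";
        # Every query is sent to all upstreams, so both providers see all
        # lookups made through this resolver.
        all_servers = true;
        filtering_enabled = true;
        parental_enabled = true;
        safesearch_enabled = true;
        safe_search = {
          enabled = true;
          bing = true;
          duckduckgo = true;
          google = true;
          youtube = true;
        };
      };
      # Blocklists are downloaded from third-party URLs at runtime and are
      # not pinned, so what gets blocked (or not) is whatever the publisher
      # currently serves.
      filters = [
        {
          enabled = true;
          name = "AdGuard NSFW Filter";
          url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
        }
        {
          enabled = true;
          name = "oisd nsfw";
          url = "https://nsfw.oisd.nl/";
        }
        {
          enabled = true;
          name = "oisd big";
          url = "https://big.oisd.nl/";
        }
      ];
    };
  };
}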