From dffd0593a7213de6a7badd90ad09bac21a68e988 Mon Sep 17 00:00:00 2001
From: Avery
Date: Sat, 23 Aug 2025 23:25:18 +0000
Subject: [PATCH] feat(adguardhome): Enable encrypted DNS

---
 hosts/greatyamada/services/_port-definitions.nix | 3 +++
 hosts/greatyamada/services/adguardhome.nix | 16 +++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/hosts/greatyamada/services/_port-definitions.nix b/hosts/greatyamada/services/_port-definitions.nix
index 67957e5..a35dc49 100644
--- a/hosts/greatyamada/services/_port-definitions.nix
+++ b/hosts/greatyamada/services/_port-definitions.nix
@@ -3,6 +3,8 @@
     adguardhome = {
       dns = 53;
       http = 3001;
+      https = 4430;
+      dns_over_tls = 853;
     };
     forgejo = 3000;
     jellyfin = 8096;
@@ -24,6 +26,7 @@
     adguardhome = {
       dns = 53;
       dhcp = 67;
+      dns_over_quic = 853;
     };
     wireguard = 51820;
   };
diff --git a/hosts/greatyamada/services/adguardhome.nix b/hosts/greatyamada/services/adguardhome.nix
index f5c0fe8..f729822 100644
--- a/hosts/greatyamada/services/adguardhome.nix
+++ b/hosts/greatyamada/services/adguardhome.nix
@@ -4,8 +4,8 @@ let
   nginxLocalServiceConfig = import ./nginx-local-config.nix;
 in {
   networking.firewall = {
-    allowedTCPPorts = with ports.tcp.adguardhome; [ dns ];
-    allowedUDPPorts = with ports.udp.adguardhome; [ dns dhcp ];
+    allowedTCPPorts = with ports.tcp.adguardhome; [ dns dns_over_tls ];
+    allowedUDPPorts = with ports.udp.adguardhome; [ dns dhcp dns_over_quic ];
   };
   services = {
     adguardhome = {
@@ -27,6 +27,15 @@ in {
         bootstrap_dns = [ "9.9.9.10" "149.112.112.10" "2620:fe::10" "2620:fe::fe:10" ];
       };
+      tls = {
+        enabled = true;
+        server_name = "dns.rcia.dev";
+        port_https = ports.tcp.adguardhome.https;
+        port_dns_over_tls = ports.tcp.adguardhome.dns_over_tls;
+        port_dns_over_quic = ports.udp.adguardhome.dns_over_quic;
+        certificate_path = "/var/lib/acme/rcia.dev/fullchain.pem";
+        private_key_path = "/var/lib/acme/rcia.dev/key.pem";
+      };
       dhcp = {
         enabled = true;
         interface_name = "enp5s0";
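Review bot: The new `tls` block points AdGuard Home at the ACME files under /var/lib/acme/rcia.dev/, but nothing in the commit ties the service to certificate renewal, so after each renewal the DoT/DoQ/DoH listeners will keep presenting the previous certificate until the service happens to restart (unless the daemon re-reads the files on its own, which this hunk does not establish). Adding `security.acme.certs."rcia.dev".reloadServices = [ "adguardhome.service" ];` next to this consumer makes renewals propagate. `server_name = "dns.rcia.dev"` also duplicates the literal used for the nginx virtual host further down the file; binding both to a single `let` name would keep them from drifting apart. The enclosing `adguardhome` attribute set starts and ends outside the hunk.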
@@ -266,9 +275,10 @@ in {
     nginx.virtualHosts."dns.rcia.dev" = {
       forceSSL = true;
       locations."/".proxyPass =
-        "http://127.0.0.1:${toString ports.tcp.adguardhome.http}";
+        "https://127.0.0.1:${toString ports.tcp.adguardhome.https}";
       extraConfig = nginxLocalServiceConfig;
       useACMEHost = "rcia.dev";
     };
   };
+  users.groups.nginx.members = [ "adguardhome" ];
 }
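Review bot: `users.groups.nginx.members = [ "adguardhome" ];` gives the AdGuard Home user read access to everything that is group-readable by nginx, presumably including the rcia.dev private key the `tls` block above reads; that appears to be the intent, but the coupling is invisible here and deserves a comment such as `# adguardhome reads the rcia.dev ACME cert/key via the nginx group` so a later refactor of the cert group does not silently break DoT/DoQ. The `proxyPass` switch to `https://127.0.0.1:…` re-encrypts a loopback hop without authenticating the backend, since nginx does not check the upstream certificate unless `proxy_ssl_verify on` is set; if the motivation is serving DoH through the proxy rather than transport security, say so in a comment, because the reason is not recoverable from the hunk. This hunk closes the top-level attribute set; the rest of the file is outside it.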