feat(adguardhome): Enable encrypted DNS

hosts/greatyamada/services/_port-definitions.nix

@@ -3,6 +3,8 @@
     adguardhome = {
       dns = 53;
       http = 3001;
+      https = 4430;
+      dns_over_tls = 853;
     };
     forgejo = 3000;
     jellyfin = 8096;
@@ -24,6 +26,7 @@
     adguardhome = {
       dns = 53;
       dhcp = 67;
+      dns_over_quic = 853;
     };
     wireguard = 51820;
   };

hosts/greatyamada/services/adguardhome.nix

@@ -4,8 +4,8 @@ let
   nginxLocalServiceConfig = import ./nginx-local-config.nix;
 in {
   networking.firewall = {
-    allowedTCPPorts = with ports.tcp.adguardhome; [ dns ];
+    allowedTCPPorts = with ports.tcp.adguardhome; [ dns dns_over_tls ];
-    allowedUDPPorts = with ports.udp.adguardhome; [ dns dhcp ];
+    allowedUDPPorts = with ports.udp.adguardhome; [ dns dhcp dns_over_quic ];
   };
   services = {
     adguardhome = {
@@ -27,6 +27,15 @@ in {
           bootstrap_dns =
             [ "9.9.9.10" "149.112.112.10" "2620:fe::10" "2620:fe::fe:10" ];
         };
+        tls = {
+          enabled = true;
+          server_name = "dns.rcia.dev";
+          port_https = ports.tcp.adguardhome.https;
+          port_dns_over_tls = ports.tcp.adguardhome.dns_over_tls;
+          port_dns_over_quic = ports.udp.adguardhome.dns_over_quic;
+          certificate_path = "/var/lib/acme/rcia.dev/fullchain.pem";
+          private_key_path = "/var/lib/acme/rcia.dev/key.pem";
+        };
         dhcp = {
           enabled = true;
           interface_name = "enp5s0";
@@ -266,9 +275,10 @@ in {
     nginx.virtualHosts."dns.rcia.dev" = {
       forceSSL = true;
       locations."/".proxyPass =
-        "http://127.0.0.1:${toString ports.tcp.adguardhome.http}";
+        "https://127.0.0.1:${toString ports.tcp.adguardhome.https}";
       extraConfig = nginxLocalServiceConfig;
       useACMEHost = "rcia.dev";
     };
   };
+  users.groups.nginx.members = [ "adguardhome" ];
 }