diff --git a/services/adguard/AdGuardHome.yaml b/services/adguard/AdGuardHome.yaml
new file mode 100644
index 0000000..07a7e8a
--- /dev/null
+++ b/services/adguard/AdGuardHome.yaml
@@ -0,0 +1,241 @@
+http:
+ pprof:
+ port: 6060
+ enabled: false
+ address: 0.0.0.0:3000
+ session_ttl: 720h
+users:
+ - name: admin
+ password: $2a$10$ab535t6Ac8mJXgGpb4fve.uztgcMxsmKzYe9cSop0oZdkE9ZQyfvO
+auth_attempts: 5
+block_auth_min: 15
+http_proxy: ""
+language: nl
+theme: auto
+dns:
+ bind_hosts:
+ - 0.0.0.0
+ port: 53
+ anonymize_client_ip: false
+ ratelimit: 20
+ ratelimit_subnet_len_ipv4: 24
+ ratelimit_subnet_len_ipv6: 56
+ ratelimit_whitelist: []
+ refuse_any: true
+ upstream_dns:
+ - https://dns10.quad9.net/dns-query
+ upstream_dns_file: ""
+ bootstrap_dns:
+ - 9.9.9.10
+ - 149.112.112.10
+ - 2620:fe::10
+ - 2620:fe::fe:10
+ fallback_dns: []
+ upstream_mode: load_balance
+ fastest_timeout: 1s
+ allowed_clients: []
+ disallowed_clients: []
+ blocked_hosts:
+ - version.bind
+ - id.server
+ - hostname.bind
+ trusted_proxies:
+ - 127.0.0.0/8
+ - ::1/128
+ cache_enabled: true
+ cache_size: 4194304
+ cache_ttl_min: 0
+ cache_ttl_max: 0
+ cache_optimistic: false
+ bogus_nxdomain: []
+ aaaa_disabled: false
+ enable_dnssec: false
+ edns_client_subnet:
+ custom_ip: ""
+ enabled: false
+ use_custom: false
+ max_goroutines: 300
+ handle_ddr: true
+ ipset: []
+ ipset_file: ""
+ bootstrap_prefer_ipv6: false
+ upstream_timeout: 10s
+ private_networks: []
+ use_private_ptr_resolvers: true
+ local_ptr_upstreams: []
+ use_dns64: false
+ dns64_prefixes: []
+ serve_http3: false
+ use_http3_upstreams: false
+ serve_plain_dns: true
+ hostsfile_enabled: true
+ pending_requests:
+ enabled: true
+tls:
+ enabled: false
+ server_name: goofjes.nl
+ force_https: false
+ port_https: 443
+ port_dns_over_tls: 784
+ port_dns_over_quic: 853
+ port_dnscrypt: 0
+ dnscrypt_config_file: ""
+ allow_unencrypted_doh: false
+ certificate_chain: ""
+ private_key: ""
+ certificate_path: ""
+ private_key_path: ""
+ strict_sni_check: false
+querylog:
+ dir_path: ""
+ ignored: []
+ interval: 168h
+ size_memory: 1000
+ enabled: true
+ file_enabled: true
+statistics:
+ dir_path: ""
+ ignored: []
+ interval: 24h
+ enabled: true
+filters:
+ - enabled: true
+ url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
+ name: AdGuard DNS filter
+ id: 1
+ - enabled: false
+ url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
+ name: AdAway Default Blocklist
+ id: 2
+ - enabled: true
+ url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_46.txt
+ name: HaGeZi's Anti-Piracy Blocklist
+ id: 1742420828
+ - enabled: true
+ url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt
+ name: HaGeZi's Gambling Blocklist
+ id: 1742420829
+ - enabled: true
+ url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_54.txt
+ name: HaGeZi's DynDNS Blocklist
+ id: 1742420830
+ - enabled: true
+ url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_18.txt
+ name: Phishing Army
+ id: 1742420831
+ - enabled: true
+ url: https://v.firebog.net/hosts/Prigent-Adult.txt
+ name: Adult
+ id: 1742420833
+ - enabled: true
+ url: https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list
+ name: Porno
+ id: 1742422101
+whitelist_filters: []
+user_rules: []
+dhcp:
+ enabled: true
+ interface_name: eth0
+ local_domain_name: lan
+ dhcpv4:
+ gateway_ip: 192.168.2.254
+ subnet_mask: 255.255.255.0
+ range_start: 192.168.2.100
+ range_end: 192.168.2.200
+ lease_duration: 86400
+ icmp_timeout_msec: 1000
+ options: []
+ dhcpv6:
+ range_start: ""
+ lease_duration: 86400
+ ra_slaac_only: false
+ ra_allow_slaac: false
+filtering:
+ blocking_ipv4: ""
+ blocking_ipv6: ""
+ blocked_services:
+ schedule:
+ time_zone: UTC
+ ids:
+ - 4chan
+ - 500px
+ - amino
+ - betano
+ - bigo_live
+ - canais_globo
+ - directvgo
+ - globoplay
+ - hbomax
+ - hulu
+ - iheartradio
+ - iqiyi
+ - kakaotalk
+ - kook
+ - lazada
+ - line
+ - looke
+ - mail_ru
+ - mercado_libre
+ - ok
+ - rakuten_viki
+ - riot_games
+ - samsung_tv_plus
+ - tidal
+ - tiktok
+ - tinder
+ - valorant
+ - vk
+ - wargaming
+ - wechat
+ - weibo
+ - xiaohongshu
+ - yy
+ - zhihu
+ protection_disabled_until: null
+ safe_search:
+ enabled: true
+ bing: true
+ duckduckgo: true
+ ecosia: true
+ google: true
+ pixabay: true
+ yandex: true
+ youtube: true
+ blocking_mode: default
+ parental_block_host: family-block.dns.adguard.com
+ safebrowsing_block_host: standard-block.dns.adguard.com
+ rewrites: []
+ safe_fs_patterns:
+ - /opt/adguardhome/work/userfilters/*
+ safebrowsing_cache_size: 1048576
+ safesearch_cache_size: 1048576
+ parental_cache_size: 1048576
+ cache_time: 30
+ filters_update_interval: 24
+ blocked_response_ttl: 10
+ filtering_enabled: true
+ parental_enabled: true
+ safebrowsing_enabled: false
+ protection_enabled: true
+clients:
+ runtime_sources:
+ whois: true
+ arp: true
+ rdns: true
+ dhcp: true
+ hosts: true
+ persistent: []
+log:
+ enabled: true
+ file: ""
+ max_backups: 0
+ max_size: 100
+ max_age: 3
+ compress: false
+ local_time: false
+ verbose: false
+os:
+ group: ""
+ user: ""
+ rlimit_nofile: 0
+schema_version: 30
\ No newline at end of file
diff --git a/services/adguard/service.toml b/services/adguard/service.toml
new file mode 100644
index 0000000..8878137
--- /dev/null
+++ b/services/adguard/service.toml
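Review bot: `http.address: 0.0.0.0:3000` binds the admin UI to port 3000 inside the container, but the accompanying service.toml publishes container port 8080 to host 8888 (and the firewall opens 8888), so once this config is loaded the UI is not reachable through the published port; either change this to `address: 0.0.0.0:8080` or publish container port 3000. In the `tls:` block `port_dns_over_tls: 784` and `port_dns_over_quic: 853` are the reverse of what the service maps (853/tcp labelled DoT, 784/udp labelled DoQ), and with `enabled: false` neither listener starts, so those mappings and the matching firewall accepts are dead until a certificate is configured; a comment such as `# DoT/DoQ disabled until certificate_path/private_key_path are set` would make that explicit. The `users[0].password` bcrypt hash is committed to the repository, where anyone with read access can brute-force it offline; treat the file as sensitive or inject the hash at deploy time rather than storing it here. `enable_dnssec: false` while resolving through Quad9 is presumably deliberate, but worth a one-line comment saying so.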
@@ -0,0 +1,58 @@
+user = "podman"
+capabilities = ["NET_BIND_SERVICE", "NET_RAW", "NET_ADMIN"]
+
+[service]
+name = "adguard"
+image = "adguard/adguardhome"
+
+[[volumes]]
+source = "adguard-data"
+target = "/opt/adguardhome/work"
+create = true
+
+[[volumes]]
+source = "adguard-certs"
+target = "/opt/adguardhome/certificates"
+create = true
+
+[[volumes]]
+source = "$HOME/adguard"
+target = "/opt/adguardhome/conf"
+
+[[ports]]
+host = 8888
+container = 8080
+
+# DNS ports
+[[ports]]
+host = 53
+container = 53
+protocol = "udp"
+
+[[ports]]
+host = 53
+container = 53
+protocol = "tcp"
+
+# DHCP ports
+[[ports]]
+host = 67
+container = 67
+protocol = "udp"
+
+[[ports]]
+host = 68
+container = 68
+protocol = "udp"
+
+# DNS-over-TLS
+[[ports]]
+host = 853
+container = 853
+protocol = "tcp"
+
+# DNS-over-QUIC (784/853/8853)
+[[ports]]
+host = 784
+container = 784
+protocol = "udp"
diff --git a/services/adguard/update.sh b/services/adguard/update.sh
new file mode 100644
index 0000000..39d8437
--- /dev/null
+++ b/services/adguard/update.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+mkdir -p /home/podman/adguard
+ln -sf ./AdGuardHome.yaml /home/podman/adguard/AdGuardHome.yaml
\ No newline at end of file
diff --git a/services/caddy/update.sh b/services/caddy/update.sh
index 91b164c..be7ed21 100644
--- a/services/caddy/update.sh
+++ b/services/caddy/update.sh
@@ -1,5 +1,3 @@
 #!/bin/sh
-
-# Symlink config dir
 mkdir -p /home/podman/caddy
 ln -sf ./Caddyfile /home/podman/caddy/Caddyfile
\ No newline at end of file
diff --git a/services/firewall/rules.nft b/services/firewall/rules.nft
index aadc775..be0af02 100644
--- a/services/firewall/rules.nft
+++ b/services/firewall/rules.nft
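Review bot: `image = "adguard/adguardhome"` carries no tag or digest, so every pull silently takes whatever the registry's default tag currently points at; for a service that holds DNS, DHCP and the admin password this should be pinned to a specific version tag plus its `@sha256:` digest and bumped deliberately. The `host = 8888 / container = 8080` mapping does not match the committed AdGuardHome.yaml, whose `http.address` is `0.0.0.0:3000`, so the admin UI will not answer on 8888 until one side is changed. The DoT/DoQ mappings (853/tcp, 784/udp) are also the inverse of the YAML's `port_dns_over_tls: 784` / `port_dns_over_quic: 853`, and moot while `tls.enabled` is false. DHCP discovery is broadcast traffic that, as far as I can tell, is not delivered through port-publishing NAT, so if the container is really meant to serve DHCP on `eth0` this should be verified or switched to host networking; on the same note, confirm `NET_ADMIN` is actually required here, since `NET_RAW` and `NET_BIND_SERVICE` already cover raw DHCP sockets and the privileged ports, and dropping it shrinks what a compromised container can do to the host's network stack.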
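Review bot: `ln -sf ./AdGuardHome.yaml /home/podman/adguard/AdGuardHome.yaml` creates a symlink whose relative target is resolved against the link's own directory, so `/home/podman/adguard/AdGuardHome.yaml` points at itself and any open() on it fails with ELOOP; the target must be absolute, e.g. `ln -sf "$(cd "$(dirname "$0")" && pwd)/AdGuardHome.yaml" /home/podman/adguard/AdGuardHome.yaml`. The identical construct in services/caddy/update.sh is pre-existing and has the same problem. Note also that AdGuardHome rewrites its config file when settings are changed in the UI, so linking the repository copy means runtime edits (including the password hash) land in the working tree — if that is intended, say so in a comment; otherwise copy the file instead. Adding `set -eu` would stop the script from proceeding after a failed `mkdir`.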
@@ -70,10 +70,19 @@ table inet firewall { ip saddr $lan_net tcp dport 22 accept # Allow SSH from LAN network + # AdGuard admin access (8888) only from LAN and VPN + ip saddr $lan_net tcp dport 8888 accept + ip saddr $vpn_net tcp dport 8888 accept + + # AdGuard DNS, DHCP, DoT, DoQ ports only from LAN + ip saddr $lan_net udp dport { 53, 67, 68, 784 } accept + ip saddr $lan_net tcp dport { 53, 853 } accept + # Rules for WAN interface only - # iifname $wan tcp dport 22 limit rate 10/minute accept # Rate limit SSH (port 22) to 10 connections per minute from WAN iifname $wan udp dport 51820 accept # Allow Wireguard incoming from WAN + # iifname $wan tcp dport 22 limit rate 10/minute accept # Rate limit SSH (port 22) to 10 connections per minute from WAN + # Rules for VPN interface only iifname $vpn tcp dport 22 accept # Allow SSH from VPN }
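Review bot: `ip saddr $lan_net udp dport { 53, 67, 68, 784 } accept` will not admit initial DHCP traffic: a client with no lease sends DHCPDISCOVER/DHCPREQUEST from source 0.0.0.0 to 255.255.255.255, which never matches `$lan_net`, so only renewals from already-addressed clients would get through; match DHCP by ingress interface instead, e.g. `iifname <lan-if> udp dport 67 accept` using whatever variable names the LAN interface alongside the existing `$wan`/`$vpn`. Port 68 is the client side of DHCP and only needs opening if this host is itself a DHCP client. None of the new LAN rules is tied to an input interface, so unless a reverse-path or anti-spoofing rule exists earlier in the chain (not visible here), a packet arriving on `$wan` with a forged LAN source address is accepted to DNS and the admin port. The 853/tcp and 784/udp accepts are dead for now, since AdGuardHome.yaml has TLS disabled and, once enabled, puts DoT on 784 and DoQ on 853, the opposite protocol/port pairing from these rules. The enclosing chain starts before this hunk.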