nixos/adguardhome: init

[lunik1]

Motivation for this change

Adds a system service for AdGuard Home.

The service definition is largely based on the one generated by AdGuard Home itself when passed adguardhome --service install (this won't work on NixOS, as it will try to write to a read-only filesystem), with an additional choice of config, work, and pid file locations that should follow the FHS.

May provide some relief for followers of #61617 while they wait for #108055 & the following PRs (but won't actually work on a pi without overriding the adguardhome package because of #113900)

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[dotlambda]

Please follow NixOS/rfcs#42.

[lunik1]

I think having a non-mutable config file will not work well for this service. Management via the webui does not work and the config file is migrated automatically between schema versions on some application updates.

Maybe it would be better, as it is mutable, to store the config file in the work dir by default? Anyone who really wants to try for a stateless config can then override confFile and use environment.etc.

[lunik1]

The application also fails the initial set-up if the config file is not writable.

[lunik1]

I think it might make sense to introduce an openFirewall option to this module, although I am not exactly sure what it should cover. The port the webUI is served on is specified by port, but not the port the DNS server is served on (which is specified in the config file / on initial setup). However, ports 53 will be used in the vast majority of cases.

[SuperSandro2000]

Suggested change

	default = "/run/AdGuardHome.pid";
	default = "/run/AdGuardHome/AdGuardHome.pid";

[lunik1]

This fails with a "no such file or directory error", looks like the directory must exist. Is leaving it in /run ok or should there be some mechanism to ensure /run/AdGuardHome exists?

[SuperSandro2000]

I am not sure what the correct way is to create the directory but otherwise it isn't easily mountable in containers.

[dotlambda]

The correct way is using https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RuntimeDirectory=.

[aanderse]

Please default to stdout.

[aanderse]

Under what scenario does this need to be configurable?

[lunik1]

pidFile can't be specified in the config file and if it wasn't configurable (e.g. fixed to /run/AdGuardHome/AdGuardHome.pid) it would be inconvenient to override. A few other modules (mongodb, bitcoind) do allow pidFile to be configured, but I admit I can't think of a use case.

Alternatively, the pid file could be disabled by default and enabled when needed through an extraArgs option. Could probably at least remove verbose in that case too.

[aanderse]

Is this intended to be mutable? Who manages this file?

[lunik1]

The config file should be managed by AdGuard Home, see my response to dotlambda's review for my rationale. If this is the case should it be placed in stateDir?

[aanderse]

I have briefly read some documentation from upstream and I understand now. This application is definitely an example of an application that should manage its own configuration... not NixOS, as you mention.

I would recommend not including this as an option so. You could probably do something really slick with DynamicUser, RuntimeDirectory (for the pid file and reloads) and StateDirectory as well...

[lunik1]

DynamicUser works! What do you think should remain configurable when using it? In my view host and port are the essentials, pidFile could just be set to /run/AdGuardHome/AdGuardHome.pid (I can't see a strong case as to the need to disable it), and logs could always be to stdout?

There could be an extraArgs flag, allowing verbose logs if a user needs it and supplying an escape hatch for future command-line options.

[aanderse]

That sounds good 👍 Whatever you think is needed.

[aanderse]

Usually we call this stateDir, depending on what it is for...

[lunik1]

This is where AdGuard Home stores filter lists / it's internal database. I was just copying AdGuard Home's terminology for workDir (which I saw used in a few other modules). But stateDir is more appropriate, I'll change it (in the morning 😴).

[lunik1]

Marking as draft while I look into DynamicUser

[lunik1]

Pushed a commit that uses DynamicUser, remove options with no clear use case, and adds an openFirewall option for the webui.

Probably should all be squashed on merge.

[aanderse]

After the pending changes you are about to push I approve this module 👍 Great work 🎉

[dotlambda]

LGTM, but I didn't test it.

[lunik1]

Thanks everybody for the help and feedback!