Alternative to Pi-hole in NixOS

By sborrazas on 2024-01-09

Now that my son has some internet access, I decided to make internet a bit safer at home.

I try to use NixOS on most of my devices. I have an old computer serving borrazas.org. I have another old computer serving as a “media center” where we watch the News for kids in Dutch. NixOS allows me to have all system configuration in one file: /etc/nixos/configuration.nix. If for some reason I have to reinstall the computer, I only have to back up that one file.

I have seen Pi-Hole recommended on Hacker News a couple of times, and I checked myself and it looked like the right tool to make internet a bit more child-friendly.

My goal:

I searched for instructions on how to install Pi-Hole on NixOS, but it seems that nobody has packaged it yet. One of the comments in the thread requesting Pi-Hole for NixOS mentioned that AdGuard Home and blocky are packaged for NixOS.

I prefer to avoid for-profit companies for blocking stuff because there are several bad examples such as Adblock Plus, and free VPN companies with fishy terms of service.

Anyway, I checked the AdGuard Home GitHub repo, and it looks like a nice project in Go, with a GNUv3 license. It looks trustworthy enough for me.

Changes in /etc/nixos/configuration.nix:

(1). Add adguardhome to the list of packages

  packages = with pkgs; [
    neovim
    wget
    curl
    # ...
    go
    tmux
    adguardhome
  ];
};

(2). Open up Firewall ports

  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [ 3000 80 ];
  networking.firewall.allowedUDPPorts = [ 53 ];

(3). Enable the service (I had to search for available options on NixOS Option Search). I used the following:

  # Adguard home
  services.adguardhome = {
    enable = true;
    openFirewall = true;
    settings = {
      bind_port = 3000;
    };
  };

I tried to add a password but currently it’s not possible with the current options.

Assuming the IP of your machine is 192.168.1.123, go to http://192.168.1.123:3000/ and you should see the AdGuard Home Dashboard.

In Settings, DNS Settings I added “https://base.dns.mullvad.net/dns-query” which blocks ads, malware and phishing. Here is a list of more DNS options. I personally trust Mullvad. I wanted something like all.dns.mullvad.net, so I looked up Mullvad block lists in https://github.com/mullvad/dns-blocklists and added the lists in Filters, DNS blocklists.
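
The upstream resolver and blocklists chosen in the dashboard can also be declared in /etc/nixos/configuration.nix, so that they survive a reinstall along with the rest of the system. This is an added example, not the author's configuration: it assumes the module's freeform settings are written to AdGuardHome.yaml and uses AdGuard Home's own dns.upstream_dns and filters keys; the filter id, name and URL are placeholders.

```nix
# Added example (not from the original post).
{ ... }:
{
  services.adguardhome = {
    enable = true;
    openFirewall = true;
    # Assumption: mutableSettings stays at the module default, so the keys
    # below are merged into the existing AdGuardHome.yaml when the service
    # starts, and anything else set in the dashboard is left alone.
    settings = {
      bind_port = 3000; # web interface, same port as on the page
      dns = {
        # Same upstream as entered under Settings, DNS settings.
        upstream_dns = [ "https://base.dns.mullvad.net/dns-query" ];
      };
      # Same lists as added under Filters, DNS blocklists.
      filters = [
        {
          enabled = true;
          id = 1; # constructed value; must be unique per list
          name = "Mullvad blocklist (placeholder name)";
          # Placeholder: replace with a list URL taken from
          # https://github.com/mullvad/dns-blocklists
          url = "https://example.invalid/REPLACE-with-list-URL";
        }
      ];
    };
  };

  # Ports from the page, plus 53/tcp: DNS clients retry over TCP when a
  # UDP answer comes back truncated.
  networking.firewall.allowedTCPPorts = [ 3000 80 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];
}
```

If used, this fragment replaces the firewall and services.adguardhome lines shown in steps (2) and (3) rather than sitting beside them.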

I had to follow the Pi-Hole guide to set up my Fritzbox internet router. The trick was to use the same IP in preferred and alternative, and to disable “Fallback to public DNS servers when DNS disrupted”.

https://docs.Pi-Hole.net/routers/fritzbox/#optional-increasing-the-priority-of-dns-requests

I have been using it for around a week and it works fine.