adguard
: Manages an Adguard Home installation
adguard::params
: Private class for managing some of the more complex default parameters
adguard::validate_tls_options
: This function ensures that the TLS config is valid before applying it.
Adguard::Blocked_service
: A list of services that AdGuard Home is able to block out of the box.
Adguard::Client
: Provides a structure for defining client overrides.
Adguard::Config_file
: Simple regex check for the AdGuard config file
Adguard::Dhcp_option
: Ensures correct input for DHCP options
Adguard::Dhcp_v4_options
: A structured hash used to supply DHCP options for IPV4
Adguard::Dhcp_v6_options
: A structured hash for specifying DHCP options for IPV6
Adguard::Dns_server
: Valid DNS server types
Adguard::Filter
: Used to manage filters in Adguard
Adguard::Http_proxy
: Very basic validation to ensure the proxy type is sensible
Adguard::Ipv4_port
: Accepts an IPV4 address with a port (eg 192.168.1.1:8080)
Adguard::Log_file
: Supported log file types
Adguard::Rewrite
: Structured hash for managing rewrites
Adguard::Tls_options
: Configures TLS options in AdGuard Home
Adguard::User
: A structured hash for providing users for the adguard web UI.
Manages an Adguard Home installation
class {'adguard':
  users => [{
    username => 'user',
    password => '$2a$10$DBX2KdCRP6JKS8TqvkVWTOjUgUQLtlWGkxkZAuiUZGTURhorjlX6K'
  }],
}
The following parameters are available in the adguard class:
webui_interface
webui_port
users
http_proxy
rlimit_nofile
debug_pprof
web_session_ttl
dns_interface
dns_port
statistics_interval
querylog_enabled
querylog_file_enabled
querylog_interval
querylog_size_memory
anonymize_client_ip
protection_enabled
blocking_mode
blocking_ipv4
blocking_ipv6
blocked_response_ttl
parental_block_host
safebrowsing_block_host
ratelimit
ratelimit_whitelist
refuse_any
upstream_dns
upstream_dns_file
bootstrap_dns
all_servers
fastest_addr
allowed_clients
disallowed_clients
blocked_hosts
dns_cache_size
dns_cache_ttl_min
dns_cache_ttl_max
bogus_nxdomain
aaaa_disabled
enable_dnssec
edns_client_subnet
max_goroutines
ipset_rules
filtering_enabled
filters_update_interval
parental_enabled
safesearch_enabled
safebrowsing_enabled
safebrowsing_cache_size
safesearch_cache_size
parental_cache_size
cache_time
rewrites
blocked_services
enable_tls
tls_options
filters
whitelist_filters
user_rules
enable_dhcp
dhcp_interface
dhcp_v4_options
dhcp_v6_options
clients
log_compress
log_localtime
log_max_backups
log_max_size
log_max_age
log_file
verbose_logging
adguard_path
manage_config
configuration_file
service_name
version
Data type: Stdlib::IP::Address::V4::Nosubnet
The interface to bind the WebUI to.
Default value: '0.0.0.0'
Data type: Stdlib::Port
The port to bind the WebUI to.
Default value: 80
Data type: Array[Adguard::User]
The users to add to allow access to the WebUI. Note: the password must be supplied as a bcrypt hash, not in plaintext.
Data type: Optional[Adguard::Http_proxy]
Define an optional http_proxy. While adguard supports SOCKS5 alongside HTTP/S, this is not supported in the Puppet module at this time.
Default value: undef
Data type: Integer
Limit on the maximum number of open files for server process (Linux).
Default value: 0
Data type: Boolean
Enable pprof HTTP server listening on port 6060 for debugging.
Default value: false
Data type: Integer
Web session TTL (in hours). A web user will stay signed in for this amount of time.
Default value: 8
Data type: Stdlib::IP::Address::V4::Nosubnet
The interface to bind to for DNS.
Default value: '0.0.0.0'
Data type: Stdlib::Port
The port to bind DNS to.
Default value: 53
Data type: Integer
Time interval for statistics (in days).
Default value: 1
Data type: Boolean
Query logging (also used to calculate top 50 clients, blocked domains and requested domains for statistical purposes).
Default value: true
Data type: Boolean
Write query logs to a file.
Default value: true
Data type: Integer
Time interval for query log (in days).
Default value: 90
Data type: Integer
Number of entries kept in memory before they are flushed to disk.
Default value: 1000
Data type: Boolean
If true, anonymize clients' IP addresses in logs and stats.
Default value: false
Data type: Boolean
Whether any kind of filtering and protection should be done. When off, it works as a plain DNS forwarder.
Default value: true
Data type: Enum['default','null_ip','custom_ip']
Specifies how to block DNS requests. Valid options:
- default (respond with NXDOMAIN status)
- null_ip (respond with the unspecified IP address (0.0.0.0))
- custom_ip (respond with blocking_ipv4 or blocking_ipv6 address)
Default value: 'default'
Data type: Optional[Stdlib::IP::Address::V4::Nosubnet]
IP address to be returned for a blocked A request if blocking_mode is set to custom_ip.
Default value: undef
Data type: Optional[Stdlib::IP::Address::V6]
IP address to be returned for a blocked AAAA request if blocking_mode is set to custom_ip.
Default value: undef
Data type: Integer
For how many seconds the clients should cache a filtered response. Low values are useful on LAN if you change filters very often, high values are useful to increase performance and save traffic.
Default value: 10
Data type: Variant[Stdlib::Fqdn,Stdlib::IP::Address]
IP (or domain name) which is used to respond to DNS requests blocked by parental control.
Default value: 'family-block.dns.adguard.com'
Data type: Variant[Stdlib::Fqdn,Stdlib::IP::Address]
IP (or domain name) which is used to respond to DNS requests blocked by safe-browsing.
Default value: 'standard-block.dns.adguard.com'
Data type: Integer
DDoS protection: specifies how many packets per second a client should receive. Anything above that is silently dropped. To disable, set to 0; the default is 20. Safe to disable if the DNS server is not available from the internet.
Default value: 20
Data type: Optional[Array[Stdlib::IP::Address]]
An array of IP addresses to whitelist from rate limiting.
Default value: undef
Data type: Boolean
Another DDoS protection mechanism. Requests of type ANY are rarely needed, so refusing to serve them mitigates attackers trying to use your DNS server for reflection. Safe to disable if the DNS server is not available from the internet.
Default value: true
Data type: Array[Adguard::Dns_server]
An array of upstream DNS servers. Can be a URL or IP.
Default value: ['https://dns10.quad9.net/dns-query']
Data type: Optional[Stdlib::Unixpath]
Path to a file with the list of upstream DNS servers. If it is configured, the value of upstream_dns is ignored. Defaults to undef
Default value: undef
Data type: Array[Stdlib::IP::Address]
List of DNS servers used for initial hostname resolution in case an upstream server name is a hostname.
Default value: [ '9.9.9.10', '149.112.112.10', '2620:fe::10', '2620:fe::fe:10' ]
Data type: Boolean
Enables parallel queries to all configured upstream servers to speed up resolving. If disabled, the queries are sent to each upstream server one-by-one and then sorted by RTT.
Default value: false
Data type: Boolean
Use Fastest Address algorithm. It finds an IP address with the lowest latency and returns this IP address in DNS response.
Default value: false
Data type: Optional[Array[Stdlib::IP::Address]]
IP addresses of allowed clients.
Default value: undef
Data type: Optional[Array[Stdlib::IP::Address]]
IP addresses of disallowed clients.
Default value: undef
Data type: Array
An array of hosts to block.
Default value: [ 'version.bind', 'id.server', 'hostname.bind' ]
Data type: Integer
DNS cache size (in bytes).
Default value: 4194304
Data type: Integer[default,3600]
Override TTL value (minimum) received from upstream server. This value can't be larger than 3600 (1 hour).
Default value: 0
Data type: Integer[default,3600]
Override TTL value (maximum) received from upstream server.
Default value: 0
Data type: Optional[Array[Adguard::Dns_server]]
Transform responses with these IP addresses to NXDOMAIN
Default value: undef
Data type: Boolean
Respond with an empty answer to all AAAA requests
Default value: false
Data type: Boolean
Set DNSSEC flag in the outgoing DNS requests and check the result. Note: if you run an additional DNS server (such as Unbound or BIND) that uses DNSSEC, you do not want DNSSEC on both, as you will get errors with legitimate DNS requests.
Default value: false
Data type: Boolean
Enable EDNS Client Subnet option. If enabled, AdGuard Home will send the ECS extension to the upstream DNS servers. Note that this is done for clients with public IP addresses only.
Default value: false
Data type: Integer
Max. number of parallel goroutines for processing incoming requests
Default value: 300
Data type: Optional[Array]
Set ipset rules
Default value: undef
Data type: Boolean
Filtering of DNS requests based on filter lists.
Default value: true
Data type: Integer
How often the filters update (in hours).
Default value: 24
Data type: Boolean
Parental control-based DNS requests filtering
Default value: false
Data type: Boolean
Enforcing "Safe search" option for search engines, when possible.
Default value: false
Data type: Boolean
Filtering of DNS requests based on safebrowsing
Default value: false
Data type: Integer
Safe Browsing cache size (in bytes).
Default value: 1048576
Data type: Integer
Safe Search cache size (in bytes).
Default value: 1048576
Data type: Integer
Parental Control cache size (in bytes).
Default value: 1048576
Data type: Integer
Safe Browsing, Safe Search, Parental Control cache TTL.
Default value: 30
Data type: Optional[Array[Adguard::Rewrite]]
An array of custom rewrite rules. Format:
- domain: the domain to perform the rewrite on
- answer: the ip address to point to
Default value: undef
Data type: Optional[Array[Adguard::Blocked_service]]
An array of any services you wish to block.
Default value: undef
Data type: Boolean
EXPERIMENTAL: enable TLS. This workflow is largely untested, use with caution.
Default value: false
Data type: Optional[Adguard::Tls_options]
The TLS configuration options.
Default value: undef
Data type: Array[Adguard::Filter]
An array of block filters to add. Will default to the standard list provided by AdGuard. Format:
- name: the name for the filter (eg AdGuard Default)
- enabled: true/false
- url: the URL to point to
Default value: $adguard::params::filters
Data type: Optional[Array[Adguard::Filter]]
An array of whitelist filters to add. Format:
- name: the name for the filter (eg AdGuard Default)
- enabled: true/false
- url: the URL to point to
Default value: undef
Data type: Optional[Array]
Any custom rules you'd like to define, optional.
Default value: undef
Data type: Boolean
EXPERIMENTAL: Enables the DHCP options within AdGuard.
Default value: false
Data type: Optional[String]
The network interface to enable DHCP on (eg 'eth0')
Default value: undef
Data type: Optional[Adguard::Dhcp_v4_options]
The configuration options for IPV4 DHCP
Default value: undef
Data type: Optional[Adguard::Dhcp_v6_options]
The configuration options for IPV6 DHCP
Default value: undef
Data type: Optional[Array[Adguard::Client]]
EXPERIMENTAL: Override global defaults for a given list of clients. See https://github.com/AdguardTeam/AdGuardHome/wiki/Clients for details. Not extensively tested; please report any issues on the project repo.
Default value: undef
Data type: Boolean
Whether or not to compress the logs.
Default value: false
Data type: Boolean
Whether to format timestamps using computer's local time.
Default value: false
Data type: Integer
Maximum number of old log files to retain (MaxAge may still cause them to get deleted) (default: 0, which retains all old log files)
Default value: 0
Data type: Integer
Maximum size in megabytes of the log file before it gets rotated.
Default value: 100
Data type: Integer
MaxAge is the maximum number of days to retain old log files.
Default value: 3
Data type: Adguard::Log_file
Path to the log file. If empty, writes to stdout; if syslog, writes to the system log (or eventlog on Windows). Valid options are:
- unixpath
- undef
- syslog
Default value: undef
Data type: Boolean
Enable or disable verbose logging. Defaults to false
Default value: false
Data type: Stdlib::Unixpath
The path to where you'd like AdGuard installed, defaults to /opt/AdGuardHome
Default value: '/opt/AdGuardHome'
Data type: Boolean
Whether or not to manage the AdGuardHome.yaml file
Default value: true
Data type: Adguard::Config_file
The path to where you want to store the configuration file, must be the full path to AdGuardHome.yaml.
Default value: "${adguard_path}/AdGuardHome.yaml"
Data type: String
The name of the service to manage, defaults to AdGuardHome
Default value: 'AdGuardHome'
Data type: String
The version to install from the GitHub release
Default value: 'latest'
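An added example, not taken from the module's documentation: a class declaration that narrows several of the defaults described above (listeners on 0.0.0.0, no client restriction, a 90-day query log with client addresses). The addresses, the Hiera key adguard_admin_hash and the 7-day retention are assumptions chosen for illustration.

```puppet
# Added example. All addresses are constructed (documentation range 192.0.2.0/24).
# 'adguard_admin_hash' is a hypothetical Hiera key holding a bcrypt hash that was
# generated off-host, so neither the plaintext password nor the hash lives in the manifest.
$admin_hash = lookup('adguard_admin_hash', String)

class { 'adguard':
  # Web UI: bind to one management address instead of the default 0.0.0.0.
  webui_interface     => '192.0.2.10',
  webui_port          => 80,
  web_session_ttl     => 8,
  debug_pprof         => false,  # keep the pprof listener on port 6060 off
  users               => [{
    username => 'admin',
    password => $admin_hash,
  }],

  # DNS: listen on the LAN address only and name the clients allowed to query.
  dns_interface       => '192.0.2.10',
  dns_port            => 53,
  allowed_clients     => ['192.0.2.21', '192.0.2.22'],
  ratelimit           => 20,     # 0 would disable rate limiting
  refuse_any          => true,   # refuse ANY queries (reflection mitigation)

  # Upstream over HTTPS, resolved through the documented bootstrap servers.
  upstream_dns        => ['https://dns10.quad9.net/dns-query'],
  bootstrap_dns       => ['9.9.9.10', '149.112.112.10'],

  # Query log: shorter retention than the 90-day default, anonymized clients.
  querylog_enabled    => true,
  querylog_interval   => 7,
  anonymize_client_ip => true,
}
```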
Type: Puppet Language
This function ensures that the TLS config is valid before applying it.
The adguard::validate_tls_options function.
Returns: Boolean
Returns true if the configuration is valid
Data type: Adguard::Tls_options
Accepts a hash of tls_options
A list of services that AdGuard Home is able to block out of the box.
Alias of
Enum['9gag', 'amazon', 'cloudflare', 'dailymotion', 'discord', 'disneyplus', 'ebay', 'epic_games', 'facebook', 'hulu', 'imgur', 'instagram', 'mail_ru', 'netflix', 'ok', 'origin', 'pinterest', 'qq', 'reddit', 'skype', 'snapchat', 'spotify', 'steam', 'telegram', 'tiktok', 'tinder', 'twitch', 'twitter', 'viber', 'vimeo', 'vk', 'wechat', 'weibo', 'whatsapp', 'youtube']
Provides a structure for defining client overrides.
Alias of
Struct[{
  name => String,
  tags => Optional[Array],
  ids => Array,
  use_global_settings => Boolean,
  filtering_enabled => Optional[Boolean],
  parental_enabled => Optional[Boolean],
  safesearch_enabled => Optional[Boolean],
  use_global_blocked_services => Boolean,
  blocked_services => Optional[Array[Adguard::Blocked_service]],
  upstreams => Optional[Array]
}]
Simple regex check for the AdGuard config file
Alias of
Pattern[/(.*\/)(.*)(AdGuardHome.yaml$)/]
Ensures correct input for DHCP options
Alias of
Variant[Pattern[/^(\d)* hex ([\da-fA-F]{2})([\da-fA-F]{2})([\da-fA-F]{2})*$/], Stdlib::IP::Address::V4::Nosubnet]
A structured hash used to supply DHCP options for IPV4
Alias of
Struct[{
  gateway_ip => Stdlib::IP::Address::V4::Nosubnet,
  subnet_mask => Stdlib::IP::Address::V4::Nosubnet,
  range_start => Stdlib::IP::Address::V4::Nosubnet,
  range_end => Stdlib::IP::Address::V4::Nosubnet,
  lease_duration => Integer,
  options => Optional[Array[Adguard::Dhcp_option]],
}]
A structured hash for specifying DHCP options for IPV6
Alias of
Struct[{
  range_start => Stdlib::IP::Address::V6,
  lease_duration => Integer,
  ra_slaac_only => Boolean,
  ra_allow_slaac => Boolean,
}]
Valid DNS server types
Alias of
Variant[Stdlib::IP::Address, Stdlib::HTTPUrl, Adguard::Ipv4_port]
Used to manage filters in Adguard
Alias of
Struct[{
  name => String,
  enabled => Boolean,
  url => Stdlib::HTTPUrl,
}]
Very basic validation to ensure the proxy type is sensible
Alias of
Pattern[/^(http|https|socks5)\:\/\//]
Accepts an IPV4 address with a port (eg 192.168.1.1:8080)
Alias of
Pattern[/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}:[0-9]{1,5}/]
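The pattern above is unanchored and its dots match any character, so it accepts strings that are not an IPv4 address and port, and because Adguard::Dns_server includes this type, such strings also pass validation for upstream_dns. The following added check (not part of the module) compares the documented pattern with a stricter test on constructed samples; it can be run with puppet apply and assumes puppetlabs-stdlib is on the module path.

```puppet
# Added example; the sample strings are constructed.
# $loose is the Adguard::Ipv4_port pattern exactly as documented above.
$loose = Pattern[/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}:[0-9]{1,5}/]

$samples = [
  '192.168.1.1:8080',       # well-formed address and port
  '999.999.999.999:99999',  # octets and port out of range
  '10.0.0.1:70000',         # valid address, port above 65535
  'x1a2b3c4:5y',            # not an address at all
]

$samples.each |String $s| {
  # Stricter check (an illustration, not the module's code): split host and
  # port, then validate each part with the stdlib types used elsewhere here.
  $parts  = $s.split(':')
  $strict = (
    $parts.length == 2
    and $parts[0] =~ Stdlib::IP::Address::V4::Nosubnet
    and $parts[1] =~ /\A[0-9]{1,5}\z/
    and Integer($parts[1], 10) =~ Stdlib::Port
  )
  $loose_ok = $s =~ $loose
  notice("${s}: documented pattern=${loose_ok} strict=${strict}")
}
```

All four samples match the documented pattern; only the first passes the stricter check.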
Supported log file types
Alias of
Variant[Stdlib::Unixpath, Enum['syslog'], Undef]
Structured hash for managing rewrites
Alias of
Struct[{
  domain => String,
  answer => String,
}]
Configures TLS options in AdGuard Home
Alias of
Struct[{
  server_name => Stdlib::Host,
  force_https => Boolean,
  port_https => Stdlib::Port,
  port_dns_over_tls => Stdlib::Port,
  port_dns_over_quic => Stdlib::Port,
  port_dnscrypt => Stdlib::Port,
  dnscrypt_config_file => Optional[Stdlib::Unixpath],
  allow_unencrypted_doh => Boolean,
  strict_sni_check => Boolean,
  certificate_chain => Optional[String],
  private_key => Optional[String],
  certificate_path => Optional[Stdlib::Unixpath],
  private_key_path => Optional[Stdlib::Unixpath]
}]
A structured hash for providing users for the adguard web UI.
Alias of
Struct[{
  username => String,
  password => String
}]