Lithospherical/nix-config
1
0
Fork 0
forked from jan-leila/nix-config
Code Pull requests Activity

fixed pihole config

Browse source
This commit is contained in:
Leyla Becker 2025-02-24 22:56:32 -06:00
parent ac580d8e51
commit 53301d0e45
3 changed files with 91 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

88
modules/nixos-modules/server/pihole.nix
View file

@ -5,6 +5,7 @@
...
}: let
dnsPort = 53;
webPort = 8090;
in {
options.host.pihole = {
enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
@ -14,9 +15,27 @@ in {
};
image = lib.mkOption {
type = lib.types.str;
default = "pihole/pihole:2024.07.0";
default = "pihole/pihole:latest";
description = "container image to use for pi-hole";
};
# piholeStateDirectory = {
# type = lib.types.str;
# default = "${config.host.pihole.directory}/pihole";
# };
# tailscaleStateDirectory = {
# type = lib.types.str;
# default = "${config.host.pihole.directory}/tailscale";
# };
# piholeImage = lib.mkOption {
# type = lib.types.str;
# default = "pihole/pihole:2024.07.0";
# description = "container image to use for pi-hole";
# };
# tailscaleImage = lib.mkOption {
# type = lib.types.str;
# default = "tailscale/tailscale:latest";
# description = "container image to use for pi-holes tail scale";
# };
ip = lib.mkOption {
type = lib.types.str;
description = "ip address to use for pi-hole";
@ -25,14 +44,24 @@ in {
config = lib.mkIf config.host.pihole.enable (lib.mkMerge [
{
host.podman.enable = true;
sops.secrets = {
"services/pi-hole" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
sops = {
secrets = {
"services/pi-hole" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
};
# "wireguard-keys/tailscale-authkey/pihole" = {
# sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
# };
};
templates."pihole.env".content = ''
FTLCONF_webserver_api_password=${config.sops.placeholder."services/pi-hole"}
'';
};
systemd = {
tmpfiles.rules = [
"d ${config.host.pihole.directory} 755 pihole pihole -" # is /home/docker/pihole on old system
# "d ${config.host.pihole.piholeStateDirectory} 755 pihole pihole -"
# "d ${config.host.pihole.tailscaleStateDirectory} 755 pihole pihole -"
];
services = {
@ -40,12 +69,12 @@ in {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-macvlan.service"
];
requires = [
"podman-network-macvlan.service"
];
# after = [
# "podman-network-macvlan.service"
# ];
# requires = [
# "podman-network-macvlan.service"
# ];
partOf = [
"podman-compose-root.target"
];
@ -56,13 +85,8 @@ in {
};
};
# TODO: we need to have a tailscale container here and use that to define the network_mode of pihole container
# TS_ACCEPT_DNS = "false";
# TS_AUTHKEY = ${something from a secrets file???}
# TS_HOSTNAME = "pihole";
# TS_USERSPACE = "false";
# TODO: volumes for tailnet container with impermanence config
# https://tailscale.com/kb/1282/docker
services.resolved.enable = false;
virtualisation = {
oci-containers = {
containers = {
@ -76,16 +100,40 @@ in {
];
environment = {
TZ = "America/Chicago";
WEBPASSWORD_FILE = passwordFileLocation;
FTLCONF_webserver_port = toString webPort;
PIHOLE_UID = toString config.users.users.pihole.uid;
PIHOLE_GID = toString config.users.groups.pihole.gid;
};
environmentFiles = [
config.sops.templates."pihole.env".path
];
log-driver = "journald";
extraOptions = [
"--ip=${config.host.pihole.ip}"
"--network=macvlan"
"--network=host"
# "--network=container:${tailscale container id}"
];
};
# ts-pihole = {
# image = config.host.pihole.tailscaleImage;
# volumes = "${config.host.pihole.tailscaleStateDirectory}:/var/lib/tailscale";
# environment = {
# TS_ACCEPT_DNS = "false";
# TS_HOSTNAME = "pihole";
# TS_STATE_DIR = "/var/lib/tailscale";
# TS_USERSPACE = "false";
# TS_EXTRA_ARGS = "--advertise-tags=tag:container";
# };
# environmentFiles = [
# config.sops.templates."tailscale-pihole.env".path
# ];
# devices = [
# "/dev/net/tun:/dev/net/tun"
# ];
# extraOptions = [
# "--ip=${config.host.pihole.ip}"
# "--network=macvlan"
# ];
# };
};
};
};

27
modules/nixos-modules/server/podman.nix
View file

@ -1,6 +1,5 @@
{
lib,
pkgs,
config,
...
}: {
@ -26,19 +25,19 @@
config = lib.mkIf config.host.podman.enable {
systemd = {
services = {
"podman-network-macvlan" = {
path = [pkgs.podman];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "podman network rm -f macvlan";
};
script = ''
podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.host.podman.macvlan.subnet} --gateway ${config.host.podman.macvlan.gateway} --opt parent=${config.host.podman.macvlan.networkInterface} macvlan
'';
partOf = ["podman-compose-root.target"];
wantedBy = ["podman-compose-root.target"];
};
# "podman-network-macvlan" = {
# path = [pkgs.podman];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# ExecStop = "podman network rm -f macvlan";
# };
# script = ''
# podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.host.podman.macvlan.subnet} --gateway ${config.host.podman.macvlan.gateway} --opt parent=${config.host.podman.macvlan.networkInterface} macvlan
# '';
# partOf = ["podman-compose-root.target"];
# wantedBy = ["podman-compose-root.target"];
# };
};
# disable computer sleeping
targets = {