fixed pihole config

configurations/nixos/defiant/configuration.nix

@@ -87,13 +87,13 @@
         };
       };
     };
-    podman = {
+    # podman = {
-      macvlan = {
+    #   macvlan = {
-        subnet = "192.168.1.0/24";
+    #     subnet = "192.168.1.0/24";
-        gateway = "192.168.1.1";
+    #     gateway = "192.168.1.1";
-        networkInterface = "bond0";
+    #     networkInterface = "bond0";
-      };
+    #   };
-    };
+    # };
     jellyfin = {
       enable = true;
       subdomain = "media";
@@ -112,7 +112,7 @@
     };
     pihole = {
       enable = true;
-      ip = "192.168.1.201";
+      # ip = "192.168.1.201";
     };
     nextcloud = {
       enable = true;
@@ -178,10 +178,12 @@
       extraUpFlags = [
         "--advertise-exit-node"
         "--advertise-routes=192.168.1.0/24"
+        "--accept-dns=false"
       ];
       extraSetFlags = [
         "--advertise-exit-node"
         "--advertise-routes=192.168.1.0/24"
+        "--accept-dns=false"
       ];
     };
   };

modules/nixos-modules/server/pihole.nix

@@ -5,6 +5,7 @@
   ...
 }: let
   dnsPort = 53;
+  webPort = 8090;
 in {
   options.host.pihole = {
     enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
@@ -14,9 +15,27 @@ in {
     };
     image = lib.mkOption {
       type = lib.types.str;
-      default = "pihole/pihole:2024.07.0";
+      default = "pihole/pihole:latest";
       description = "container image to use for pi-hole";
     };
+    # piholeStateDirectory = {
+    #   type = lib.types.str;
+    #   default = "${config.host.pihole.directory}/pihole";
+    # };
+    # tailscaleStateDirectory = {
+    #   type = lib.types.str;
+    #   default = "${config.host.pihole.directory}/tailscale";
+    # };
+    # piholeImage = lib.mkOption {
+    #   type = lib.types.str;
+    #   default = "pihole/pihole:2024.07.0";
+    #   description = "container image to use for pi-hole";
+    # };
+    # tailscaleImage = lib.mkOption {
+    #   type = lib.types.str;
+    #   default = "tailscale/tailscale:latest";
+    #   description = "container image to use for pi-holes tail scale";
+    # };
     ip = lib.mkOption {
       type = lib.types.str;
       description = "ip address to use for pi-hole";
@@ -25,14 +44,24 @@ in {
   config = lib.mkIf config.host.pihole.enable (lib.mkMerge [
     {
       host.podman.enable = true;
-      sops.secrets = {
+      sops = {
-        "services/pi-hole" = {
+        secrets = {
-          sopsFile = "${inputs.secrets}/defiant-services.yaml";
+          "services/pi-hole" = {
+            sopsFile = "${inputs.secrets}/defiant-services.yaml";
+          };
+          # "wireguard-keys/tailscale-authkey/pihole" = {
+          #   sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+          # };
         };
+        templates."pihole.env".content = ''
+          FTLCONF_webserver_api_password=${config.sops.placeholder."services/pi-hole"}
+        '';
       };
       systemd = {
         tmpfiles.rules = [
           "d ${config.host.pihole.directory} 755 pihole pihole -" # is /home/docker/pihole on old system
+          # "d ${config.host.pihole.piholeStateDirectory} 755 pihole pihole -"
+          # "d ${config.host.pihole.tailscaleStateDirectory} 755 pihole pihole -"
         ];
 
         services = {
@@ -40,12 +69,12 @@ in {
             serviceConfig = {
               Restart = lib.mkOverride 500 "always";
             };
-            after = [
+            # after = [
-              "podman-network-macvlan.service"
+            #   "podman-network-macvlan.service"
-            ];
+            # ];
-            requires = [
+            # requires = [
-              "podman-network-macvlan.service"
+            #   "podman-network-macvlan.service"
-            ];
+            # ];
             partOf = [
               "podman-compose-root.target"
             ];
@@ -56,13 +85,8 @@ in {
         };
       };
 
-      # TODO: we need to have a tailscale container here and use that to define the network_mode of pihole container
+      services.resolved.enable = false;
-      # TS_ACCEPT_DNS = "false";
+
-      # TS_AUTHKEY = ${something from a secrets file???}
-      # TS_HOSTNAME = "pihole";
-      # TS_USERSPACE = "false";
-      # TODO: volumes for tailnet container with impermanence config
-      # https://tailscale.com/kb/1282/docker
       virtualisation = {
         oci-containers = {
           containers = {
@@ -76,16 +100,40 @@ in {
               ];
               environment = {
                 TZ = "America/Chicago";
-                WEBPASSWORD_FILE = passwordFileLocation;
+                FTLCONF_webserver_port = toString webPort;
                 PIHOLE_UID = toString config.users.users.pihole.uid;
                 PIHOLE_GID = toString config.users.groups.pihole.gid;
               };
+              environmentFiles = [
+                config.sops.templates."pihole.env".path
+              ];
               log-driver = "journald";
               extraOptions = [
-                "--ip=${config.host.pihole.ip}"
+                "--network=host"
-                "--network=macvlan"
+                # "--network=container:${tailscale container id}"
               ];
             };
+            # ts-pihole = {
+            #   image = config.host.pihole.tailscaleImage;
+            #   volumes = "${config.host.pihole.tailscaleStateDirectory}:/var/lib/tailscale";
+            #   environment = {
+            #     TS_ACCEPT_DNS = "false";
+            #     TS_HOSTNAME = "pihole";
+            #     TS_STATE_DIR = "/var/lib/tailscale";
+            #     TS_USERSPACE = "false";
+            #     TS_EXTRA_ARGS = "--advertise-tags=tag:container";
+            #   };
+            #   environmentFiles = [
+            #     config.sops.templates."tailscale-pihole.env".path
+            #   ];
+            #   devices = [
+            #     "/dev/net/tun:/dev/net/tun"
+            #   ];
+            #   extraOptions = [
+            #     "--ip=${config.host.pihole.ip}"
+            #     "--network=macvlan"
+            #   ];
+            # };
           };
         };
       };

modules/nixos-modules/server/podman.nix

@@ -1,6 +1,5 @@
 {
   lib,
-  pkgs,
   config,
   ...
 }: {
@@ -26,19 +25,19 @@
   config = lib.mkIf config.host.podman.enable {
     systemd = {
       services = {
-        "podman-network-macvlan" = {
+        # "podman-network-macvlan" = {
-          path = [pkgs.podman];
+        #   path = [pkgs.podman];
-          serviceConfig = {
+        #   serviceConfig = {
-            Type = "oneshot";
+        #     Type = "oneshot";
-            RemainAfterExit = true;
+        #     RemainAfterExit = true;
-            ExecStop = "podman network rm -f macvlan";
+        #     ExecStop = "podman network rm -f macvlan";
-          };
+        #   };
-          script = ''
+        #   script = ''
-            podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.host.podman.macvlan.subnet} --gateway ${config.host.podman.macvlan.gateway} --opt parent=${config.host.podman.macvlan.networkInterface} macvlan
+        #     podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.host.podman.macvlan.subnet} --gateway ${config.host.podman.macvlan.gateway} --opt parent=${config.host.podman.macvlan.networkInterface} macvlan
-          '';
+        #   '';
-          partOf = ["podman-compose-root.target"];
+        #   partOf = ["podman-compose-root.target"];
-          wantedBy = ["podman-compose-root.target"];
+        #   wantedBy = ["podman-compose-root.target"];
-        };
+        # };
       };
       # disable computer sleeping
       targets = {