removed pihole

started drafting out adguardhome
2025-03-06 14:23:12 -06:00 · 2025-03-06 14:23:12 -06:00 · 591566cc2a
commit 591566cc2a
parent c4a7c711fb
8 changed files with 90 additions and 186 deletions
--- a/configurations/nixos/defiant/configuration.nix
+++ b/configurations/nixos/defiant/configuration.nix
@ -104,8 +104,8 @@
      enable = true;
      subdomain = "home";
    };
-    pihole = {
+    adguardhome = {
-      enable = true;
+      enable = false;
    };
    nextcloud = {
      enable = true;
--- a/configurations/nixos/defiant/hardware-configuration.nix
+++ b/configurations/nixos/defiant/hardware-configuration.nix
@ -74,6 +74,9 @@
        address = [
          "192.168.1.10/24"
        ];
        gateway = ["192.168.1.1"];
        dns = ["192.168.1.1"];
      };
    };
  };
--- a/modules/nixos-modules/impermanence.nix
+++ b/modules/nixos-modules/impermanence.nix
@ -102,19 +102,6 @@
          directories = [
            "/var/lib/nixos"
            "/var/lib/systemd/coredump"
            # config.apps.pihole.directory.root
            # config.apps.jellyfin.mediaDirectory
            # config.services.jellyfin.configDir
            # config.services.jellyfin.cacheDir
            # config.services.jellyfin.dataDir
            # "/var/hass" # config.users.users.hass.home
            # "/var/postgresql" # config.users.users.postgresql.home
            # "/var/forgejo" # config.users.users.forgejo.home
            # "/var/nextcloud" # config.users.users.nextcloud.home
            # "/var/headscale" # config.users.users.headscale.home
          ];
          files = [
            "/etc/machine-id"
--- a/modules/nixos-modules/server/adguardhome.nix
+++ b/modules/nixos-modules/server/adguardhome.nix
@ -0,0 +1,72 @@
 {
  lib,
  config,
  ...
 }: let
  dnsPort = 53;
 in {
  options.host.adguardhome = {
    enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
    directory = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/AdGuardHome/";
    };
  };
  config = lib.mkIf config.host.adguardhome.enable (lib.mkMerge [
    {
      services.adguardhome = {
        enable = true;
        mutableSettings = false;
        settings = {
          dns = {
            bootstrap_dns = [
              "1.1.1.1"
              "9.9.9.9"
            ];
            upstream_dns = [
              "dns.quad9.net"
            ];
          };
          filtering = {
            protection_enabled = true;
            filtering_enabled = true;
            parental_enabled = false; # Parental control-based DNS requests filtering.
            safe_search = {
              enabled = false; # Enforcing "Safe search" option for search engines, when possible.
            };
          };
          # The following notation uses map
          # to not have to manually create {enabled = true; url = "";} for every filter
          # This is, however, fully optional
          filters =
            map (url: {
              enabled = true;
              url = url;
            }) [
              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"
              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
            ];
        };
      };
      networking.firewall.allowedTCPPorts = [
        dnsPort
      ];
    }
    (lib.mkIf config.host.impermanence.enable {
      environment.persistence."/persist/system/root" = {
        enable = true;
        hideMounts = true;
        directories = [
          {
            directory = config.host.adguardhome.directory;
            user = "adguardhome";
            group = "adguardhome";
          }
        ];
      };
    })
  ]);
 }
--- a/modules/nixos-modules/server/default.nix
+++ b/modules/nixos-modules/server/default.nix
@ -9,7 +9,7 @@
    ./forgejo.nix
    ./searx.nix
    ./home-assistant.nix
-    ./pihole.nix
+    ./adguardhome.nix
    ./nextcloud.nix
  ];
 }
--- a/modules/nixos-modules/server/pihole.nix
+++ b/modules/nixos-modules/server/pihole.nix
@ -1,158 +0,0 @@
 {
  lib,
  config,
  inputs,
  ...
 }: let
  dnsPort = 53;
  webPort = 8090;
 in {
  options.host.pihole = {
    enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
    directory = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/pihole";
    };
    image = lib.mkOption {
      type = lib.types.str;
      default = "pihole/pihole:latest";
      description = "container image to use for pi-hole";
    };
    # piholeStateDirectory = {
    #   type = lib.types.str;
    #   default = "${config.host.pihole.directory}/pihole";
    # };
    # tailscaleStateDirectory = {
    #   type = lib.types.str;
    #   default = "${config.host.pihole.directory}/tailscale";
    # };
    # piholeImage = lib.mkOption {
    #   type = lib.types.str;
    #   default = "pihole/pihole:2024.07.0";
    #   description = "container image to use for pi-hole";
    # };
    # tailscaleImage = lib.mkOption {
    #   type = lib.types.str;
    #   default = "tailscale/tailscale:latest";
    #   description = "container image to use for pi-holes tail scale";
    # };
    ip = lib.mkOption {
      type = lib.types.str;
      description = "ip address to use for pi-hole";
    };
  };
  config = lib.mkIf config.host.pihole.enable (lib.mkMerge [
    {
      host.podman.enable = true;
      sops = {
        secrets = {
          "services/pi-hole" = {
            sopsFile = "${inputs.secrets}/defiant-services.yaml";
          };
          # "wireguard-keys/tailscale-authkey/pihole" = {
          #   sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
          # };
        };
        templates."pihole.env".content = ''
          FTLCONF_webserver_api_password=${config.sops.placeholder."services/pi-hole"}
        '';
      };
      systemd = {
        tmpfiles.rules = [
          "d ${config.host.pihole.directory} 755 pihole pihole -" # is /home/docker/pihole on old system
          # "d ${config.host.pihole.piholeStateDirectory} 755 pihole pihole -"
          # "d ${config.host.pihole.tailscaleStateDirectory} 755 pihole pihole -"
        ];
        services = {
          "podman-pihole" = {
            serviceConfig = {
              Restart = lib.mkOverride 500 "always";
            };
            # after = [
            #   "podman-network-macvlan.service"
            # ];
            # requires = [
            #   "podman-network-macvlan.service"
            # ];
            partOf = [
              "podman-compose-root.target"
            ];
            wantedBy = [
              "podman-compose-root.target"
            ];
          };
        };
      };
      services.resolved.enable = false;
      virtualisation = {
        oci-containers = {
          containers = {
            pihole = let
              passwordFileLocation = "/var/lib/pihole/webpassword.txt";
            in {
              image = config.host.pihole.image;
              volumes = [
                "${config.host.pihole.directory}:/etc/pihole:rw"
                "${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}"
              ];
              environment = {
                TZ = "America/Chicago";
                FTLCONF_webserver_port = toString webPort;
                PIHOLE_UID = toString config.users.users.pihole.uid;
                PIHOLE_GID = toString config.users.groups.pihole.gid;
              };
              environmentFiles = [
                config.sops.templates."pihole.env".path
              ];
              log-driver = "journald";
              extraOptions = [
                "--network=host"
                # "--network=container:${tailscale container id}"
              ];
            };
            # ts-pihole = {
            #   image = config.host.pihole.tailscaleImage;
            #   volumes = "${config.host.pihole.tailscaleStateDirectory}:/var/lib/tailscale";
            #   environment = {
            #     TS_ACCEPT_DNS = "false";
            #     TS_HOSTNAME = "pihole";
            #     TS_STATE_DIR = "/var/lib/tailscale";
            #     TS_USERSPACE = "false";
            #     TS_EXTRA_ARGS = "--advertise-tags=tag:container";
            #   };
            #   environmentFiles = [
            #     config.sops.templates."tailscale-pihole.env".path
            #   ];
            #   devices = [
            #     "/dev/net/tun:/dev/net/tun"
            #   ];
            #   extraOptions = [
            #     "--ip=${config.host.pihole.ip}"
            #     "--network=macvlan"
            #   ];
            # };
          };
        };
      };
      networking.firewall.allowedTCPPorts = [
        dnsPort
      ];
    }
    (lib.mkIf config.host.impermanence.enable {
      environment.persistence."/persist/system/root" = {
        enable = true;
        hideMounts = true;
        directories = [
          {
            directory = config.host.pihole.directory;
            user = "pihole";
            group = "pihole";
          }
        ];
      };
    })
  ]);
 }
--- a/modules/nixos-modules/server/podman.nix
+++ b/modules/nixos-modules/server/podman.nix
@ -59,10 +59,10 @@
        enable = true;
        autoPrune.enable = true;
        dockerCompat = true;
-        defaultNetwork.settings = {
+        # defaultNetwork.settings = {
-          # Required for container networking to be able to use names.
+        #   # Required for container networking to be able to use names.
-          dns_enabled = true;
+        #   dns_enabled = true;
-        };
+        # };
      };
      oci-containers = {
--- a/modules/nixos-modules/users.nix
+++ b/modules/nixos-modules/users.nix
@ -17,7 +17,7 @@
    eve = 1002;
    jellyfin = 2000;
    forgejo = 2002;
-    pihole = 2003;
+    adguardhome = 2003;
    hass = 2004;
    headscale = 2005;
    nextcloud = 2006;
@ -32,7 +32,7 @@
    jellyfin_media = 2001;
    jellyfin = 2000;
    forgejo = 2002;
-    pihole = 2003;
+    adguardhome = 2003;
    hass = 2004;
    headscale = 2005;
    nextcloud = 2006;
@ -123,10 +123,10 @@ in {
            group = config.users.users.forgejo.name;
          };
-          pihole = {
+          adguardhome = {
-            uid = lib.mkForce uids.pihole;
+            uid = lib.mkForce uids.adguardhome;
            isSystemUser = true;
-            group = config.users.users.pihole.name;
+            group = config.users.users.adguardhome.name;
          };
          hass = {
@ -208,10 +208,10 @@ in {
            ];
          };
-          pihole = {
+          adguardhome = {
-            gid = lib.mkForce gids.pihole;
+            gid = lib.mkForce gids.adguardhome;
            members = [
-              users.pihole.name
+              users.adguardhome.name
              # leyla
            ];
          };