Lithospherical/nix-config
1
0
Fork 0
forked from jan-leila/nix-config
Code Pull requests Activity

removed pihole

Browse source 
started drafting out adguardhome
This commit is contained in:
Leyla Becker 2025-03-06 14:23:12 -06:00
parent c4a7c711fb
commit 591566cc2a
8 changed files with 90 additions and 186 deletions
Download patch file Download diff file Expand all files Collapse all files

4
configurations/nixos/defiant/configuration.nix
View file

@ -104,8 +104,8 @@
enable = true;
subdomain = "home";
};
pihole = {
enable = true;
adguardhome = {
enable = false;
};
nextcloud = {
enable = true;

3
configurations/nixos/defiant/hardware-configuration.nix
View file

@ -74,6 +74,9 @@
address = [
"192.168.1.10/24"
];
gateway = ["192.168.1.1"];
dns = ["192.168.1.1"];
};
};
};

13
modules/nixos-modules/impermanence.nix
View file

@ -102,19 +102,6 @@
directories = [
"/var/lib/nixos"
"/var/lib/systemd/coredump"
# config.apps.pihole.directory.root
# config.apps.jellyfin.mediaDirectory
# config.services.jellyfin.configDir
# config.services.jellyfin.cacheDir
# config.services.jellyfin.dataDir
# "/var/hass" # config.users.users.hass.home
# "/var/postgresql" # config.users.users.postgresql.home
# "/var/forgejo" # config.users.users.forgejo.home
# "/var/nextcloud" # config.users.users.nextcloud.home
# "/var/headscale" # config.users.users.headscale.home
];
files = [
"/etc/machine-id"

72
modules/nixos-modules/server/adguardhome.nix Normal file
View file

@ -0,0 +1,72 @@
{
lib,
config,
...
}: let
dnsPort = 53;
in {
options.host.adguardhome = {
enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
directory = lib.mkOption {
type = lib.types.str;
default = "/var/lib/AdGuardHome/";
};
};
config = lib.mkIf config.host.adguardhome.enable (lib.mkMerge [
{
services.adguardhome = {
enable = true;
mutableSettings = false;
settings = {
dns = {
bootstrap_dns = [
"1.1.1.1"
"9.9.9.9"
];
upstream_dns = [
"dns.quad9.net"
];
};
filtering = {
protection_enabled = true;
filtering_enabled = true;
parental_enabled = false; # Parental control-based DNS requests filtering.
safe_search = {
enabled = false; # Enforcing "Safe search" option for search engines, when possible.
};
};
# The following notation uses map
# to not have to manually create {enabled = true; url = "";} for every filter
# This is, however, fully optional
filters =
map (url: {
enabled = true;
url = url;
}) [
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
];
};
};
networking.firewall.allowedTCPPorts = [
dnsPort
];
}
(lib.mkIf config.host.impermanence.enable {
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = config.host.adguardhome.directory;
user = "adguardhome";
group = "adguardhome";
}
];
};
})
]);
}

2
modules/nixos-modules/server/default.nix
View file

@ -9,7 +9,7 @@
./forgejo.nix
./searx.nix
./home-assistant.nix
./pihole.nix
./adguardhome.nix
./nextcloud.nix
];
}

158
modules/nixos-modules/server/pihole.nix
View file

@ -1,158 +0,0 @@
{
lib,
config,
inputs,
...
}: let
dnsPort = 53;
webPort = 8090;
in {
options.host.pihole = {
enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
directory = lib.mkOption {
type = lib.types.str;
default = "/var/lib/pihole";
};
image = lib.mkOption {
type = lib.types.str;
default = "pihole/pihole:latest";
description = "container image to use for pi-hole";
};
# piholeStateDirectory = {
# type = lib.types.str;
# default = "${config.host.pihole.directory}/pihole";
# };
# tailscaleStateDirectory = {
# type = lib.types.str;
# default = "${config.host.pihole.directory}/tailscale";
# };
# piholeImage = lib.mkOption {
# type = lib.types.str;
# default = "pihole/pihole:2024.07.0";
# description = "container image to use for pi-hole";
# };
# tailscaleImage = lib.mkOption {
# type = lib.types.str;
# default = "tailscale/tailscale:latest";
# description = "container image to use for pi-holes tail scale";
# };
ip = lib.mkOption {
type = lib.types.str;
description = "ip address to use for pi-hole";
};
};
config = lib.mkIf config.host.pihole.enable (lib.mkMerge [
{
host.podman.enable = true;
sops = {
secrets = {
"services/pi-hole" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
};
# "wireguard-keys/tailscale-authkey/pihole" = {
# sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
# };
};
templates."pihole.env".content = ''
FTLCONF_webserver_api_password=${config.sops.placeholder."services/pi-hole"}
'';
};
systemd = {
tmpfiles.rules = [
"d ${config.host.pihole.directory} 755 pihole pihole -" # is /home/docker/pihole on old system
# "d ${config.host.pihole.piholeStateDirectory} 755 pihole pihole -"
# "d ${config.host.pihole.tailscaleStateDirectory} 755 pihole pihole -"
];
services = {
"podman-pihole" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
# after = [
# "podman-network-macvlan.service"
# ];
# requires = [
# "podman-network-macvlan.service"
# ];
partOf = [
"podman-compose-root.target"
];
wantedBy = [
"podman-compose-root.target"
];
};
};
};
services.resolved.enable = false;
virtualisation = {
oci-containers = {
containers = {
pihole = let
passwordFileLocation = "/var/lib/pihole/webpassword.txt";
in {
image = config.host.pihole.image;
volumes = [
"${config.host.pihole.directory}:/etc/pihole:rw"
"${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}"
];
environment = {
TZ = "America/Chicago";
FTLCONF_webserver_port = toString webPort;
PIHOLE_UID = toString config.users.users.pihole.uid;
PIHOLE_GID = toString config.users.groups.pihole.gid;
};
environmentFiles = [
config.sops.templates."pihole.env".path
];
log-driver = "journald";
extraOptions = [
"--network=host"
# "--network=container:${tailscale container id}"
];
};
# ts-pihole = {
# image = config.host.pihole.tailscaleImage;
# volumes = "${config.host.pihole.tailscaleStateDirectory}:/var/lib/tailscale";
# environment = {
# TS_ACCEPT_DNS = "false";
# TS_HOSTNAME = "pihole";
# TS_STATE_DIR = "/var/lib/tailscale";
# TS_USERSPACE = "false";
# TS_EXTRA_ARGS = "--advertise-tags=tag:container";
# };
# environmentFiles = [
# config.sops.templates."tailscale-pihole.env".path
# ];
# devices = [
# "/dev/net/tun:/dev/net/tun"
# ];
# extraOptions = [
# "--ip=${config.host.pihole.ip}"
# "--network=macvlan"
# ];
# };
};
};
};
networking.firewall.allowedTCPPorts = [
dnsPort
];
}
(lib.mkIf config.host.impermanence.enable {
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = config.host.pihole.directory;
user = "pihole";
group = "pihole";
}
];
};
})
]);
}

8
modules/nixos-modules/server/podman.nix
View file

@ -59,10 +59,10 @@
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
# defaultNetwork.settings = {
# # Required for container networking to be able to use names.
# dns_enabled = true;
# };
};
oci-containers = {

16
modules/nixos-modules/users.nix
View file

@ -17,7 +17,7 @@
eve = 1002;
jellyfin = 2000;
forgejo = 2002;
pihole = 2003;
adguardhome = 2003;
hass = 2004;
headscale = 2005;
nextcloud = 2006;
@ -32,7 +32,7 @@
jellyfin_media = 2001;
jellyfin = 2000;
forgejo = 2002;
pihole = 2003;
adguardhome = 2003;
hass = 2004;
headscale = 2005;
nextcloud = 2006;
@ -123,10 +123,10 @@ in {
group = config.users.users.forgejo.name;
};
pihole = {
uid = lib.mkForce uids.pihole;
adguardhome = {
uid = lib.mkForce uids.adguardhome;
isSystemUser = true;
group = config.users.users.pihole.name;
group = config.users.users.adguardhome.name;
};
hass = {
@ -208,10 +208,10 @@ in {
];
};
pihole = {
gid = lib.mkForce gids.pihole;
adguardhome = {
gid = lib.mkForce gids.adguardhome;
members = [
users.pihole.name
users.adguardhome.name
# leyla
];
};