created config for pihole

2025-01-02 21:39:39 -06:00 · 2025-01-02 21:39:39 -06:00 · b02bd1a5e2
commit b02bd1a5e2
parent e6852cc537
5 changed files with 185 additions and 129 deletions
--- a/configurations/nixos/defiant/configuration.nix
+++ b/configurations/nixos/defiant/configuration.nix
@ -81,6 +81,17 @@
      enable = true;
      subdomain = "home";
    };
+    pihole = {
+      enable = true;
+      ip = "192.168.1.201";
+    };
+    podman = {
+      macvlan = {
+        subnet = "192.168.1.0/24";
+        gateway = "192.168.1.1";
+        networkInterface = "bond0";
+      };
+    };
  };
  networking = {
    hostId = "c51763d6";
--- a/configurations/nixos/defiant/services.nix
+++ b/configurations/nixos/defiant/services.nix
@ -18,45 +18,6 @@ in {
      base_domain = lib.mkOption {
        type = lib.types.str;
      };
-      macvlan = {
-        subnet = lib.mkOption {
-          type = lib.types.str;
-          description = "Subnet for macvlan address range";
-        };
-        gateway = lib.mkOption {
-          type = lib.types.str;
-          description = "Gateway for macvlan";
-          # TODO: see if we can default this to systemd network gateway
-        };
-        networkInterface = lib.mkOption {
-          type = lib.types.str;
-          description = "Parent network interface for macvlan";
-          # TODO: see if we can default this some interface?
-        };
-      };
-      pihole = {
-        image = lib.mkOption {
-          type = lib.types.str;
-          description = "container image to use for pi-hole";
-        };
-        # TODO: check against subnet for macvlan
-        ip = lib.mkOption {
-          type = lib.types.str;
-          description = "ip address to use for pi-hole";
-        };
-        directory = {
-          root = lib.mkOption {
-            type = lib.types.str;
-            description = "directory that pihole will be hosted at";
-            default = "/var/lib/pihole";
-          };
-          data = lib.mkOption {
-            type = lib.types.str;
-            description = "directory that pihole data will be hosted at";
-            default = "${config.apps.pihole.directory.root}/data";
-          };
-        };
-      };
      headscale = {
        subdomain = lib.mkOption {
          type = lib.types.str;
@ -98,94 +59,14 @@ in {

  config = {
    sops.secrets = {
-      "services/pi-hole" = {
-        sopsFile = "${inputs.secrets}/defiant-services.yaml";
-      };
      "services/nextcloud_adminpass" = {
        sopsFile = "${inputs.secrets}/defiant-services.yaml";
        owner = config.users.users.nextcloud.name;
      };
    };

-    virtualisation = {
-      # Runtime
-      podman = {
-        enable = true;
-        autoPrune.enable = true;
-        dockerCompat = true;
-        defaultNetwork.settings = {
-          # Required for container networking to be able to use names.
-          dns_enabled = true;
-        };
-      };
-
-      oci-containers = {
-        backend = "podman";
-
-        containers = {
-          pihole = let
-            passwordFileLocation = "/var/lib/pihole/webpassword.txt";
-          in {
-            image = config.apps.pihole.image;
-            volumes = [
-              "${config.apps.pihole.directory.data}:/etc/pihole:rw"
-              "${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}"
-            ];
-            environment = {
-              TZ = "America/Chicago";
-              WEBPASSWORD_FILE = passwordFileLocation;
-              PIHOLE_UID = toString config.users.users.pihole.uid;
-              PIHOLE_GID = toString config.users.groups.pihole.gid;
-            };
-            log-driver = "journald";
-            extraOptions = [
-              "--ip=${config.apps.pihole.ip}"
-              "--network=macvlan"
-            ];
-          };
-        };
-      };
-    };
-
-    # TODO: dynamic users
    systemd = {
-      tmpfiles.rules = [
-        "d ${config.apps.pihole.directory.root} 755 pihole pihole -" # is /home/docker/pihole on old system
-        "d ${config.apps.pihole.directory.data} 755 pihole pihole -" # is /home/docker/pihole on old system
-      ];
-
      services = {
-        "podman-pihole" = {
-          serviceConfig = {
-            Restart = lib.mkOverride 500 "always";
-          };
-          after = [
-            "podman-network-macvlan.service"
-          ];
-          requires = [
-            "podman-network-macvlan.service"
-          ];
-          partOf = [
-            "podman-compose-root.target"
-          ];
-          wantedBy = [
-            "podman-compose-root.target"
-          ];
-        };
-
-        "podman-network-macvlan" = {
-          path = [pkgs.podman];
-          serviceConfig = {
-            Type = "oneshot";
-            RemainAfterExit = true;
-            ExecStop = "podman network rm -f macvlan";
-          };
-          script = ''
-            podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.apps.macvlan.subnet} --gateway ${config.apps.macvlan.gateway} --opt parent=${config.apps.macvlan.networkInterface} macvlan
-          '';
-          partOf = ["podman-compose-root.target"];
-          wantedBy = ["podman-compose-root.target"];
-        };
        # nextcloud-setup = {
        #   after = ["network.target"];
        # };
@ -201,16 +82,6 @@ in {
        suspend.enable = false;
        hibernate.enable = false;
        hybrid-sleep.enable = false;
-
-        # Root service
-        # When started, this will automatically create all resources and start
-        # the containers. When stopped, this will teardown all resources.
-        "podman-compose-root" = {
-          unitConfig = {
-            Description = "Root target for podman targets.";
-          };
-          wantedBy = ["multi-user.target"];
-        };
      };
    };

--- a/modules/nixos-modules/server/default.nix
+++ b/modules/nixos-modules/server/default.nix
@ -3,9 +3,11 @@
    ./network_storage
    ./reverse_proxy.nix
    ./postgres.nix
+    ./podman.nix
    ./jellyfin.nix
    ./forgejo.nix
    ./searx.nix
    ./home-assistant.nix
+    ./pihole.nix
  ];
 }
--- a/modules/nixos-modules/server/pihole.nix
+++ b/modules/nixos-modules/server/pihole.nix
@ -0,0 +1,98 @@
+{
+  lib,
+  config,
+  inputs,
+  ...
+}: {
+  options.host.pihole = {
+    enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
+    directory = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/pihole";
+    };
+    image = lib.mkOption {
+      type = lib.types.str;
+      default = "pihole/pihole:2024.07.0";
+      description = "container image to use for pi-hole";
+    };
+    ip = lib.mkOption {
+      type = lib.types.str;
+      description = "ip address to use for pi-hole";
+    };
+  };
+  config = lib.mkIf config.host.pihole.enable (lib.mkMerge [
+    {
+      host.podman.enable = true;
+      sops.secrets = {
+        "services/pi-hole" = {
+          sopsFile = "${inputs.secrets}/defiant-services.yaml";
+        };
+      };
+      systemd = {
+        tmpfiles.rules = [
+          "d ${config.host.pihole.directory} 755 pihole pihole -" # is /home/docker/pihole on old system
+        ];
+
+        services = {
+          "podman-pihole" = {
+            serviceConfig = {
+              Restart = lib.mkOverride 500 "always";
+            };
+            after = [
+              "podman-network-macvlan.service"
+            ];
+            requires = [
+              "podman-network-macvlan.service"
+            ];
+            partOf = [
+              "podman-compose-root.target"
+            ];
+            wantedBy = [
+              "podman-compose-root.target"
+            ];
+          };
+        };
+      };
+
+      virtualisation = {
+        oci-containers = {
+          containers = {
+            pihole = let
+              passwordFileLocation = "/var/lib/pihole/webpassword.txt";
+            in {
+              image = config.host.pihole.image;
+              volumes = [
+                "${config.host.pihole.directory}:/etc/pihole:rw"
+                "${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}"
+              ];
+              environment = {
+                TZ = "America/Chicago";
+                WEBPASSWORD_FILE = passwordFileLocation;
+                PIHOLE_UID = toString config.users.users.pihole.uid;
+                PIHOLE_GID = toString config.users.groups.pihole.gid;
+              };
+              log-driver = "journald";
+              extraOptions = [
+                "--ip=${config.host.pihole.ip}"
+                "--network=macvlan"
+              ];
+            };
+          };
+        };
+      };
+    }
+    (lib.mkIf config.host.impermanence.enable {
+      environment.persistence."/persist/system/root" = {
+        enable = true;
+        hideMounts = true;
+        directories = [
+          {
+            directory = config.host.pihole.directory;
+            user = "pihole";
+            group = "pihole";
+          }
+        ];
+      };
+    })
+  ]);
+}
--- a/modules/nixos-modules/server/podman.nix
+++ b/modules/nixos-modules/server/podman.nix
@ -0,0 +1,74 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: {
+  options.host.podman = {
+    enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
+    macvlan = {
+      subnet = lib.mkOption {
+        type = lib.types.str;
+        description = "Subnet for macvlan address range";
+      };
+      gateway = lib.mkOption {
+        type = lib.types.str;
+        description = "Gateway for macvlan";
+        # TODO: see if we can default this to systemd network gateway
+      };
+      networkInterface = lib.mkOption {
+        type = lib.types.str;
+        description = "Parent network interface for macvlan";
+        # TODO: see if we can default this some interface?
+      };
+    };
+  };
+  config = lib.mkIf config.host.podman.enable {
+    systemd = {
+      services = {
+        "podman-network-macvlan" = {
+          path = [pkgs.podman];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            ExecStop = "podman network rm -f macvlan";
+          };
+          script = ''
+            podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.host.podman.macvlan.subnet} --gateway ${config.host.podman.macvlan.gateway} --opt parent=${config.host.podman.macvlan.networkInterface} macvlan
+          '';
+          partOf = ["podman-compose-root.target"];
+          wantedBy = ["podman-compose-root.target"];
+        };
+      };
+      # disable computer sleeping
+      targets = {
+        # Root service
+        # When started, this will automatically create all resources and start
+        # the containers. When stopped, this will teardown all resources.
+        "podman-compose-root" = {
+          unitConfig = {
+            Description = "Root target for podman targets.";
+          };
+          wantedBy = ["multi-user.target"];
+        };
+      };
+    };
+
+    virtualisation = {
+      # Runtime
+      podman = {
+        enable = true;
+        autoPrune.enable = true;
+        dockerCompat = true;
+        defaultNetwork.settings = {
+          # Required for container networking to be able to use names.
+          dns_enabled = true;
+        };
+      };
+
+      oci-containers = {
+        backend = "podman";
+      };
+    };
+  };
+}