diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index 6394e77..9d61f65 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -87,13 +87,13 @@ }; }; }; - podman = { - macvlan = { - subnet = "192.168.1.0/24"; - gateway = "192.168.1.1"; - networkInterface = "bond0"; - }; - }; + # podman = { + # macvlan = { + # subnet = "192.168.1.0/24"; + # gateway = "192.168.1.1"; + # networkInterface = "bond0"; + # }; + # }; jellyfin = { enable = true; subdomain = "media"; @@ -112,7 +112,7 @@ }; pihole = { enable = true; - ip = "192.168.1.201"; + # ip = "192.168.1.201"; }; nextcloud = { enable = true; @@ -178,10 +178,12 @@ extraUpFlags = [ "--advertise-exit-node" "--advertise-routes=192.168.1.0/24" + "--accept-dns=false" ]; extraSetFlags = [ "--advertise-exit-node" "--advertise-routes=192.168.1.0/24" + "--accept-dns=false" ]; }; }; diff --git a/modules/nixos-modules/server/pihole.nix b/modules/nixos-modules/server/pihole.nix index e877864..aee6105 100644 --- a/modules/nixos-modules/server/pihole.nix +++ b/modules/nixos-modules/server/pihole.nix @@ -5,6 +5,7 @@ ... }: let dnsPort = 53; + webPort = 8090; in { options.host.pihole = { enable = lib.mkEnableOption "should home-assistant be enabled on this computer"; 
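Review bot: Commenting out `ip = "192.168.1.201";` leaves `host.pihole.ip` declared in modules/nixos-modules/server/pihole.nix as a string option with no `default` (the declaration is visible in the hunk below), so this only evaluates because its sole consumer, `--ip=${config.host.pihole.ip}`, is commented out in the same commit; the next read of that option will fail evaluation as unset. Remove the `ip` option and this assignment together, or give the option a `default`, instead of leaving both as comments. The commented-out `podman.macvlan` block above is the same pattern: git history already preserves it, so deleting it keeps the host configuration readable.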
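Review bot: The same three flags are now duplicated verbatim between `extraUpFlags` and `extraSetFlags`, which is easy to let drift on the next edit; bind them once, `let tsFlags = [ "--advertise-exit-node" "--advertise-routes=192.168.1.0/24" "--accept-dns=false" ]; in`, and use `extraUpFlags = tsFlags; extraSetFlags = tsFlags;`. `--accept-dns=false` is the right companion to the `services.resolved.enable = false;` in pihole.nix, since it stops tailscaled from rewriting the host resolver, but it also means the host itself has no working resolver while the Pi-hole container is down unless `networking.nameservers` (not shown here) points at an external server. The enclosing attribute set — presumably the tailscale service definition — starts outside the hunk.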
@@ -14,9 +15,27 @@ in { }; image = lib.mkOption { type = lib.types.str; - default = "pihole/pihole:2024.07.0"; + default = "pihole/pihole:latest"; description = "container image to use for pi-hole"; }; + # piholeStateDirectory = { + # type = lib.types.str; + # default = "${config.host.pihole.directory}/pihole"; + # }; + # tailscaleStateDirectory = { + # type = lib.types.str; + # default = "${config.host.pihole.directory}/tailscale"; + # }; + # piholeImage = lib.mkOption { + # type = lib.types.str; + # default = "pihole/pihole:2024.07.0"; + # description = "container image to use for pi-hole"; + # }; + # tailscaleImage = lib.mkOption { + # type = lib.types.str; + # default = "tailscale/tailscale:latest"; + # description = "container image to use for pi-holes tail scale"; + # }; ip = lib.mkOption { type = lib.types.str; description = "ip address to use for pi-hole"; @@ -25,14 +44,24 @@ in { config = lib.mkIf config.host.pihole.enable (lib.mkMerge [ { host.podman.enable = true; - sops.secrets = { - "services/pi-hole" = { - sopsFile = "${inputs.secrets}/defiant-services.yaml"; + sops = { + secrets = { + "services/pi-hole" = { + sopsFile = "${inputs.secrets}/defiant-services.yaml"; + }; + # "wireguard-keys/tailscale-authkey/pihole" = { + # sopsFile = "${inputs.secrets}/wireguard-keys.yaml"; + # }; }; + templates."pihole.env".content = '' + FTLCONF_webserver_api_password=${config.sops.placeholder."services/pi-hole"} + ''; }; systemd = { tmpfiles.rules = [ "d ${config.host.pihole.directory} 755 pihole pihole -" # is /home/docker/pihole on old system + # "d ${config.host.pihole.piholeStateDirectory} 755 pihole pihole -" + # "d ${config.host.pihole.tailscaleStateDirectory} 755 pihole pihole -" ]; services = { 
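Review bot: Changing the default from the pinned `pihole/pihole:2024.07.0` to `pihole/pihole:latest` means every future pull takes whatever upstream publishes, for a container that this same commit moves onto the host network namespace via a root-run podman unit, so a broken or compromised tag lands with no review step and the deployment stops being reproducible. Pin an explicit version tag and preferably a digest, e.g. `default = "pihole/pihole:<version>@sha256:<digest>";`, and bump it deliberately when the v6 FTLCONF settings used below are verified against that version. The ~20 commented-out option declarations (`piholeStateDirectory`, `tailscaleImage`, …) are not valid `lib.mkOption` calls as written and should be deleted or tracked in an issue rather than kept inline.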
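Review bot: The sops template writes the password unquoted as `FTLCONF_webserver_api_password=<value>`, and podman's env-file parsing takes the rest of the line literally, so a secret containing a newline, `#`, or surrounding whitespace would be truncated or altered silently; worth a comment on the template, e.g. `# single-line value only: podman --env-file does no quoting or escaping`. Compared with the old `WEBPASSWORD_FILE`, the password now also lives in the container's process environment (visible to `podman inspect` and `/proc/<pid>/environ` on the host); that is acceptable only because the unit runs podman as root and sops-nix's template defaults (root-owned, non-world-readable — confirm) protect the file itself, which deserves a one-line note. The commented-out `wireguard-keys` secret and tmpfiles rules are more dead text to drop.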
@@ -40,12 +69,12 @@ in { serviceConfig = { Restart = lib.mkOverride 500 "always"; }; - after = [ - "podman-network-macvlan.service" - ]; - requires = [ - "podman-network-macvlan.service" - ]; + # after = [ + # "podman-network-macvlan.service" + # ]; + # requires = [ + # "podman-network-macvlan.service" + # ]; partOf = [ "podman-compose-root.target" ]; @@ -56,13 +85,8 @@ in { }; }; - # TODO: we need to have a tailscale container here and use that to define the network_mode of pihole container - # TS_ACCEPT_DNS = "false"; - # TS_AUTHKEY = ${something from a secrets file???} - # TS_HOSTNAME = "pihole"; - # TS_USERSPACE = "false"; - # TODO: volumes for tailnet container with impermanence config - # https://tailscale.com/kb/1282/docker + services.resolved.enable = false; + virtualisation = { oci-containers = { containers = { @@ -76,16 +100,40 @@ in { ]; environment = { TZ = "America/Chicago"; - WEBPASSWORD_FILE = passwordFileLocation; + FTLCONF_webserver_port = toString webPort; PIHOLE_UID = toString config.users.users.pihole.uid; PIHOLE_GID = toString config.users.groups.pihole.gid; }; + environmentFiles = [ + config.sops.templates."pihole.env".path + ]; log-driver = "journald"; extraOptions = [ - "--ip=${config.host.pihole.ip}" - "--network=macvlan" + "--network=host" + # "--network=container:${tailscale container id}" ]; }; + # ts-pihole = { + # image = config.host.pihole.tailscaleImage; + # volumes = "${config.host.pihole.tailscaleStateDirectory}:/var/lib/tailscale"; + # environment = { + # TS_ACCEPT_DNS = "false"; + # TS_HOSTNAME = "pihole"; + # TS_STATE_DIR = "/var/lib/tailscale"; + # TS_USERSPACE = "false"; + # TS_EXTRA_ARGS = "--advertise-tags=tag:container"; + # }; + # environmentFiles = [ + # config.sops.templates."tailscale-pihole.env".path + # ]; + # devices = [ + # "/dev/net/tun:/dev/net/tun" + # ]; + # extraOptions = [ + # "--ip=${config.host.pihole.ip}" + # "--network=macvlan" + # ]; + # }; }; }; }; 
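Review bot: `services.resolved.enable = false;` is a host-wide change buried in the Pi-hole module with no explanation; add a why-comment, e.g. `# Pi-hole now runs with --network=host and must bind udp/tcp 53 itself; resolved's stub listener would conflict`, and consider whether the module should assert rather than silently override this. With resolved gone and tailscale told not to manage DNS, the host's own resolution depends on whatever `/etc/resolv.conf` ends up containing; if that is the Pi-hole address, pulling `pihole/pihole:latest` on a fresh boot has a circular dependency on the container it is trying to start — confirm against the host's `networking.nameservers`. The commented-out `after`/`requires` on the macvlan unit should be removed outright now that the unit no longer exists.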
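Review bot: `--network=host` replaces the macvlan's dedicated IP with direct binding on every host interface, so DNS (53) and the admin UI (`FTLCONF_webserver_port` = 8090) now listen on the LAN bond, `tailscale0` and loopback alike, with only the host firewall in between; nothing in this hunk opens or restricts those ports, so either the NixOS firewall (enabled by default) blocks Pi-hole entirely or, once opened, the admin UI is reachable from the tailnet and from anything behind the advertised exit node/routes. Restrict the web UI to loopback and front it with the reverse proxy the other services appear to use (`subdomain` on jellyfin/nextcloud), or scope it with `networking.firewall.interfaces.<lan>.allowedTCPPorts`, and likewise limit which interfaces Pi-hole answers DNS on via its own listening settings rather than exposing 53 to the tailnet implicitly. The commented-out `ts-pihole` container (~20 lines referencing options that are themselves only comments) should be deleted or tracked in an issue.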
diff --git a/modules/nixos-modules/server/podman.nix b/modules/nixos-modules/server/podman.nix index 0f48ac9..b75c56f 100644 --- a/modules/nixos-modules/server/podman.nix +++ b/modules/nixos-modules/server/podman.nix @@ -1,6 +1,5 @@ { lib, - pkgs, config, ... }: { @@ -26,19 +25,19 @@ config = lib.mkIf config.host.podman.enable { systemd = { services = { - "podman-network-macvlan" = { - path = [pkgs.podman]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "podman network rm -f macvlan"; - }; - script = '' - podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.host.podman.macvlan.subnet} --gateway ${config.host.podman.macvlan.gateway} --opt parent=${config.host.podman.macvlan.networkInterface} macvlan - ''; - partOf = ["podman-compose-root.target"]; - wantedBy = ["podman-compose-root.target"]; - }; + # "podman-network-macvlan" = { + # path = [pkgs.podman]; + # serviceConfig = { + # Type = "oneshot"; + # RemainAfterExit = true; + # ExecStop = "podman network rm -f macvlan"; + # }; + # script = '' + # podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.host.podman.macvlan.subnet} --gateway ${config.host.podman.macvlan.gateway} --opt parent=${config.host.podman.macvlan.networkInterface} macvlan + # ''; + # partOf = ["podman-compose-root.target"]; + # wantedBy = ["podman-compose-root.target"]; + # }; }; # disable computer sleeping targets = {
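Review bot: The `podman-network-macvlan` unit is kept as 15 commented-out lines, but the hunk above removes `pkgs` from the module arguments, so un-commenting it later would fail on `pkgs.podman` anyway — the comment block is not a usable fallback, only noise. Delete the unit, and if nothing else reads `host.podman.macvlan.*` (its declarations are presumably still in this module, outside the hunk) remove those options in the same change; git history preserves the macvlan setup if it is ever wanted again.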