From 591566cc2a499998db353718c34b03e7fcc47d70 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Thu, 6 Mar 2025 14:23:12 -0600 Subject: [PATCH] removed pihole started drafting out adguardhome --- .../nixos/defiant/configuration.nix | 4 +- .../nixos/defiant/hardware-configuration.nix | 3 + modules/nixos-modules/impermanence.nix | 13 -- modules/nixos-modules/server/adguardhome.nix | 72 ++++++++ modules/nixos-modules/server/default.nix | 2 +- modules/nixos-modules/server/pihole.nix | 158 ------------------ modules/nixos-modules/server/podman.nix | 8 +- modules/nixos-modules/users.nix | 16 +- 8 files changed, 90 insertions(+), 186 deletions(-) create mode 100644 modules/nixos-modules/server/adguardhome.nix delete mode 100644 modules/nixos-modules/server/pihole.nix diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index bfd5a50..3ea37e9 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -104,8 +104,8 @@ enable = true; subdomain = "home"; }; - pihole = { - enable = true; + adguardhome = { + enable = false; }; nextcloud = { enable = true; diff --git a/configurations/nixos/defiant/hardware-configuration.nix b/configurations/nixos/defiant/hardware-configuration.nix index da19108..85dcd9e 100644 --- a/configurations/nixos/defiant/hardware-configuration.nix +++ b/configurations/nixos/defiant/hardware-configuration.nix @@ -74,6 +74,9 @@ address = [ "192.168.1.10/24" ]; + + gateway = ["192.168.1.1"]; + dns = ["192.168.1.1"]; }; }; }; diff --git a/modules/nixos-modules/impermanence.nix b/modules/nixos-modules/impermanence.nix index 008f060..e969e20 100644 --- a/modules/nixos-modules/impermanence.nix +++ b/modules/nixos-modules/impermanence.nix 
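Review bot: With pihole.nix deleted and the new option set to `enable = false;`, this commit leaves defiant without any resolver, so any LAN clients that were handed 192.168.1.10 as their DNS server lose resolution until the AdGuard Home draft is switched on. If that is a deliberate interim state, a one-line comment next to the toggle would save the next reader a surprise, e.g. `enable = false; # draft; DNS is served by the router until this is turned on`. The hardware-configuration hunk's `dns = ["192.168.1.1"]` keeps the host itself resolving through the router rather than through its own (currently absent) resolver, which is the right bootstrap for when AdGuard Home comes up.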
@@ -102,19 +102,6 @@ directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" - - # config.apps.pihole.directory.root - - # config.apps.jellyfin.mediaDirectory - # config.services.jellyfin.configDir - # config.services.jellyfin.cacheDir - # config.services.jellyfin.dataDir - - # "/var/hass" # config.users.users.hass.home - # "/var/postgresql" # config.users.users.postgresql.home - # "/var/forgejo" # config.users.users.forgejo.home - # "/var/nextcloud" # config.users.users.nextcloud.home - # "/var/headscale" # config.users.users.headscale.home ]; files = [ "/etc/machine-id" diff --git a/modules/nixos-modules/server/adguardhome.nix b/modules/nixos-modules/server/adguardhome.nix new file mode 100644 index 0000000..866ad8a --- /dev/null +++ b/modules/nixos-modules/server/adguardhome.nix 
@@ -0,0 +1,72 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ dnsPort = 53;
+in {
+ options.host.adguardhome = {
+ enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
+ directory = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/AdGuardHome/";
+ };
+ };
+ config = lib.mkIf config.host.adguardhome.enable (lib.mkMerge [
+ {
+ services.adguardhome = {
+ enable = true;
+ mutableSettings = false;
+ settings = {
+ dns = {
+ bootstrap_dns = [
+ "1.1.1.1"
+ "9.9.9.9"
+ ];
+ upstream_dns = [
+ "dns.quad9.net"
+ ];
+ };
+ filtering = {
+ protection_enabled = true;
+ filtering_enabled = true;
+
+ parental_enabled = false; # Parental control-based DNS requests filtering.
+ safe_search = {
+ enabled = false; # Enforcing "Safe search" option for search engines, when possible.
+ };
+ };
+ # The following notation uses map
+ # to not have to manually create {enabled = true; url = "";} for every filter
+ # This is, however, fully optional
+ filters =
+ map (url: {
+ enabled = true;
+ url = url;
+ }) [
+ "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"
+ "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
+ "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
+ ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ dnsPort
+ ];
+ }
+ (lib.mkIf config.host.impermanence.enable {
+ environment.persistence."/persist/system/root" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ {
+ directory = config.host.adguardhome.directory;
+ user = "adguardhome";
+ group = "adguardhome";
+ }
+ ];
+ };
+ })
+ ]);
+}
diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix
index c8e17a9..a031b0d 100644
--- a/modules/nixos-modules/server/default.nix
+++ b/modules/nixos-modules/server/default.nix
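Review bot: The firewall rule at the end of the first attrset opens only `networking.firewall.allowedTCPPorts = [ dnsPort ];`, but ordinary resolver traffic is UDP/53, so LAN clients will not reach AdGuard Home until `networking.firewall.allowedUDPPorts = [ dnsPort ];` is added beside it (keep TCP as well, for truncated responses). The `upstream_dns` entry `"dns.quad9.net"` is a bare hostname, which AdGuard Home treats as plain-text DNS on port 53; if an encrypted upstream was the intent, it needs a scheme, e.g. `"tls://dns.quad9.net"` or `"https://dns.quad9.net/dns-query"`, which is also the only reason the `bootstrap_dns` list is needed. The deleted pihole module set `services.resolved.enable = false;` and the new one does not, so if systemd-resolved is still on, its stub listener on port 53 may presumably contend with AdGuard Home's port-53 bind — worth confirming on the host before flipping `enable`. Lastly, `lib.mkEnableOption "should home-assistant be enabled on this computer"` is copied from the home-assistant module; it should read `"should adguardhome be enabled on this computer"`.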
@@ -9,7 +9,7 @@ ./forgejo.nix ./searx.nix ./home-assistant.nix - ./pihole.nix + ./adguardhome.nix ./nextcloud.nix ]; } diff --git a/modules/nixos-modules/server/pihole.nix b/modules/nixos-modules/server/pihole.nix deleted file mode 100644 index aee6105..0000000 --- a/modules/nixos-modules/server/pihole.nix +++ /dev/null 
@@ -1,158 +0,0 @@ -{ - lib, - config, - inputs, - ... -}: let - dnsPort = 53; - webPort = 8090; -in { - options.host.pihole = { - enable = lib.mkEnableOption "should home-assistant be enabled on this computer"; - directory = lib.mkOption { - type = lib.types.str; - default = "/var/lib/pihole"; - }; - image = lib.mkOption { - type = lib.types.str; - default = "pihole/pihole:latest"; - description = "container image to use for pi-hole"; - }; - # piholeStateDirectory = { - # type = lib.types.str; - # default = "${config.host.pihole.directory}/pihole"; - # }; - # tailscaleStateDirectory = { - # type = lib.types.str; - # default = "${config.host.pihole.directory}/tailscale"; - # }; - # piholeImage = lib.mkOption { - # type = lib.types.str; - # default = "pihole/pihole:2024.07.0"; - # description = "container image to use for pi-hole"; - # }; - # tailscaleImage = lib.mkOption { - # type = lib.types.str; - # default = "tailscale/tailscale:latest"; - # description = "container image to use for pi-holes tail scale"; - # }; - ip = lib.mkOption { - type = lib.types.str; - description = "ip address to use for pi-hole"; - }; - }; - config = lib.mkIf config.host.pihole.enable (lib.mkMerge [ - { - host.podman.enable = true; - sops = { - secrets = { - "services/pi-hole" = { - sopsFile = "${inputs.secrets}/defiant-services.yaml"; - }; - # "wireguard-keys/tailscale-authkey/pihole" = { - # sopsFile = "${inputs.secrets}/wireguard-keys.yaml"; - # }; - }; - templates."pihole.env".content = '' - FTLCONF_webserver_api_password=${config.sops.placeholder."services/pi-hole"} - ''; - }; - systemd = { - tmpfiles.rules = [ - "d ${config.host.pihole.directory} 755 pihole pihole -" # is /home/docker/pihole on old system - # "d ${config.host.pihole.piholeStateDirectory} 755 pihole pihole -" - # "d ${config.host.pihole.tailscaleStateDirectory} 755 pihole pihole -" - ]; - - services = { - "podman-pihole" = { - serviceConfig = { - Restart = lib.mkOverride 500 "always"; - }; - # after = [ - # 
"podman-network-macvlan.service" - # ]; - # requires = [ - # "podman-network-macvlan.service" - # ]; - partOf = [ - "podman-compose-root.target" - ]; - wantedBy = [ - "podman-compose-root.target" - ]; - }; - }; - }; - - services.resolved.enable = false; - - virtualisation = { - oci-containers = { - containers = { - pihole = let - passwordFileLocation = "/var/lib/pihole/webpassword.txt"; - in { - image = config.host.pihole.image; - volumes = [ - "${config.host.pihole.directory}:/etc/pihole:rw" - "${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}" - ]; - environment = { - TZ = "America/Chicago"; - FTLCONF_webserver_port = toString webPort; - PIHOLE_UID = toString config.users.users.pihole.uid; - PIHOLE_GID = toString config.users.groups.pihole.gid; - }; - environmentFiles = [ - config.sops.templates."pihole.env".path - ]; - log-driver = "journald"; - extraOptions = [ - "--network=host" - # "--network=container:${tailscale container id}" - ]; - }; - # ts-pihole = { - # image = config.host.pihole.tailscaleImage; - # volumes = "${config.host.pihole.tailscaleStateDirectory}:/var/lib/tailscale"; - # environment = { - # TS_ACCEPT_DNS = "false"; - # TS_HOSTNAME = "pihole"; - # TS_STATE_DIR = "/var/lib/tailscale"; - # TS_USERSPACE = "false"; - # TS_EXTRA_ARGS = "--advertise-tags=tag:container"; - # }; - # environmentFiles = [ - # config.sops.templates."tailscale-pihole.env".path - # ]; - # devices = [ - # "/dev/net/tun:/dev/net/tun" - # ]; - # extraOptions = [ - # "--ip=${config.host.pihole.ip}" - # "--network=macvlan" - # ]; - # }; - }; - }; - }; - networking.firewall.allowedTCPPorts = [ - dnsPort - ]; - } - (lib.mkIf config.host.impermanence.enable { - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = config.host.pihole.directory; - user = "pihole"; - group = "pihole"; - } - ]; - }; - }) - ]); -} 
diff --git a/modules/nixos-modules/server/podman.nix b/modules/nixos-modules/server/podman.nix index b75c56f..e806e65 100644 --- a/modules/nixos-modules/server/podman.nix +++ b/modules/nixos-modules/server/podman.nix @@ -59,10 +59,10 @@ enable = true; autoPrune.enable = true; dockerCompat = true; - defaultNetwork.settings = { - # Required for container networking to be able to use names. - dns_enabled = true; - }; + # defaultNetwork.settings = { + # # Required for container networking to be able to use names. + # dns_enabled = true; + # }; }; oci-containers = { diff --git a/modules/nixos-modules/users.nix b/modules/nixos-modules/users.nix index 15631a9..f57e894 100644 --- a/modules/nixos-modules/users.nix +++ b/modules/nixos-modules/users.nix @@ -17,7 +17,7 @@ eve = 1002; jellyfin = 2000; forgejo = 2002; - pihole = 2003; + adguardhome = 2003; hass = 2004; headscale = 2005; nextcloud = 2006; @@ -32,7 +32,7 @@ jellyfin_media = 2001; jellyfin = 2000; forgejo = 2002; - pihole = 2003; + adguardhome = 2003; hass = 2004; headscale = 2005; nextcloud = 2006; @@ -123,10 +123,10 @@ in { group = config.users.users.forgejo.name; }; - pihole = { - uid = lib.mkForce uids.pihole; + adguardhome = { + uid = lib.mkForce uids.adguardhome; isSystemUser = true; - group = config.users.users.pihole.name; + group = config.users.users.adguardhome.name; }; hass = { @@ -208,10 +208,10 @@ in { ]; }; - pihole = { - gid = lib.mkForce gids.pihole; + adguardhome = { + gid = lib.mkForce gids.adguardhome; members = [ - users.pihole.name + users.adguardhome.name # leyla ]; };
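Review bot: Commenting out `defaultNetwork.settings = { dns_enabled = true; }` leaves dead code whose own comment says it is required for name-based container networking, so any container still on podman's default network loses name resolution with no recorded reason. Presumably this is to keep aardvark-dns from holding port 53 alongside AdGuard Home; if so, delete the commented block and state the intent explicitly, e.g. `defaultNetwork.settings.dns_enabled = false; # aardvark-dns would collide with AdGuard Home on :53`, so the trade-off survives the next cleanup. If port contention was not the motive, the setting should be restored rather than silently disabled. The users.nix hunks on this line are a straight pihole→adguardhome rename (same uid/gid 2003) and look consistent with the new module.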