From b02bd1a5e2d89e219174fcd13c8ca5e325e31bbb Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Thu, 2 Jan 2025 21:39:39 -0600 Subject: [PATCH] created config for pihole --- .../nixos/defiant/configuration.nix | 11 ++ configurations/nixos/defiant/services.nix | 129 ------------------ modules/nixos-modules/server/default.nix | 2 + modules/nixos-modules/server/pihole.nix | 98 +++++++++++++ modules/nixos-modules/server/podman.nix | 74 ++++++++++ 5 files changed, 185 insertions(+), 129 deletions(-) create mode 100644 modules/nixos-modules/server/pihole.nix create mode 100644 modules/nixos-modules/server/podman.nix diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index f366a60..e86dbc4 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -81,6 +81,17 @@ enable = true; subdomain = "home"; }; + pihole = { + enable = true; + ip = "192.168.1.201"; + }; + podman = { + macvlan = { + subnet = "192.168.1.0/24"; + gateway = "192.168.1.1"; + networkInterface = "bond0"; + }; + }; }; networking = { hostId = "c51763d6"; diff --git a/configurations/nixos/defiant/services.nix b/configurations/nixos/defiant/services.nix index 0a6bb46..2774a1d 100644 --- a/configurations/nixos/defiant/services.nix +++ b/configurations/nixos/defiant/services.nix 
@@ -18,45 +18,6 @@ in { base_domain = lib.mkOption { type = lib.types.str; }; - macvlan = { - subnet = lib.mkOption { - type = lib.types.str; - description = "Subnet for macvlan address range"; - }; - gateway = lib.mkOption { - type = lib.types.str; - description = "Gateway for macvlan"; - # TODO: see if we can default this to systemd network gateway - }; - networkInterface = lib.mkOption { - type = lib.types.str; - description = "Parent network interface for macvlan"; - # TODO: see if we can default this some interface? - }; - }; - pihole = { - image = lib.mkOption { - type = lib.types.str; - description = "container image to use for pi-hole"; - }; - # TODO: check against subnet for macvlan - ip = lib.mkOption { - type = lib.types.str; - description = "ip address to use for pi-hole"; - }; - directory = { - root = lib.mkOption { - type = lib.types.str; - description = "directory that pihole will be hosted at"; - default = "/var/lib/pihole"; - }; - data = lib.mkOption { - type = lib.types.str; - description = "directory that pihole data will be hosted at"; - default = "${config.apps.pihole.directory.root}/data"; - }; - }; - }; headscale = { subdomain = lib.mkOption { type = lib.types.str; 
@@ -98,94 +59,14 @@ in { config = { sops.secrets = { - "services/pi-hole" = { - sopsFile = "${inputs.secrets}/defiant-services.yaml"; - }; "services/nextcloud_adminpass" = { sopsFile = "${inputs.secrets}/defiant-services.yaml"; owner = config.users.users.nextcloud.name; }; }; - virtualisation = { - # Runtime - podman = { - enable = true; - autoPrune.enable = true; - dockerCompat = true; - defaultNetwork.settings = { - # Required for container networking to be able to use names. - dns_enabled = true; - }; - }; - - oci-containers = { - backend = "podman"; - - containers = { - pihole = let - passwordFileLocation = "/var/lib/pihole/webpassword.txt"; - in { - image = config.apps.pihole.image; - volumes = [ - "${config.apps.pihole.directory.data}:/etc/pihole:rw" - "${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}" - ]; - environment = { - TZ = "America/Chicago"; - WEBPASSWORD_FILE = passwordFileLocation; - PIHOLE_UID = toString config.users.users.pihole.uid; - PIHOLE_GID = toString config.users.groups.pihole.gid; - }; - log-driver = "journald"; - extraOptions = [ - "--ip=${config.apps.pihole.ip}" - "--network=macvlan" - ]; - }; - }; - }; - }; - - # TODO: dynamic users systemd = { - tmpfiles.rules = [ - "d ${config.apps.pihole.directory.root} 755 pihole pihole -" # is /home/docker/pihole on old system - "d ${config.apps.pihole.directory.data} 755 pihole pihole -" # is /home/docker/pihole on old system - ]; - services = { - "podman-pihole" = { - serviceConfig = { - Restart = lib.mkOverride 500 "always"; - }; - after = [ - "podman-network-macvlan.service" - ]; - requires = [ - "podman-network-macvlan.service" - ]; - partOf = [ - "podman-compose-root.target" - ]; - wantedBy = [ - "podman-compose-root.target" - ]; - }; - - "podman-network-macvlan" = { - path = [pkgs.podman]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "podman network rm -f macvlan"; - }; - script = '' - podman network inspect macvlan || podman network 
create --driver macvlan --subnet ${config.apps.macvlan.subnet} --gateway ${config.apps.macvlan.gateway} --opt parent=${config.apps.macvlan.networkInterface} macvlan - ''; - partOf = ["podman-compose-root.target"]; - wantedBy = ["podman-compose-root.target"]; - }; # nextcloud-setup = { # after = ["network.target"]; # }; @@ -201,16 +82,6 @@ in { suspend.enable = false; hibernate.enable = false; hybrid-sleep.enable = false; - - # Root service - # When started, this will automatically create all resources and start - # the containers. When stopped, this will teardown all resources. - "podman-compose-root" = { - unitConfig = { - Description = "Root target for podman targets."; - }; - wantedBy = ["multi-user.target"]; - }; }; }; diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix index 38516d8..dd19cfd 100644 --- a/modules/nixos-modules/server/default.nix +++ b/modules/nixos-modules/server/default.nix @@ -3,9 +3,11 @@ ./network_storage ./reverse_proxy.nix ./postgres.nix + ./podman.nix ./jellyfin.nix ./forgejo.nix ./searx.nix ./home-assistant.nix + ./pihole.nix ]; } diff --git a/modules/nixos-modules/server/pihole.nix b/modules/nixos-modules/server/pihole.nix new file mode 100644 index 0000000..df86b97 --- /dev/null +++ b/modules/nixos-modules/server/pihole.nix 
@@ -0,0 +1,98 @@
+{
+ lib,
+ config,
+ inputs,
+ ...
+}: {
+ options.host.pihole = {
+ enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
+ directory = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/pihole";
+ };
+ image = lib.mkOption {
+ type = lib.types.str;
+ default = "pihole/pihole:2024.07.0";
+ description = "container image to use for pi-hole";
+ };
+ ip = lib.mkOption {
+ type = lib.types.str;
+ description = "ip address to use for pi-hole";
+ };
+ };
+ config = lib.mkIf config.host.pihole.enable (lib.mkMerge [
+ {
+ host.podman.enable = true;
+ sops.secrets = {
+ "services/pi-hole" = {
+ sopsFile = "${inputs.secrets}/defiant-services.yaml";
+ };
+ };
+ systemd = {
+ tmpfiles.rules = [
+ "d ${config.host.pihole.directory} 755 pihole pihole -" # is /home/docker/pihole on old system
+ ];
+
+ services = {
+ "podman-pihole" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-macvlan.service"
+ ];
+ requires = [
+ "podman-network-macvlan.service"
+ ];
+ partOf = [
+ "podman-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-root.target"
+ ];
+ };
+ };
+ };
+
+ virtualisation = {
+ oci-containers = {
+ containers = {
+ pihole = let
+ passwordFileLocation = "/var/lib/pihole/webpassword.txt";
+ in {
+ image = config.host.pihole.image;
+ volumes = [
+ "${config.host.pihole.directory}:/etc/pihole:rw"
+ "${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}"
+ ];
+ environment = {
+ TZ = "America/Chicago";
+ WEBPASSWORD_FILE = passwordFileLocation;
+ PIHOLE_UID = toString config.users.users.pihole.uid;
+ PIHOLE_GID = toString config.users.groups.pihole.gid;
+ };
+ log-driver = "journald";
+ extraOptions = [
+ "--ip=${config.host.pihole.ip}"
+ "--network=macvlan"
+ ];
+ };
+ };
+ };
+ };
+ }
+ (lib.mkIf config.host.impermanence.enable {
+ environment.persistence."/persist/system/root" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ {
+ directory = config.host.pihole.directory;
+ user = "pihole";
+ group = "pihole";
+ }
+ ];
+ };
+ })
+ ]);
+}
diff --git a/modules/nixos-modules/server/podman.nix b/modules/nixos-modules/server/podman.nix
new file mode 100644
index 0000000..0f48ac9
--- /dev/null
+++ b/modules/nixos-modules/server/podman.nix
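Review bot: The `image` default `pihole/pihole:2024.07.0` pins only a mutable tag, so the image this module actually pulls can change underneath it without any change in this repository; pinning the digest as well, `default = "pihole/pihole:2024.07.0@sha256:<DIGEST-PLACEHOLDER>";`, makes the deployment reproducible and turns an image bump into a reviewable diff. The module also reads `config.users.users.pihole.uid` and `config.users.groups.pihole.gid` and hands the tmpfiles directory to `pihole pihole` without declaring that user or group anywhere in the hunk; unless they are defined elsewhere in the tree, evaluation fails on any other host that enables it, and a user declared without an explicit `uid` would make `toString` produce an empty `PIHOLE_UID`. The `enable` description `"should home-assistant be enabled on this computer"` is copied from another module and should read `"should pihole be enabled on this computer"`. The `ip` option lost the old `# TODO: check against subnet for macvlan` note during the move; an `assertions` entry comparing it against `config.host.podman.macvlan.subnet` would close that TODO rather than drop it.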
@@ -0,0 +1,74 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}: {
+ options.host.podman = {
+ enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
+ macvlan = {
+ subnet = lib.mkOption {
+ type = lib.types.str;
+ description = "Subnet for macvlan address range";
+ };
+ gateway = lib.mkOption {
+ type = lib.types.str;
+ description = "Gateway for macvlan";
+ # TODO: see if we can default this to systemd network gateway
+ };
+ networkInterface = lib.mkOption {
+ type = lib.types.str;
+ description = "Parent network interface for macvlan";
+ # TODO: see if we can default this some interface?
+ };
+ };
+ };
+ config = lib.mkIf config.host.podman.enable {
+ systemd = {
+ services = {
+ "podman-network-macvlan" = {
+ path = [pkgs.podman];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "podman network rm -f macvlan";
+ };
+ script = ''
+ podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.host.podman.macvlan.subnet} --gateway ${config.host.podman.macvlan.gateway} --opt parent=${config.host.podman.macvlan.networkInterface} macvlan
+ '';
+ partOf = ["podman-compose-root.target"];
+ wantedBy = ["podman-compose-root.target"];
+ };
+ };
+ # disable computer sleeping
+ targets = {
+ # Root service
+ # When started, this will automatically create all resources and start
+ # the containers. When stopped, this will teardown all resources.
+ "podman-compose-root" = {
+ unitConfig = {
+ Description = "Root target for podman targets.";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+ };
+ };
+
+ virtualisation = {
+ # Runtime
+ podman = {
+ enable = true;
+ autoPrune.enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings = {
+ # Required for container networking to be able to use names.
+ dns_enabled = true;
+ };
+ };
+
+ oci-containers = {
+ backend = "podman";
+ };
+ };
+ };
+}
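Review bot: The comment `# disable computer sleeping` above `targets = {` no longer describes what follows — only the `podman-compose-root` target lives under it in this module — and should be dropped or replaced with `# Root target that every podman unit is partOf`. The `enable` description is copied from another module and should read `"should podman be enabled on this computer"`. The `macvlan` option group would benefit from a description stating that a macvlan-attached container sits directly on the parent interface's L2 segment, so the host's own firewall rules do not mediate its traffic; saying that at the option lets a host enabling it understand the exposure before choosing `networkInterface`. Because `script` only creates the network when `podman network inspect macvlan` fails, a later change to `subnet`, `gateway` or `networkInterface` presumably takes effect only after the unit is stopped and `ExecStop` has removed the old network; a one-line comment above `script` noting that would save an operator a confusing debugging session.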