{ lib, config, inputs, ... }: let dnsPort = 53; webPort = 8090; in { options.host.pihole = { enable = lib.mkEnableOption "should home-assistant be enabled on this computer"; directory = lib.mkOption { type = lib.types.str; default = "/var/lib/pihole"; }; image = lib.mkOption { type = lib.types.str; default = "pihole/pihole:latest"; description = "container image to use for pi-hole"; }; # piholeStateDirectory = { # type = lib.types.str; # default = "${config.host.pihole.directory}/pihole"; # }; # tailscaleStateDirectory = { # type = lib.types.str; # default = "${config.host.pihole.directory}/tailscale"; # }; # piholeImage = lib.mkOption { # type = lib.types.str; # default = "pihole/pihole:2024.07.0"; # description = "container image to use for pi-hole"; # }; # tailscaleImage = lib.mkOption { # type = lib.types.str; # default = "tailscale/tailscale:latest"; # description = "container image to use for pi-holes tail scale"; # }; ip = lib.mkOption { type = lib.types.str; description = "ip address to use for pi-hole"; }; }; config = lib.mkIf config.host.pihole.enable (lib.mkMerge [ { host.podman.enable = true; sops = { secrets = { "services/pi-hole" = { sopsFile = "${inputs.secrets}/defiant-services.yaml"; }; # "wireguard-keys/tailscale-authkey/pihole" = { # sopsFile = "${inputs.secrets}/wireguard-keys.yaml"; # }; }; templates."pihole.env".content = '' FTLCONF_webserver_api_password=${config.sops.placeholder."services/pi-hole"} ''; }; systemd = { tmpfiles.rules = [ "d ${config.host.pihole.directory} 755 pihole pihole -" # is /home/docker/pihole on old system # "d ${config.host.pihole.piholeStateDirectory} 755 pihole pihole -" # "d ${config.host.pihole.tailscaleStateDirectory} 755 pihole pihole -" ]; services = { "podman-pihole" = { serviceConfig = { Restart = lib.mkOverride 500 "always"; }; # after = [ # "podman-network-macvlan.service" # ]; # requires = [ # "podman-network-macvlan.service" # ]; partOf = [ "podman-compose-root.target" ]; wantedBy = [ "podman-compose-root.target" ]; }; }; }; services.resolved.enable = false; virtualisation = { oci-containers = { containers = { pihole = let passwordFileLocation = "/var/lib/pihole/webpassword.txt"; in { image = config.host.pihole.image; volumes = [ "${config.host.pihole.directory}:/etc/pihole:rw" "${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}" ]; environment = { TZ = "America/Chicago"; FTLCONF_webserver_port = toString webPort; PIHOLE_UID = toString config.users.users.pihole.uid; PIHOLE_GID = toString config.users.groups.pihole.gid; }; environmentFiles = [ config.sops.templates."pihole.env".path ]; log-driver = "journald"; extraOptions = [ "--network=host" # "--network=container:${tailscale container id}" ]; }; # ts-pihole = { # image = config.host.pihole.tailscaleImage; # volumes = "${config.host.pihole.tailscaleStateDirectory}:/var/lib/tailscale"; # environment = { # TS_ACCEPT_DNS = "false"; # TS_HOSTNAME = "pihole"; # TS_STATE_DIR = "/var/lib/tailscale"; # TS_USERSPACE = "false"; # TS_EXTRA_ARGS = "--advertise-tags=tag:container"; # }; # environmentFiles = [ # config.sops.templates."tailscale-pihole.env".path # ]; # devices = [ # "/dev/net/tun:/dev/net/tun" # ]; # extraOptions = [ # "--ip=${config.host.pihole.ip}" # "--network=macvlan" # ]; # }; }; }; }; networking.firewall.allowedTCPPorts = [ dnsPort ]; } (lib.mkIf config.host.impermanence.enable { environment.persistence."/persist/system/root" = { enable = true; hideMounts = true; directories = [ { directory = config.host.pihole.directory; user = "pihole"; group = "pihole"; } ]; }; }) ]); }