pihole: enabled and combined with stubby

This commit is contained in:
Tigor Hutasuhut 2024-06-17 01:06:03 +07:00
parent 2c91ce9e07
commit 73f22bea6a
8 changed files with 125 additions and 12 deletions


@ -5,7 +5,8 @@
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
@ -14,12 +15,14 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803"; {
device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/47A1-0296"; {
device = "/dev/disk/by-uuid/47A1-0296";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0022" "dmask=0022" ];
}; };
@ -36,7 +39,24 @@
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp9s0.useDHCP = lib.mkDefault true; networking.defaultGateway = "192.168.100.1";
networking.interfaces.enp9s0 = {
useDHCP = false;
ipv4.addresses = [
{
address = "192.168.100.3";
prefixLength = 24;
}
{
address = "192.168.100.4";
prefixLength = 24;
}
{
address = "192.168.100.5";
prefixLength = 24;
}
];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
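Review bot: The three static addresses added to enp9s0 (192.168.100.3/.4/.5) carry no explanation of why the host needs more than one, although the rest of this commit binds Pi-hole's DNS to .4 and stubby to .5, so a reader of this file alone cannot tell which alias is load-bearing. A short comment above `ipv4.addresses`, e.g. `# .3 = host, .4 = pihole container DNS (see system/podman/pihole.nix), .5 = stubby listener`, would make that dependency visible and keep the aliases from being "cleaned up" later. Note also that `networking.useDHCP = lib.mkDefault true;` on the line above still applies to any other interface, while only enp9s0 is pinned to `useDHCP = false;` — presumably intended, but worth a word in the same comment.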


@ -4,5 +4,6 @@
enable = lib.mkEnableOption "podman"; enable = lib.mkEnableOption "podman";
caddy.enable = lib.mkEnableOption "caddy podman"; caddy.enable = lib.mkEnableOption "caddy podman";
kavita.enable = lib.mkEnableOption "kavita podman"; kavita.enable = lib.mkEnableOption "kavita podman";
pihole.enable = lib.mkEnableOption "pihole podman";
}; };
} }


@ -23,11 +23,12 @@
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
podman = { podman = {
enable = false; enable = true;
pihole.enable = true;
}; };
docker = { docker = {
enable = true; enable = false;
}; };
services = { services = {

secrets/pihole.yaml Normal file

@ -0,0 +1,22 @@
pihole:
env: ENC[AES256_GCM,data:JLpWZwnefbu0mauukndehWjrsqjvnGdqKYev+UwqP3EoqG88o6c9,iv:u5iaBCjQdga/+O+/IN6dt86ElOO4sferh/BOnS/AXZw=,tag:4oRuUQJ8g11DkYGkRt6EPg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWFhuaFp4Zm5idmFXUGRO
RG9YbzV3WUdJcHRFWlpISE5GNzVRZEpILzFvCjJUQlFqeWFsNU15Y1pINWgvc2wz
OU82L3ZPdW9GY1dyaXV4dndIUmNGRzQKLS0tIGpYMGZQeFJMMlhYUGR5c3lkbng2
VlpjTVo3NlIzR0QrVGZNdWdORjVMVmMKIrSq+w9oB3UdOxGNbwabXrpgPSfys+zo
M79xEqCUZ30jmfpPvL2VUiD25Bq/iWyj3x8d1xVGxQqUOg23AMb9mA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-16T17:29:06Z"
mac: ENC[AES256_GCM,data:e4VrmU1OtVuTxIz56NIumSoLTN2PDCYk5+f8UhPZyTF9rH/hz78LxhbPEPLy4TqQpxZZw/cH8wUUTNXUsYRdlbeL+IIbsEcwzjEBWZCSu38gMj/bNhBNwKU/oAWoKHdAQJYxYe3xnyji1xMLZofDVGQv2i46AI1TMXjFBU9Lz6Q=,iv:ILLCVVWxEKgVqCLHGuDmVINdgh0T3oYimdBIeWvQ7PE=,tag:7yvr0eEciG8yOVrHk1eGeg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -9,7 +9,9 @@
cfg = config.profile.networking.firewall; cfg = config.profile.networking.firewall;
in in
{ {
enable = cfg.enable; # enable = cfg.enable;
enable = true;
allowedTCPPorts = cfg.allowedTCPPorts; allowedTCPPorts = cfg.allowedTCPPorts;
allowedUDPPorts = [ 53 ];
}; };
} }
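Review bot: `enable = true;` now hard-codes the firewall on and leaves `# enable = cfg.enable;` behind as dead text, so the profile's `cfg.enable` option in this file no longer has any effect; either keep `enable = cfg.enable;` and set the option to true in the host profile, or drop the option and the comment together rather than carrying both. `allowedUDPPorts = [ 53 ];` is likewise unconditional: it opens DNS on every interface even on hosts where neither Pi-hole nor stubby is enabled, whereas moving it into the pihole module under its `mkIf` (`networking.firewall.allowedUDPPorts = [ 53 ];`) keeps the exposure tied to the service that needs it. If the profile already exposes an `allowedUDPPorts` option, wiring it as `allowedUDPPorts = cfg.allowedUDPPorts;` in parallel with the TCP line would be the consistent form. The enclosing `let … in` and attribute set begin outside this hunk.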


@ -32,5 +32,6 @@ in
imports = [ imports = [
./caddy.nix ./caddy.nix
./kavita.nix ./kavita.nix
./pihole.nix
]; ];
} }

system/podman/pihole.nix Normal file

@ -0,0 +1,66 @@
{ config, lib, pkgs, ... }:
let
name = "pihole";
podman = config.profile.podman;
pihole = podman.pihole;
inherit (lib) mkIf;
gateway = "10.1.1.1";
subnet = "10.1.1.0/29";
ip = "10.1.1.3";
ip-range = "10.1.1.3/29";
image = "pihole/pihole:latest";
in
{
config = mkIf (podman.enable && pihole.enable) {
services.caddy.virtualHosts."pihole.tigor.web.id".extraConfig = ''
@root path /
redir @root /admin
reverse_proxy ${ip}:80
'';
sops.secrets."pihole/env" = {
sopsFile = ../../secrets/pihole.yaml;
};
systemd.services.create-kavita-network = {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
wantedBy = [ "podman-pihole.service" ];
script = ''${pkgs.podman}/bin/podman network exists ${name} || ${pkgs.podman}/bin/podman network create --gateway=${gateway} --subnet=${subnet} --ip-range=${ip-range} ${name}'';
};
virtualisation.oci-containers.containers.pihole = {
inherit image;
environment = {
TZ = "Asia/Jakarta";
PIHOLE_DNS_ = "192.168.100.5";
DHCP_START = "192.168.100.20";
DHCP_END = "192.168.100.254";
DHCP_ROUTER = "192.168.100.1";
};
ports = [
"192.168.100.4:53:53/udp"
"67:67/udp"
];
volumes = [
"pihole-etc:/etc/pihole"
"pihole-dnsmasq:/etc/dnsmasq.d"
];
environmentFiles = [
config.sops.secrets."pihole/env".path
];
extraOptions = [
"--ip=${ip}"
"--network=${name}"
"--cap-add=NET_ADMIN"
"--cap-add=NET_BIND_SERVICE"
"--cap-add=NET_RAW"
"--cap-add=SYS_NICE"
"--cap-add=CHOWN"
];
};
};
}
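Review bot: The oneshot that creates the `pihole` podman network is registered as `systemd.services.create-kavita-network`, which looks copied from kavita.nix; if that module defines a unit of the same name the module system will merge the two and their `script` strings will conflict at evaluation, and even if it does not, the name misleads — rename it to `systemd.services.create-pihole-network = {`. `image = "pihole/pihole:latest";` is a mutable tag, so every rebuild may silently pull a different image; pin it to a release tag or, better, a digest (`image = "pihole/pihole@sha256:<digest>";`, value to be filled from the registry) so upgrades are deliberate and the deployed container is reproducible. The container publishes DNS only as `"192.168.100.4:53:53/udp"`, yet responses larger than 512 bytes and DNSSEC-heavy answers fall back to TCP, so `"192.168.100.4:53:53/tcp"` should be published alongside it (and the firewall, which this commit opens only for UDP 53, needs the matching TCP entry). `"67:67/udp"` is published on all host addresses while nothing in this commit opens 67 in the NixOS firewall and the router at 192.168.100.1 presumably still serves DHCP, so whether the DHCP settings here take effect, or compete with the router, should be confirmed and documented next to the `DHCP_*` variables.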


@ -5,13 +5,13 @@ let
in in
{ {
config = mkIf cfg.enable { config = mkIf cfg.enable {
networking.resolvconf.useLocalResolver = true; networking.resolvconf.useLocalResolver = false;
networking.nameservers = [ "192.168.100.5" ];
services.stubby = { services.stubby = {
enable = true; enable = true;
settings = pkgs.stubby.passthru.settingsExample // { settings = pkgs.stubby.passthru.settingsExample // {
listen_addresses = [ listen_addresses = [
"0.0.0.0@53" "192.168.100.5"
"0::0"
]; ];
upstream_recursive_servers = [ upstream_recursive_servers = [
{ {