pihole: enabled and combined with stubby
This commit is contained in:
parent
2c91ce9e07
commit
73f22bea6a
|
@ -5,7 +5,8 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports =
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
[
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
|
@ -14,19 +15,21 @@
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803";
|
{
|
||||||
|
device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/47A1-0296";
|
{
|
||||||
|
device = "/dev/disk/by-uuid/47A1-0296";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
options = [ "fmask=0022" "dmask=0022" ];
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/nas" = {
|
fileSystems."/nas" = {
|
||||||
device = "/dev/disk/by-label/WD_RED_4T_1";
|
device = "/dev/disk/by-label/WD_RED_4T_1";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
@ -36,7 +39,24 @@
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
networking.useDHCP = lib.mkDefault true;
|
networking.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.enp9s0.useDHCP = lib.mkDefault true;
|
networking.defaultGateway = "192.168.100.1";
|
||||||
|
networking.interfaces.enp9s0 = {
|
||||||
|
useDHCP = false;
|
||||||
|
ipv4.addresses = [
|
||||||
|
{
|
||||||
|
address = "192.168.100.3";
|
||||||
|
prefixLength = 24;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
address = "192.168.100.4";
|
||||||
|
prefixLength = 24;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
address = "192.168.100.5";
|
||||||
|
prefixLength = 24;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
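Review bot: The three aliases on enp9s0 (.3, .4, .5) are added with nothing saying which service each one is reserved for, and this hunk is the only place they are declared. Elsewhere in this commit .4 is the address pihole publishes 53/udp on and .5 is where stubby listens and what `networking.nameservers` points at, so a reader of this file cannot tell why .3 exists or that .4 and .5 must not be handed to anything else. Add a comment above each entry, e.g. `# .4: pihole (podman port publish), .5: stubby forwarder — keep in sync with system/podman/pihole.nix and the stubby module`. Note also that `networking.useDHCP = lib.mkDefault true` is kept, so any other interface may still pick up a DHCP-provided resolver alongside the static `networking.nameservers` set in the stubby module — worth confirming that is intended.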
|
@ -4,5 +4,6 @@
|
||||||
enable = lib.mkEnableOption "podman";
|
enable = lib.mkEnableOption "podman";
|
||||||
caddy.enable = lib.mkEnableOption "caddy podman";
|
caddy.enable = lib.mkEnableOption "caddy podman";
|
||||||
kavita.enable = lib.mkEnableOption "kavita podman";
|
kavita.enable = lib.mkEnableOption "kavita podman";
|
||||||
|
pihole.enable = lib.mkEnableOption "pihole podman";
|
||||||
};
|
};
|
||||||
}
|
}
|
@ -23,11 +23,12 @@
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
podman = {
|
podman = {
|
||||||
enable = false;
|
enable = true;
|
||||||
|
pihole.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
docker = {
|
docker = {
|
||||||
enable = true;
|
enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
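--- a/secrets/pihole.yaml
+++ b/secrets/pihole.yaml
@@ -0,0 +1,22 @@
+pihole:
+    env: ENC[AES256_GCM,data:JLpWZwnefbu0mauukndehWjrsqjvnGdqKYev+UwqP3EoqG88o6c9,iv:u5iaBCjQdga/+O+/IN6dt86ElOO4sferh/BOnS/AXZw=,tag:4oRuUQJ8g11DkYGkRt6EPg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWFhuaFp4Zm5idmFXUGRO
+            RG9YbzV3WUdJcHRFWlpISE5GNzVRZEpILzFvCjJUQlFqeWFsNU15Y1pINWgvc2wz
+            OU82L3ZPdW9GY1dyaXV4dndIUmNGRzQKLS0tIGpYMGZQeFJMMlhYUGR5c3lkbng2
+            VlpjTVo3NlIzR0QrVGZNdWdORjVMVmMKIrSq+w9oB3UdOxGNbwabXrpgPSfys+zo
+            M79xEqCUZ30jmfpPvL2VUiD25Bq/iWyj3x8d1xVGxQqUOg23AMb9mA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-16T17:29:06Z"
+    mac: ENC[AES256_GCM,data:e4VrmU1OtVuTxIz56NIumSoLTN2PDCYk5+f8UhPZyTF9rH/hz78LxhbPEPLy4TqQpxZZw/cH8wUUTNXUsYRdlbeL+IIbsEcwzjEBWZCSu38gMj/bNhBNwKU/oAWoKHdAQJYxYe3xnyji1xMLZofDVGQv2i46AI1TMXjFBU9Lz6Q=,iv:ILLCVVWxEKgVqCLHGuDmVINdgh0T3oYimdBIeWvQ7PE=,tag:7yvr0eEciG8yOVrHk1eGeg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1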
@ -9,7 +9,9 @@
|
||||||
cfg = config.profile.networking.firewall;
|
cfg = config.profile.networking.firewall;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
enable = cfg.enable;
|
# enable = cfg.enable;
|
||||||
|
enable = true;
|
||||||
allowedTCPPorts = cfg.allowedTCPPorts;
|
allowedTCPPorts = cfg.allowedTCPPorts;
|
||||||
|
allowedUDPPorts = [ 53 ];
|
||||||
};
|
};
|
||||||
}
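Review bot: `enable = true;` replaces `enable = cfg.enable;`, so `profile.networking.firewall.enable` no longer controls anything and the old line is left behind as commented-out code rather than the option being removed or the override explained; restore `enable = cfg.enable;` (or delete the now-dead option) instead of hard-coding it. `allowedUDPPorts = [ 53 ];` opens DNS on every interface and address of the host, which turns stubby on 192.168.100.5 (bound in the stubby hunk of this commit) into a resolver any LAN client can use directly, bypassing pihole's blocklists; if stubby is meant to be pihole's upstream only, scope the rule to the bridge podman creates for the `pihole` network with `networking.firewall.interfaces.<bridge>.allowedUDPPorts = [ 53 ];` (confirm the bridge name with `podman network inspect`). TCP 53 is not opened at all, so any answer stubby has to deliver with TC set falls back to a transport the host rejects; if the pihole-to-stubby path traverses the host INPUT chain, this needs `allowedTCPPorts = cfg.allowedTCPPorts ++ [ 53 ];` with the same interface scoping.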
|
}
|
@ -32,5 +32,6 @@ in
|
||||||
imports = [
|
imports = [
|
||||||
./caddy.nix
|
./caddy.nix
|
||||||
./kavita.nix
|
./kavita.nix
|
||||||
|
./pihole.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
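--- a/system/podman/pihole.nix
+++ b/system/podman/pihole.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+let
+  name = "pihole";
+  podman = config.profile.podman;
+  pihole = podman.pihole;
+  inherit (lib) mkIf;
+  gateway = "10.1.1.1";
+  subnet = "10.1.1.0/29";
+  ip = "10.1.1.3";
+  ip-range = "10.1.1.3/29";
+  image = "pihole/pihole:latest";
+in
+{
+  config = mkIf (podman.enable && pihole.enable) {
+    services.caddy.virtualHosts."pihole.tigor.web.id".extraConfig = ''
+      @root path /
+      redir @root /admin
+      reverse_proxy ${ip}:80
+    '';
+
+    sops.secrets."pihole/env" = {
+      sopsFile = ../../secrets/pihole.yaml;
+    };
+
+
+    systemd.services.create-kavita-network = {
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      wantedBy = [ "podman-pihole.service" ];
+      script = ''${pkgs.podman}/bin/podman network exists ${name} || ${pkgs.podman}/bin/podman network create --gateway=${gateway} --subnet=${subnet} --ip-range=${ip-range} ${name}'';
+    };
+
+    virtualisation.oci-containers.containers.pihole = {
+      inherit image;
+      environment = {
+        TZ = "Asia/Jakarta";
+        PIHOLE_DNS_ = "192.168.100.5";
+        DHCP_START = "192.168.100.20";
+        DHCP_END = "192.168.100.254";
+        DHCP_ROUTER = "192.168.100.1";
+      };
+      ports = [
+        "192.168.100.4:53:53/udp"
+        "67:67/udp"
+      ];
+      volumes = [
+        "pihole-etc:/etc/pihole"
+        "pihole-dnsmasq:/etc/dnsmasq.d"
+      ];
+      environmentFiles = [
+        config.sops.secrets."pihole/env".path
+      ];
+      extraOptions = [
+        "--ip=${ip}"
+        "--network=${name}"
+        "--cap-add=NET_ADMIN"
+        "--cap-add=NET_BIND_SERVICE"
+        "--cap-add=NET_RAW"
+        "--cap-add=SYS_NICE"
+        "--cap-add=CHOWN"
+      ];
+    };
+  };
+}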
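Review bot: `systemd.services.create-kavita-network` is only `wantedBy` `podman-pihole.service`, which creates a Wants= link but no ordering, so on first boot the container can start before `podman network create` has run and fail with a missing `pihole` network; add `before = [ "podman-pihole.service" ];` (that unit is generated by the oci-containers module outside this file). The unit name is copied from kavita.nix — if kavita.nix declares the same `create-kavita-network`, the two `script` bodies are concatenated into one unit — so rename it `create-pihole-network`. `image = "pihole/pihole:latest"` is a mutable tag re-resolved on every pull; pin a version tag or `@sha256:` digest so the LAN's DNS/DHCP server cannot change underneath you. `reverse_proxy ${ip}:80` exposes the admin UI on `pihole.tigor.web.id` over the 80/443 ports the profile opens; if that name resolves publicly, put a caddy `remote_ip 192.168.100.0/24` matcher in front of it. Of the capabilities, NET_BIND_SERVICE and CHOWN are already in podman's default set, and NET_ADMIN/NET_RAW are tied to the DHCP role per pihole's FTL capability notes — which a bridge network with a published 67/udp presumably cannot serve, since DHCP discovery is broadcast — so either move the container to host networking for DHCP or drop `67:67/udp`, the `DHCP_*` variables and those two `--cap-add` lines.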
@ -5,13 +5,13 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
networking.resolvconf.useLocalResolver = true;
|
networking.resolvconf.useLocalResolver = false;
|
||||||
|
networking.nameservers = [ "192.168.100.5" ];
|
||||||
services.stubby = {
|
services.stubby = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = pkgs.stubby.passthru.settingsExample // {
|
settings = pkgs.stubby.passthru.settingsExample // {
|
||||||
listen_addresses = [
|
listen_addresses = [
|
||||||
"0.0.0.0@53"
|
"192.168.100.5"
|
||||||
"0::0"
|
|
||||||
];
|
];
|
||||||
upstream_recursive_servers = [
|
upstream_recursive_servers = [
|
||||||
{
|
{
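Review bot: Binding stubby to `192.168.100.5` ties the unit to an address enp9s0 only carries once the static configuration from this commit is applied; if the stubby unit starts before that, the bind fails and the whole chain (host via `networking.nameservers`, pihole via `PIHOLE_DNS_`) is down until a restart, so order it after the address is up or set `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;`. `networking.nameservers = [ "192.168.100.5" ]` sends the host's own lookups straight to stubby, skipping pihole's blocklists; if the host is meant to be filtered too, point it at the pihole publish address `192.168.100.4` instead (assuming locally generated traffic reaches the published port). Removing `"0::0"` without a replacement drops the IPv6 listener entirely, which is fine only if no client is IPv6-only — worth a one-line comment saying so. Write the port explicitly as `"192.168.100.5@53"` rather than relying on stubby's default. The `config = mkIf cfg.enable { … }` set this hunk edits continues past the last line shown.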
|