pihole: enabled and combined with stubby

2024-06-17 01:06:03 +07:00 · 2024-06-17 01:06:03 +07:00 · 73f22bea6a
parent 2c91ce9e07
commit 73f22bea6a
8 changed files with 125 additions and 12 deletions
--- a/hardware-configuration/homeserver.nix
+++ b/hardware-configuration/homeserver.nix
@ -5,7 +5,8 @@

 {
  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
@ -14,12 +15,14 @@
  boot.extraModulePackages = [ ];

  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803";
+    {
+      device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803";
      fsType = "ext4";
    };

  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/47A1-0296";
+    {
+      device = "/dev/disk/by-uuid/47A1-0296";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
@ -36,7 +39,24 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp9s0.useDHCP = lib.mkDefault true;
+  networking.defaultGateway = "192.168.100.1";
+  networking.interfaces.enp9s0 = {
+    useDHCP = false;
+    ipv4.addresses = [
+      {
+        address = "192.168.100.3";
+        prefixLength = 24;
+      }
+      {
+        address = "192.168.100.4";
+        prefixLength = 24;
+      }
+      {
+        address = "192.168.100.5";
+        prefixLength = 24;
+      }
+    ];
+  };

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
--- a/options/podman.nix
+++ b/options/podman.nix
@ -4,5 +4,6 @@
    enable = lib.mkEnableOption "podman";
    caddy.enable = lib.mkEnableOption "caddy podman";
    kavita.enable = lib.mkEnableOption "kavita podman";
+    pihole.enable = lib.mkEnableOption "pihole podman";
  };
 }
--- a/profiles/homeserver.nix
+++ b/profiles/homeserver.nix
@ -23,11 +23,12 @@
    networking.firewall.enable = true;
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    podman = {
-      enable = false;
+      enable = true;
+      pihole.enable = true;
    };

    docker = {
-      enable = true;
+      enable = false;
    };

    services = {
--- a/secrets/pihole.yaml
+++ b/secrets/pihole.yaml
@ -0,0 +1,22 @@
+pihole:
+    env: ENC[AES256_GCM,data:JLpWZwnefbu0mauukndehWjrsqjvnGdqKYev+UwqP3EoqG88o6c9,iv:u5iaBCjQdga/+O+/IN6dt86ElOO4sferh/BOnS/AXZw=,tag:4oRuUQJ8g11DkYGkRt6EPg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWFhuaFp4Zm5idmFXUGRO
+            RG9YbzV3WUdJcHRFWlpISE5GNzVRZEpILzFvCjJUQlFqeWFsNU15Y1pINWgvc2wz
+            OU82L3ZPdW9GY1dyaXV4dndIUmNGRzQKLS0tIGpYMGZQeFJMMlhYUGR5c3lkbng2
+            VlpjTVo3NlIzR0QrVGZNdWdORjVMVmMKIrSq+w9oB3UdOxGNbwabXrpgPSfys+zo
+            M79xEqCUZ30jmfpPvL2VUiD25Bq/iWyj3x8d1xVGxQqUOg23AMb9mA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-16T17:29:06Z"
+    mac: ENC[AES256_GCM,data:e4VrmU1OtVuTxIz56NIumSoLTN2PDCYk5+f8UhPZyTF9rH/hz78LxhbPEPLy4TqQpxZZw/cH8wUUTNXUsYRdlbeL+IIbsEcwzjEBWZCSu38gMj/bNhBNwKU/oAWoKHdAQJYxYe3xnyji1xMLZofDVGQv2i46AI1TMXjFBU9Lz6Q=,iv:ILLCVVWxEKgVqCLHGuDmVINdgh0T3oYimdBIeWvQ7PE=,tag:7yvr0eEciG8yOVrHk1eGeg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/system/modules/networking.nix
+++ b/system/modules/networking.nix
@ -9,7 +9,9 @@
      cfg = config.profile.networking.firewall;
    in
    {
-      enable = cfg.enable;
+      # enable = cfg.enable;
+      enable = true;
      allowedTCPPorts = cfg.allowedTCPPorts;
+      allowedUDPPorts = [ 53 ];
    };
 }
--- a/system/podman/default.nix
+++ b/system/podman/default.nix
@ -32,5 +32,6 @@ in
  imports = [
    ./caddy.nix
    ./kavita.nix
+    ./pihole.nix
  ];
 }
--- a/system/podman/pihole.nix
+++ b/system/podman/pihole.nix
@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+let
+  name = "pihole";
+  podman = config.profile.podman;
+  pihole = podman.pihole;
+  inherit (lib) mkIf;
+  gateway = "10.1.1.1";
+  subnet = "10.1.1.0/29";
+  ip = "10.1.1.3";
+  ip-range = "10.1.1.3/29";
+  image = "pihole/pihole:latest";
+in
+{
+  config = mkIf (podman.enable && pihole.enable) {
+    services.caddy.virtualHosts."pihole.tigor.web.id".extraConfig = ''
+      @root path /
+      redir @root /admin
+      reverse_proxy ${ip}:80
+    '';
+
+    sops.secrets."pihole/env" = {
+      sopsFile = ../../secrets/pihole.yaml;
+    };
+
+
+    systemd.services.create-kavita-network = {
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      wantedBy = [ "podman-pihole.service" ];
+      script = ''${pkgs.podman}/bin/podman network exists ${name} || ${pkgs.podman}/bin/podman network create --gateway=${gateway} --subnet=${subnet} --ip-range=${ip-range} ${name}'';
+    };
+
+    virtualisation.oci-containers.containers.pihole = {
+      inherit image;
+      environment = {
+        TZ = "Asia/Jakarta";
+        PIHOLE_DNS_ = "192.168.100.5";
+        DHCP_START = "192.168.100.20";
+        DHCP_END = "192.168.100.254";
+        DHCP_ROUTER = "192.168.100.1";
+      };
+      ports = [
+        "192.168.100.4:53:53/udp"
+        "67:67/udp"
+      ];
+      volumes = [
+        "pihole-etc:/etc/pihole"
+        "pihole-dnsmasq:/etc/dnsmasq.d"
+      ];
+      environmentFiles = [
+        config.sops.secrets."pihole/env".path
+      ];
+      extraOptions = [
+        "--ip=${ip}"
+        "--network=${name}"
+        "--cap-add=NET_ADMIN"
+        "--cap-add=NET_BIND_SERVICE"
+        "--cap-add=NET_RAW"
+        "--cap-add=SYS_NICE"
+        "--cap-add=CHOWN"
+      ];
+    };
+  };
+}
--- a/system/services/stubby.nix
+++ b/system/services/stubby.nix
@ -5,13 +5,13 @@ let
 in
 {
  config = mkIf cfg.enable {
-    networking.resolvconf.useLocalResolver = true;
+    networking.resolvconf.useLocalResolver = false;
+    networking.nameservers = [ "192.168.100.5" ];
    services.stubby = {
      enable = true;
      settings = pkgs.stubby.passthru.settingsExample // {
        listen_addresses = [
-          "0.0.0.0@53"
-          "0::0"
+          "192.168.100.5"
        ];
        upstream_recursive_servers = [
          {