pihole: enabled and combined with stubby
This commit is contained in:
parent
2c91ce9e07
commit
73f22bea6a
|
@ -5,7 +5,8 @@
|
|||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
||||
|
@ -14,12 +15,14 @@
|
|||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803";
|
||||
{
|
||||
device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/47A1-0296";
|
||||
{
|
||||
device = "/dev/disk/by-uuid/47A1-0296";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
@ -36,7 +39,24 @@
|
|||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp9s0.useDHCP = lib.mkDefault true;
|
||||
networking.defaultGateway = "192.168.100.1";
|
||||
networking.interfaces.enp9s0 = {
|
||||
useDHCP = false;
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.100.3";
|
||||
prefixLength = 24;
|
||||
}
|
||||
{
|
||||
address = "192.168.100.4";
|
||||
prefixLength = 24;
|
||||
}
|
||||
{
|
||||
address = "192.168.100.5";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
|
|
|
@ -4,5 +4,6 @@
|
|||
enable = lib.mkEnableOption "podman";
|
||||
caddy.enable = lib.mkEnableOption "caddy podman";
|
||||
kavita.enable = lib.mkEnableOption "kavita podman";
|
||||
pihole.enable = lib.mkEnableOption "pihole podman";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -23,11 +23,12 @@
|
|||
networking.firewall.enable = true;
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
podman = {
|
||||
enable = false;
|
||||
enable = true;
|
||||
pihole.enable = true;
|
||||
};
|
||||
|
||||
docker = {
|
||||
enable = true;
|
||||
enable = false;
|
||||
};
|
||||
|
||||
services = {
|
||||
|
|
22
secrets/pihole.yaml
Normal file
22
secrets/pihole.yaml
Normal file
|
@ -0,0 +1,22 @@
|
|||
pihole:
|
||||
env: ENC[AES256_GCM,data:JLpWZwnefbu0mauukndehWjrsqjvnGdqKYev+UwqP3EoqG88o6c9,iv:u5iaBCjQdga/+O+/IN6dt86ElOO4sferh/BOnS/AXZw=,tag:4oRuUQJ8g11DkYGkRt6EPg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWFhuaFp4Zm5idmFXUGRO
|
||||
RG9YbzV3WUdJcHRFWlpISE5GNzVRZEpILzFvCjJUQlFqeWFsNU15Y1pINWgvc2wz
|
||||
OU82L3ZPdW9GY1dyaXV4dndIUmNGRzQKLS0tIGpYMGZQeFJMMlhYUGR5c3lkbng2
|
||||
VlpjTVo3NlIzR0QrVGZNdWdORjVMVmMKIrSq+w9oB3UdOxGNbwabXrpgPSfys+zo
|
||||
M79xEqCUZ30jmfpPvL2VUiD25Bq/iWyj3x8d1xVGxQqUOg23AMb9mA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-16T17:29:06Z"
|
||||
mac: ENC[AES256_GCM,data:e4VrmU1OtVuTxIz56NIumSoLTN2PDCYk5+f8UhPZyTF9rH/hz78LxhbPEPLy4TqQpxZZw/cH8wUUTNXUsYRdlbeL+IIbsEcwzjEBWZCSu38gMj/bNhBNwKU/oAWoKHdAQJYxYe3xnyji1xMLZofDVGQv2i46AI1TMXjFBU9Lz6Q=,iv:ILLCVVWxEKgVqCLHGuDmVINdgh0T3oYimdBIeWvQ7PE=,tag:7yvr0eEciG8yOVrHk1eGeg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
|
@ -9,7 +9,9 @@
|
|||
cfg = config.profile.networking.firewall;
|
||||
in
|
||||
{
|
||||
enable = cfg.enable;
|
||||
# enable = cfg.enable;
|
||||
enable = true;
|
||||
allowedTCPPorts = cfg.allowedTCPPorts;
|
||||
allowedUDPPorts = [ 53 ];
|
||||
};
|
||||
}
|
||||
|
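Review bot: `enable = true;` with `# enable = cfg.enable;` commented out above it makes the firewall unconditional, so `config.profile.networking.firewall.enable` (read into `cfg` at the top of the hunk) becomes a silent no-op; either restore `enable = cfg.enable;` and set the option where the profile is enabled, or remove the option so the contract is honest. `allowedUDPPorts = [ 53 ];` opens DNS on every interface, and this same commit has stubby listen on `"0.0.0.0@53"`, so any non-LAN interface on the host would expose a resolver; scoping the rule with `networking.firewall.interfaces.enp9s0.allowedUDPPorts = [ 53 ];` limits it to the LAN interface declared in the hardware configuration. DNS clients fall back to TCP for truncated answers, so 53/tcp should be opened the same scoped way. The enclosing `networking.firewall` attribute set starts outside the hunk.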
|
|
@ -32,5 +32,6 @@ in
|
|||
imports = [
|
||||
./caddy.nix
|
||||
./kavita.nix
|
||||
./pihole.nix
|
||||
];
|
||||
}
|
||||
|
|
66
system/podman/pihole.nix
Normal file
66
system/podman/pihole.nix
Normal file
|
@ -0,0 +1,66 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
name = "pihole";
|
||||
podman = config.profile.podman;
|
||||
pihole = podman.pihole;
|
||||
inherit (lib) mkIf;
|
||||
gateway = "10.1.1.1";
|
||||
subnet = "10.1.1.0/29";
|
||||
ip = "10.1.1.3";
|
||||
ip-range = "10.1.1.3/29";
|
||||
image = "pihole/pihole:latest";
|
||||
in
|
||||
{
|
||||
config = mkIf (podman.enable && pihole.enable) {
|
||||
services.caddy.virtualHosts."pihole.tigor.web.id".extraConfig = ''
|
||||
@root path /
|
||||
redir @root /admin
|
||||
reverse_proxy ${ip}:80
|
||||
'';
|
||||
|
||||
sops.secrets."pihole/env" = {
|
||||
sopsFile = ../../secrets/pihole.yaml;
|
||||
};
|
||||
|
||||
|
||||
systemd.services.create-kavita-network = {
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
wantedBy = [ "podman-pihole.service" ];
|
||||
script = ''${pkgs.podman}/bin/podman network exists ${name} || ${pkgs.podman}/bin/podman network create --gateway=${gateway} --subnet=${subnet} --ip-range=${ip-range} ${name}'';
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers.pihole = {
|
||||
inherit image;
|
||||
environment = {
|
||||
TZ = "Asia/Jakarta";
|
||||
PIHOLE_DNS_ = "192.168.100.5";
|
||||
DHCP_START = "192.168.100.20";
|
||||
DHCP_END = "192.168.100.254";
|
||||
DHCP_ROUTER = "192.168.100.1";
|
||||
};
|
||||
ports = [
|
||||
"192.168.100.4:53:53/udp"
|
||||
"67:67/udp"
|
||||
];
|
||||
volumes = [
|
||||
"pihole-etc:/etc/pihole"
|
||||
"pihole-dnsmasq:/etc/dnsmasq.d"
|
||||
];
|
||||
environmentFiles = [
|
||||
config.sops.secrets."pihole/env".path
|
||||
];
|
||||
extraOptions = [
|
||||
"--ip=${ip}"
|
||||
"--network=${name}"
|
||||
"--cap-add=NET_ADMIN"
|
||||
"--cap-add=NET_BIND_SERVICE"
|
||||
"--cap-add=NET_RAW"
|
||||
"--cap-add=SYS_NICE"
|
||||
"--cap-add=CHOWN"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
|
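Review bot: The oneshot that creates the `${name}` network is declared as `systemd.services.create-kavita-network`, a unit name that looks copied from the kavita module; if kavita.nix declares the same unit, the two `script` definitions collide during module merging (or one silently wins and the other network is never created), so it should be `systemd.services."create-${name}-network" = {`. DNS is published only as `"192.168.100.4:53:53/udp"`; resolvers retry over TCP for truncated responses, so `"192.168.100.4:53:53/tcp"` belongs alongside it. `image = "pihole/pihole:latest";` is a mutable tag that makes the deployment non-reproducible and pulls whatever is current at activation time; pin a versioned tag (ideally with an `@sha256:` digest), and add a one-line comment per `--cap-add` entry stating which feature needs it, since NET_ADMIN, NET_RAW, SYS_NICE and CHOWN widen the container's privileges beyond the default set. Publishing `"67:67/udp"` on a bridge network is unlikely to deliver DHCP broadcasts to the container, and Pi-hole's documentation expects host or macvlan networking for its DHCP server, so the DHCP_START/DHCP_END/DHCP_ROUTER settings should be verified to actually take effect.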
@ -5,13 +5,13 @@ let
|
|||
in
|
||||
{
|
||||
config = mkIf cfg.enable {
|
||||
networking.resolvconf.useLocalResolver = true;
|
||||
networking.resolvconf.useLocalResolver = false;
|
||||
networking.nameservers = [ "192.168.100.5" ];
|
||||
services.stubby = {
|
||||
enable = true;
|
||||
settings = pkgs.stubby.passthru.settingsExample // {
|
||||
listen_addresses = [
|
||||
"0.0.0.0@53"
|
||||
"0::0"
|
||||
"192.168.100.5"
|
||||
];
|
||||
upstream_recursive_servers = [
|
||||
{
|
||||
|
|