Remove the pihole system

2023-01-09 19:15:30 +01:00 · 2023-01-09 19:15:30 +01:00 · 57eae5b15d
parent e5b8f43e9b
commit 57eae5b15d
7 changed files with 0 additions and 188 deletions
--- a/flake.nix
+++ b/flake.nix
@ -44,7 +44,6 @@
        mail = mksdImage "mail";
        management = mksdImage "management";
        nextcloud = mksdImage "nextcloud";
-        pihole = mksdImage "pihole";
        test-raspi = mksdImage "test-raspi";
        restic-server = mksdImage "restic-server";
        ttrss = mksdImage "ttrss";
@ -82,10 +81,6 @@
          hostname = "nextcloud";
          inherit custom;
        };
-        pihole = mkRaspi {
-          hostname = "pihole";
-          inherit custom;
-        };
        plex = mkRaspi {
          hostname = "plex";
          home-module = "plex";
--- a/modules/pihole/default.nix
+++ b/modules/pihole/default.nix
@ -1,42 +0,0 @@
-{ custom }: { config, ... }:
-let
-  service-name = "${config.virtualisation.oci-containers.backend}-pihole";
-in
-{
-  networking = {
-    firewall.allowedTCPPorts = [
-      53 # DNS
-      67 # DHCP
-      80 # Web Interface
-    ];
-    firewall.allowedUDPPorts = [
-      53 # DNS
-      67 # DHCP
-    ];
-  };
-  age.secrets.piholeEnv.file = "${custom.inputs.self}/scrts/pihole_env.age";
-  virtualisation.oci-containers = {
-    backend = "docker";
-    containers."pihole" = {
-      image = "pihole/pihole";
-      autoStart = true;
-      environment = {
-        TZ = "Europe/Zurich";
-        ServerIP = "10.7.89.2";
-        DNS1 = "127.0.0.1#5335"; # we're using the local unboud server here
-        RATE_LIMIT = "10000/60";
-      };
-      environmentFiles = [ config.age.secrets.piholeEnv.path ];
-      volumes = [
-        "/var/lib/pihole/etc-pihole:/etc/pihole/"
-        "/var/lib/pihole/etc-dnsmasq.d:/etc/dnsmasq.d/"
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-      extraOptions = [
-        "--network=host"
-        "--cap-add=NET_ADMIN"
-      ];
-    };
-  };
-  systemd.services.${service-name}.after = [ "unbound.service" ];
-}
--- a/modules/unbound/default.nix
+++ b/modules/unbound/default.nix
@ -1,70 +0,0 @@
-{ ... }:
-{
-  services.unbound = {
-    enable = true;
-    settings = {
-      server = {
-        verbosity = 0;
-        interface = "127.0.0.1";
-        port = 5335;
-        do-ip4 = true;
-        do-udp = true;
-        do-tcp = true;
-
-        # May be set to true; if you have IPv6 connectivity
-        do-ip6 = false;
-
-        # You want to leave this to false; unless you have *native* IPv6. With 6to4 and
-        # Terredo tunnels your web browser should favor IPv4 for the same reasons
-        prefer-ip6 = false;
-
-        # Use this only when you downloaded the list of primary root servers!
-        # If you use the default dns-root-data package, unbound will find it automatically
-        #root-hints: "/var/lib/unbound/root.hints"
-
-        # Trust glue only if it is within the server's authority
-        harden-glue = true;
-
-        # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
-        harden-dnssec-stripped = true;
-
-        # Don't use Capitalization randomization as it kfalse;wn to cause DNSSEC issues sometimes
-        # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
-        use-caps-for-id = false;
-
-        # Reduce EDNS reassembly buffer size.
-        # Suggested by the unbound man page to reduce fragmentation reassembly problems
-        edns-buffer-size = 1472;
-
-        # Perform prefetching of close to expired message cache entries
-        # This only applies to domains that have been frequently queried
-        prefetch = true;
-
-        # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
-        num-threads = 1;
-
-        # Ensure kernel buffer is large efalse;ugh to false;t lose messages in traffic spikes
-        so-rcvbuf = "1m";
-
-        # Ensure privacy of local IP ranges
-        private-address = [
-          "192.168.0.0/16"
-          "169.254.0.0/16"
-          "172.16.0.0/12"
-          "10.0.0.0/8"
-          "fd00::/8"
-          "fe80::/10"
-        ];
-
-        # Send minimum amount of information to upstream servers to enhance
-        # privacy. Only sends minimum required labels of the QNAME and sets
-        # QTYPE to NS when possible.
-
-        # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
-        # details.
-
-        qname-minimisation = true;
-      };
-    };
-  };
-}
--- a/scripts/remote_switch.sh
+++ b/scripts/remote_switch.sh
@ -7,7 +7,6 @@ skip=(
    "desktop-vm"
    "gwyn"
    "loki-test"
-    "pihole"
    "staubfinger"
    "test-raspi"
 )
@ -38,10 +37,3 @@ do
    echo
    echo
 done
-
-pihole="pihole.2li.local"
-echo $pihole
-nixos-rebuild switch -j auto --use-remote-sudo --build-host localhost --target-host $pihole --flake ".#pihole" &&
-if [ $reboot -eq 1 ]; then
-    ssh -i $rsa_key $pihole 'sudo reboot'
-fi
--- a/scrts/pihole_env.age
+++ b/scrts/pihole_env.age
@ -1,43 +0,0 @@
-age-encryption.org/v1
-> ssh-rsa 7S8lxw
-kZWSGmhYKeN+fJ+bCSmGEXSkbj0Eh8A7U5tEJzq8dd0Rt8a6gK6ihFuP+jvYR6dP
-jyQlf6NNM7YZCMKsB/0KXi1LkMRECO78MBs6Q3X+Cz5EUzwahOaYALJzondQqmHJ
-192xT3QR76vUdJDQ/stYzdl/a32AglQ7ihK6Bde4kvW4Sq+RNb/Ekrxy5IbJ+GKn
-PxRhRrNe/4/DmhUVAaamE4Tcri/rAvTvjJbrxwgf7lkyJiCz7IytYRNlB4Euzfs8
-QkZ5/17dnxLof0u0bwFWfmsnCVLBtyOnugXY2mYnkL5bUIfWzW1GK+F2oRsVBact
-9SIetHKGic3Nt1GF1E9fAnkHme4VcrT5SM50WQxQjQLXIVxOf94y1N24CL73SBtx
-ibB3ZLUXTlrUoiDxbtdyGUNpCwqF7LJ5p/MTtWe/G2cPwdNGH9NpM29mD/+Vg8D4
-YRnlecJVeoX6xXjvwj7o7keatwqiB5xfnBM1QS4i/4dIXTVOIfL6qsTJHainJaUf
-
-> ssh-rsa Ws+JZA
-SflGjJBXmjtS4zvExSNs7q4C74Q7gg+P+TSiYEWF51WrQOUTX2AYzOUmx1vnKSUN
-3EDqfeRwqPQWuymKcDI1EhTpGAahbh1BJg2WF0Pzg8P+v8zPIuj4y1T8C7HTPAQx
-xjEMBy/GxphH1bMCQd46o4wapfsfO1HjVMBnYledglny0INsp0CuG04p8KSVHzu3
-JwWDryWcYXb704ydp2c/NQNW6x4K6qorHlupSVuT4/TUh9LY+TZXkzRpxCZX6ZpO
-bBvV0cYYNocxwdaMOwk8ZOlSCOe/u6vh1v/+lwX5wT4mwRy3+4mrW1GGTLKZ01SS
-qUaHgy7Vtfk3vuGUMDJXs+AEdI2hnp6HXP8YBCE7y4rspI5i9Rtk9TkLfANKbwq2
-3EI47GEVHXWFd0y23GczodEbIbpElmXkUHwnB80NO1LMXJTjkadE3E1KKseqYOQI
-TEZJBDMSJ5youQV8lVqw6hYM8CkLb/4T+IxZwZZYD8EWU6jzfTbGKw3WZ20ai4ev
-
-> ssh-ed25519 skmU/w PkdtYP3oAJZ2fl3hQ+tkTJAShzdFfKHjLRkFn2T/wFE
-rknFouO27G8wg5e3GeJ/NVLPRucsx234BCQORWLs0Uk
-> ssh-ed25519 IjdJGQ z0v69Aemvh5IKfaHncSaIh3nHBFPFEqqwbwh/NVVMTc
-CJ6INtYhg2pwac4c3M/Sk/I2crsuUngktA1fWc/fCIA
-> ssh-ed25519 KXqA9w VM5jdbb2A8mUnmpE29CjpsK+g+L/d3zgB+q10j/v0G4
-i1QugX8+ydFrszSjAgZvbAA8A71yy/jNuJH8qOJv3xs
-> ssh-rsa KURlxQ
-ITQfAWqFdVig3Y1LkaYlyu3rZ8ihy+3NaT4jiFangtVx0H6e55LXIaB3KGdXUxxo
-kY1lDRPR0MvRZGB1hKD5b60Yjox5FqJZPhgZ4yREy/YwdAV6YgCOLjktm2GFkUaW
-Bn2ziII/b5vxnB+1i/IYEGoO22Csyam81t+lk3ZnqMzXXKcEZnDOQKH6ZrGamLWI
-OrEsVjNl+DL/1ft8aO5YtaO5taDj9LvjZJ6V1vSBYnkieAVTmaFxl+QTmy4uYLcK
-wdTYKo551OClrjQ2f9jXtmwtqRhMSNBETD/mWZg/q0sm/cRo0XWR0m8AUBeLJNKt
-fSUh8JLr5aakhbeyadZ4HkrEGpr0GlaXswCcIxqNcvDr4xLBy6QKCizJHh5st/zS
-mgJh2UwuQ6p2+KQhYU0viOScEPG0TnRLG9u9ecvZU0iepwEAG6kLB4GEPTBTtzFs
-RQ5HkUSLK1+fwYdgNwnn11AKyuqJoJyr66XpG/+EDQZ1Vwc9grGwyCjeH3EBQiBZ
-
-> ssh-ed25519 OytffA x1fwsr5bhoCrIzfXz4EolNyTU05GyL/x0f+pxvCg5zo
-+68XgmaK9ovOXe0VwDt8KHd38T6Ja8z5vLyR3ksv2tE
-> .-grease ~ <=
-9CXakBVvFBnqlVA
--- JHF+GS3FdcW6PcsMR8BmKF2t+RIP98wD4IQHaKaZHiY
-VÔ1¿!ð<>|å#µ–ùæ[dE»qêfC<66>FÕrÏ3Œ“Gµ#	<09>ìÀrˆÇé‹ú>9ÒÆA
--- a/scrts/secrets.nix
+++ b/scrts/secrets.nix
@ -10,7 +10,6 @@ let
  management = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENM7fUohjQY2BfkjCwMJ/hZzneBynREusTXBLX5LVnD";
  nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHASRPSKyADQUBe6lQEo8EHixPwktbHQjAPX24GIoWwg";
  nixos-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOcmWE9b7GQKOOq61gYLdFA5uZ+hhpBYePmmdRDGwIVu";
-  pihole = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN25V7+3R6AhcJwcmx/dxK/O3x1kNpuVj5Gxttar9pNX";
  plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDAp4qkxNLabAuwRSKjD1e7nNZ0QuB+BO2VxcYpdfr/X";
  proxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACtJWes3zBh0Hs0BEC2ZC+9+ddLALlzuAxyNjLgf5Fh";
  staubfinger = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcmDv8tnbuykX/0cUK+FnPD5YSjf/8wmsjWxqtXKuTYy1dtLS+Dx9X/LGS9GS1gd/LzYX+r9Kw1a4HfAz0+iinUaL/glbfGFm593BlS9jJaBz8nWV+pz3sJRj1GQ5oiKxN9bg+oNu8hZVpIqhMTpH7HkqgU5IWJfaVB5oNXaCCK7emh3fuJeqvQkKABumqji7eNr5la9qhc/XvI7O9aIc1sB05SVF+2TqYcZVpjMc27A3eSbS7+YXiOuP4I+51l9p7dH4Q1M9LB4+90XRP7DGA6kMwQ+cFTWMrFWwMy3NvaA9PnR2g3viNhbU7wLC+r6wCdS/Xu81HWwuXI/9lBScfZbxXIzfprjCUr4uifWevlTusYtgV0t1JJuWjefm8l/Sb+oJKEcGH/gxioM/pJCQiAcwoMVZRqZsNzYerNJ85VIKViuQhkek5A9EJsYhT1sOrQHYPGE+CReycwyswheXSnJ/VtkbyxRzu+q1573yfZgV5PVi8EUBI4i+gyvmz47E=";
@ -24,7 +23,6 @@ let
    management
    nextcloud
    nixos-vm
-    pihole
    plex
    proxy
    restic-server
@ -37,7 +35,6 @@ in
  "gitea_env.age".publicKeys = defaultKeys ++ [ git ];
  "infomaniak_env.age".publicKeys = all;
  "nextcloud_env.age".publicKeys = defaultKeys ++ [ nextcloud ];
-  "pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];
  "personal_email.key.age".publicKeys = defaultKeys;
  "plex_claim.age".publicKeys = defaultKeys ++ [ plex ];
  "restic.key.age".publicKeys = all;
--- a/systems/pihole/default.nix
+++ b/systems/pihole/default.nix
@ -1,17 +0,0 @@
-{ custom, hostname }: { pkgs, ... }:
-{
-  imports = [
-    (import "${custom.inputs.self}/systems/raspi4" {
-      ip = "10.7.89.2";
-      inherit custom hostname;
-    })
-    (import "${custom.inputs.self}/modules/restic-client-server" {
-      path = "/var/lib/pihole";
-      tag = "pihole";
-      time = "02:00"; inherit custom;
-    })
-    (import "${custom.inputs.self}/modules/docker" { inherit custom; })
-    (import "${custom.inputs.self}/modules/pihole" { inherit custom; })
-    "${custom.inputs.self}/modules/unbound"
-  ];
-}