Remove the pihole system
This commit is contained in:
parent
e5b8f43e9b
commit
57eae5b15d
|
@ -44,7 +44,6 @@
|
|||
mail = mksdImage "mail";
|
||||
management = mksdImage "management";
|
||||
nextcloud = mksdImage "nextcloud";
|
||||
pihole = mksdImage "pihole";
|
||||
test-raspi = mksdImage "test-raspi";
|
||||
restic-server = mksdImage "restic-server";
|
||||
ttrss = mksdImage "ttrss";
|
||||
|
@ -82,10 +81,6 @@
|
|||
hostname = "nextcloud";
|
||||
inherit custom;
|
||||
};
|
||||
pihole = mkRaspi {
|
||||
hostname = "pihole";
|
||||
inherit custom;
|
||||
};
|
||||
plex = mkRaspi {
|
||||
hostname = "plex";
|
||||
home-module = "plex";
|
||||
|
|
|
@ -1,42 +0,0 @@
|
|||
{ custom }: { config, ... }:
|
||||
let
|
||||
service-name = "${config.virtualisation.oci-containers.backend}-pihole";
|
||||
in
|
||||
{
|
||||
networking = {
|
||||
firewall.allowedTCPPorts = [
|
||||
53 # DNS
|
||||
67 # DHCP
|
||||
80 # Web Interface
|
||||
];
|
||||
firewall.allowedUDPPorts = [
|
||||
53 # DNS
|
||||
67 # DHCP
|
||||
];
|
||||
};
|
||||
age.secrets.piholeEnv.file = "${custom.inputs.self}/scrts/pihole_env.age";
|
||||
virtualisation.oci-containers = {
|
||||
backend = "docker";
|
||||
containers."pihole" = {
|
||||
image = "pihole/pihole";
|
||||
autoStart = true;
|
||||
environment = {
|
||||
TZ = "Europe/Zurich";
|
||||
ServerIP = "10.7.89.2";
|
||||
DNS1 = "127.0.0.1#5335"; # we're using the local unboud server here
|
||||
RATE_LIMIT = "10000/60";
|
||||
};
|
||||
environmentFiles = [ config.age.secrets.piholeEnv.path ];
|
||||
volumes = [
|
||||
"/var/lib/pihole/etc-pihole:/etc/pihole/"
|
||||
"/var/lib/pihole/etc-dnsmasq.d:/etc/dnsmasq.d/"
|
||||
"/etc/localtime:/etc/localtime:ro"
|
||||
];
|
||||
extraOptions = [
|
||||
"--network=host"
|
||||
"--cap-add=NET_ADMIN"
|
||||
];
|
||||
};
|
||||
};
|
||||
systemd.services.${service-name}.after = [ "unbound.service" ];
|
||||
}
|
|
@ -1,70 +0,0 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.unbound = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server = {
|
||||
verbosity = 0;
|
||||
interface = "127.0.0.1";
|
||||
port = 5335;
|
||||
do-ip4 = true;
|
||||
do-udp = true;
|
||||
do-tcp = true;
|
||||
|
||||
# May be set to true; if you have IPv6 connectivity
|
||||
do-ip6 = false;
|
||||
|
||||
# You want to leave this to false; unless you have *native* IPv6. With 6to4 and
|
||||
# Terredo tunnels your web browser should favor IPv4 for the same reasons
|
||||
prefer-ip6 = false;
|
||||
|
||||
# Use this only when you downloaded the list of primary root servers!
|
||||
# If you use the default dns-root-data package, unbound will find it automatically
|
||||
#root-hints: "/var/lib/unbound/root.hints"
|
||||
|
||||
# Trust glue only if it is within the server's authority
|
||||
harden-glue = true;
|
||||
|
||||
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
|
||||
harden-dnssec-stripped = true;
|
||||
|
||||
# Don't use Capitalization randomization as it kfalse;wn to cause DNSSEC issues sometimes
|
||||
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
|
||||
use-caps-for-id = false;
|
||||
|
||||
# Reduce EDNS reassembly buffer size.
|
||||
# Suggested by the unbound man page to reduce fragmentation reassembly problems
|
||||
edns-buffer-size = 1472;
|
||||
|
||||
# Perform prefetching of close to expired message cache entries
|
||||
# This only applies to domains that have been frequently queried
|
||||
prefetch = true;
|
||||
|
||||
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
|
||||
num-threads = 1;
|
||||
|
||||
# Ensure kernel buffer is large efalse;ugh to false;t lose messages in traffic spikes
|
||||
so-rcvbuf = "1m";
|
||||
|
||||
# Ensure privacy of local IP ranges
|
||||
private-address = [
|
||||
"192.168.0.0/16"
|
||||
"169.254.0.0/16"
|
||||
"172.16.0.0/12"
|
||||
"10.0.0.0/8"
|
||||
"fd00::/8"
|
||||
"fe80::/10"
|
||||
];
|
||||
|
||||
# Send minimum amount of information to upstream servers to enhance
|
||||
# privacy. Only sends minimum required labels of the QNAME and sets
|
||||
# QTYPE to NS when possible.
|
||||
|
||||
# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
|
||||
# details.
|
||||
|
||||
qname-minimisation = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -7,7 +7,6 @@ skip=(
|
|||
"desktop-vm"
|
||||
"gwyn"
|
||||
"loki-test"
|
||||
"pihole"
|
||||
"staubfinger"
|
||||
"test-raspi"
|
||||
)
|
||||
|
@ -38,10 +37,3 @@ do
|
|||
echo
|
||||
echo
|
||||
done
|
||||
|
||||
pihole="pihole.2li.local"
|
||||
echo $pihole
|
||||
nixos-rebuild switch -j auto --use-remote-sudo --build-host localhost --target-host $pihole --flake ".#pihole" &&
|
||||
if [ $reboot -eq 1 ]; then
|
||||
ssh -i $rsa_key $pihole 'sudo reboot'
|
||||
fi
|
||||
|
|
|
@ -1,43 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa 7S8lxw
|
||||
kZWSGmhYKeN+fJ+bCSmGEXSkbj0Eh8A7U5tEJzq8dd0Rt8a6gK6ihFuP+jvYR6dP
|
||||
jyQlf6NNM7YZCMKsB/0KXi1LkMRECO78MBs6Q3X+Cz5EUzwahOaYALJzondQqmHJ
|
||||
192xT3QR76vUdJDQ/stYzdl/a32AglQ7ihK6Bde4kvW4Sq+RNb/Ekrxy5IbJ+GKn
|
||||
PxRhRrNe/4/DmhUVAaamE4Tcri/rAvTvjJbrxwgf7lkyJiCz7IytYRNlB4Euzfs8
|
||||
QkZ5/17dnxLof0u0bwFWfmsnCVLBtyOnugXY2mYnkL5bUIfWzW1GK+F2oRsVBact
|
||||
9SIetHKGic3Nt1GF1E9fAnkHme4VcrT5SM50WQxQjQLXIVxOf94y1N24CL73SBtx
|
||||
ibB3ZLUXTlrUoiDxbtdyGUNpCwqF7LJ5p/MTtWe/G2cPwdNGH9NpM29mD/+Vg8D4
|
||||
YRnlecJVeoX6xXjvwj7o7keatwqiB5xfnBM1QS4i/4dIXTVOIfL6qsTJHainJaUf
|
||||
|
||||
-> ssh-rsa Ws+JZA
|
||||
SflGjJBXmjtS4zvExSNs7q4C74Q7gg+P+TSiYEWF51WrQOUTX2AYzOUmx1vnKSUN
|
||||
3EDqfeRwqPQWuymKcDI1EhTpGAahbh1BJg2WF0Pzg8P+v8zPIuj4y1T8C7HTPAQx
|
||||
xjEMBy/GxphH1bMCQd46o4wapfsfO1HjVMBnYledglny0INsp0CuG04p8KSVHzu3
|
||||
JwWDryWcYXb704ydp2c/NQNW6x4K6qorHlupSVuT4/TUh9LY+TZXkzRpxCZX6ZpO
|
||||
bBvV0cYYNocxwdaMOwk8ZOlSCOe/u6vh1v/+lwX5wT4mwRy3+4mrW1GGTLKZ01SS
|
||||
qUaHgy7Vtfk3vuGUMDJXs+AEdI2hnp6HXP8YBCE7y4rspI5i9Rtk9TkLfANKbwq2
|
||||
3EI47GEVHXWFd0y23GczodEbIbpElmXkUHwnB80NO1LMXJTjkadE3E1KKseqYOQI
|
||||
TEZJBDMSJ5youQV8lVqw6hYM8CkLb/4T+IxZwZZYD8EWU6jzfTbGKw3WZ20ai4ev
|
||||
|
||||
-> ssh-ed25519 skmU/w PkdtYP3oAJZ2fl3hQ+tkTJAShzdFfKHjLRkFn2T/wFE
|
||||
rknFouO27G8wg5e3GeJ/NVLPRucsx234BCQORWLs0Uk
|
||||
-> ssh-ed25519 IjdJGQ z0v69Aemvh5IKfaHncSaIh3nHBFPFEqqwbwh/NVVMTc
|
||||
CJ6INtYhg2pwac4c3M/Sk/I2crsuUngktA1fWc/fCIA
|
||||
-> ssh-ed25519 KXqA9w VM5jdbb2A8mUnmpE29CjpsK+g+L/d3zgB+q10j/v0G4
|
||||
i1QugX8+ydFrszSjAgZvbAA8A71yy/jNuJH8qOJv3xs
|
||||
-> ssh-rsa KURlxQ
|
||||
ITQfAWqFdVig3Y1LkaYlyu3rZ8ihy+3NaT4jiFangtVx0H6e55LXIaB3KGdXUxxo
|
||||
kY1lDRPR0MvRZGB1hKD5b60Yjox5FqJZPhgZ4yREy/YwdAV6YgCOLjktm2GFkUaW
|
||||
Bn2ziII/b5vxnB+1i/IYEGoO22Csyam81t+lk3ZnqMzXXKcEZnDOQKH6ZrGamLWI
|
||||
OrEsVjNl+DL/1ft8aO5YtaO5taDj9LvjZJ6V1vSBYnkieAVTmaFxl+QTmy4uYLcK
|
||||
wdTYKo551OClrjQ2f9jXtmwtqRhMSNBETD/mWZg/q0sm/cRo0XWR0m8AUBeLJNKt
|
||||
fSUh8JLr5aakhbeyadZ4HkrEGpr0GlaXswCcIxqNcvDr4xLBy6QKCizJHh5st/zS
|
||||
mgJh2UwuQ6p2+KQhYU0viOScEPG0TnRLG9u9ecvZU0iepwEAG6kLB4GEPTBTtzFs
|
||||
RQ5HkUSLK1+fwYdgNwnn11AKyuqJoJyr66XpG/+EDQZ1Vwc9grGwyCjeH3EBQiBZ
|
||||
|
||||
-> ssh-ed25519 OytffA x1fwsr5bhoCrIzfXz4EolNyTU05GyL/x0f+pxvCg5zo
|
||||
+68XgmaK9ovOXe0VwDt8KHd38T6Ja8z5vLyR3ksv2tE
|
||||
-> .-grease ~ <=
|
||||
9CXakBVvFBnqlVA
|
||||
--- JHF+GS3FdcW6PcsMR8BmKF2t+RIP98wD4IQHaKaZHiY
|
||||
VÔ1¿!ð<>|å#µ–ùæ[dE»qêfC<66>FÕrÏ3Œ“Gµ# <09>ìÀrˆÇé‹ú>9ÒÆA
|
|
@ -10,7 +10,6 @@ let
|
|||
management = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENM7fUohjQY2BfkjCwMJ/hZzneBynREusTXBLX5LVnD";
|
||||
nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHASRPSKyADQUBe6lQEo8EHixPwktbHQjAPX24GIoWwg";
|
||||
nixos-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOcmWE9b7GQKOOq61gYLdFA5uZ+hhpBYePmmdRDGwIVu";
|
||||
pihole = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN25V7+3R6AhcJwcmx/dxK/O3x1kNpuVj5Gxttar9pNX";
|
||||
plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDAp4qkxNLabAuwRSKjD1e7nNZ0QuB+BO2VxcYpdfr/X";
|
||||
proxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACtJWes3zBh0Hs0BEC2ZC+9+ddLALlzuAxyNjLgf5Fh";
|
||||
staubfinger = "ssh-rsa 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";
|
||||
|
@ -24,7 +23,6 @@ let
|
|||
management
|
||||
nextcloud
|
||||
nixos-vm
|
||||
pihole
|
||||
plex
|
||||
proxy
|
||||
restic-server
|
||||
|
@ -37,7 +35,6 @@ in
|
|||
"gitea_env.age".publicKeys = defaultKeys ++ [ git ];
|
||||
"infomaniak_env.age".publicKeys = all;
|
||||
"nextcloud_env.age".publicKeys = defaultKeys ++ [ nextcloud ];
|
||||
"pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];
|
||||
"personal_email.key.age".publicKeys = defaultKeys;
|
||||
"plex_claim.age".publicKeys = defaultKeys ++ [ plex ];
|
||||
"restic.key.age".publicKeys = all;
|
||||
|
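Review bot: Dropping `pihole` from the key list (second hunk) and removing `"pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];` (third hunk) shrinks the recipient set, but every existing `.age` file that was encrypted under the old set stays decryptable by the removed host key until it is re-encrypted. The entries `"infomaniak_env.age".publicKeys = all;` and `"restic.key.age".publicKeys = all;` are visible in this hunk, and the list `management … restic-server` in the second hunk looks like the one feeding `all`, though its name is outside the hunk; if so, the commit should be followed by an agenix rekey (`agenix -r`) so the decommissioned host's private key no longer unlocks shared secrets. The deleted `pihole_env.age` ciphertext and the removed public key also remain in git history, which is acceptable for the ciphertext itself but is a reason to rotate whatever that env file contained if the host's disk is not wiped.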
|
|
@ -1,17 +0,0 @@
|
|||
{ custom, hostname }: { pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
(import "${custom.inputs.self}/systems/raspi4" {
|
||||
ip = "10.7.89.2";
|
||||
inherit custom hostname;
|
||||
})
|
||||
(import "${custom.inputs.self}/modules/restic-client-server" {
|
||||
path = "/var/lib/pihole";
|
||||
tag = "pihole";
|
||||
time = "02:00"; inherit custom;
|
||||
})
|
||||
(import "${custom.inputs.self}/modules/docker" { inherit custom; })
|
||||
(import "${custom.inputs.self}/modules/pihole" { inherit custom; })
|
||||
"${custom.inputs.self}/modules/unbound"
|
||||
];
|
||||
}
|