diff --git a/flake.nix b/flake.nix
index 6da0cdb..eb4b539 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,7 +44,6 @@
 mail = mksdImage "mail";
 management = mksdImage "management";
 nextcloud = mksdImage "nextcloud";
- pihole = mksdImage "pihole";
 test-raspi = mksdImage "test-raspi";
 restic-server = mksdImage "restic-server";
 ttrss = mksdImage "ttrss";
@@ -82,10 +81,6 @@
 hostname = "nextcloud";
 inherit custom;
 };
- pihole = mkRaspi {
- hostname = "pihole";
- inherit custom;
- };
 plex = mkRaspi {
 hostname = "plex";
 home-module = "plex";
diff --git a/modules/pihole/default.nix b/modules/pihole/default.nix
deleted file mode 100644
index ca3fc4b..0000000
--- a/modules/pihole/default.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ custom }: { config, ... }:
-let
- service-name = "${config.virtualisation.oci-containers.backend}-pihole";
-in
-{
- networking = {
- firewall.allowedTCPPorts = [
- 53 # DNS
- 67 # DHCP
- 80 # Web Interface
- ];
- firewall.allowedUDPPorts = [
- 53 # DNS
- 67 # DHCP
- ];
- };
- age.secrets.piholeEnv.file = "${custom.inputs.self}/scrts/pihole_env.age";
- virtualisation.oci-containers = {
- backend = "docker";
- containers."pihole" = {
- image = "pihole/pihole";
- autoStart = true;
- environment = {
- TZ = "Europe/Zurich";
- ServerIP = "10.7.89.2";
- DNS1 = "127.0.0.1#5335"; # we're using the local unboud server here
- RATE_LIMIT = "10000/60";
- };
- environmentFiles = [ config.age.secrets.piholeEnv.path ];
- volumes = [
- "/var/lib/pihole/etc-pihole:/etc/pihole/"
- "/var/lib/pihole/etc-dnsmasq.d:/etc/dnsmasq.d/"
- "/etc/localtime:/etc/localtime:ro"
- ];
- extraOptions = [
- "--network=host"
- "--cap-add=NET_ADMIN"
- ];
- };
- };
- systemd.services.${service-name}.after = [ "unbound.service" ];
-}
diff --git a/modules/unbound/default.nix b/modules/unbound/default.nix
deleted file mode 100644
index 6f0c059..0000000
--- a/modules/unbound/default.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ ... }:
-{
- services.unbound = {
- enable = true;
- settings = {
- server = {
- verbosity = 0;
- interface = "127.0.0.1";
- port = 5335;
- do-ip4 = true;
- do-udp = true;
- do-tcp = true;
-
- # May be set to true; if you have IPv6 connectivity
- do-ip6 = false;
-
- # You want to leave this to false; unless you have *native* IPv6. With 6to4 and
- # Terredo tunnels your web browser should favor IPv4 for the same reasons
- prefer-ip6 = false;
-
- # Use this only when you downloaded the list of primary root servers!
- # If you use the default dns-root-data package, unbound will find it automatically
- #root-hints: "/var/lib/unbound/root.hints"
-
- # Trust glue only if it is within the server's authority
- harden-glue = true;
-
- # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
- harden-dnssec-stripped = true;
-
- # Don't use Capitalization randomization as it kfalse;wn to cause DNSSEC issues sometimes
- # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
- use-caps-for-id = false;
-
- # Reduce EDNS reassembly buffer size.
- # Suggested by the unbound man page to reduce fragmentation reassembly problems
- edns-buffer-size = 1472;
-
- # Perform prefetching of close to expired message cache entries
- # This only applies to domains that have been frequently queried
- prefetch = true;
-
- # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
- num-threads = 1;
-
- # Ensure kernel buffer is large efalse;ugh to false;t lose messages in traffic spikes
- so-rcvbuf = "1m";
-
- # Ensure privacy of local IP ranges
- private-address = [
- "192.168.0.0/16"
- "169.254.0.0/16"
- "172.16.0.0/12"
- "10.0.0.0/8"
- "fd00::/8"
- "fe80::/10"
- ];
-
- # Send minimum amount of information to upstream servers to enhance
- # privacy. Only sends minimum required labels of the QNAME and sets
- # QTYPE to NS when possible.
-
- # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
- # details.
-
- qname-minimisation = true;
- };
- };
- };
-}
diff --git a/scripts/remote_switch.sh b/scripts/remote_switch.sh
index bccf5a8..a035622 100755
--- a/scripts/remote_switch.sh
+++ b/scripts/remote_switch.sh
@@ -7,7 +7,6 @@ skip=(
 "desktop-vm"
 "gwyn"
 "loki-test"
- "pihole"
 "staubfinger"
 "test-raspi"
 )
@@ -38,10 +37,3 @@ do
 echo
 echo
 done
-
-pihole="pihole.2li.local"
-echo $pihole
-nixos-rebuild switch -j auto --use-remote-sudo --build-host localhost --target-host $pihole --flake ".#pihole" &&
-if [ $reboot -eq 1 ]; then
- ssh -i $rsa_key $pihole 'sudo reboot'
-fi
diff --git a/scrts/pihole_env.age b/scrts/pihole_env.age
deleted file mode 100644
index e48a377..0000000
--- a/scrts/pihole_env.age
+++ /dev/null
@@ -1,43 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa 7S8lxw
-kZWSGmhYKeN+fJ+bCSmGEXSkbj0Eh8A7U5tEJzq8dd0Rt8a6gK6ihFuP+jvYR6dP
-jyQlf6NNM7YZCMKsB/0KXi1LkMRECO78MBs6Q3X+Cz5EUzwahOaYALJzondQqmHJ
-192xT3QR76vUdJDQ/stYzdl/a32AglQ7ihK6Bde4kvW4Sq+RNb/Ekrxy5IbJ+GKn
-PxRhRrNe/4/DmhUVAaamE4Tcri/rAvTvjJbrxwgf7lkyJiCz7IytYRNlB4Euzfs8
-QkZ5/17dnxLof0u0bwFWfmsnCVLBtyOnugXY2mYnkL5bUIfWzW1GK+F2oRsVBact
-9SIetHKGic3Nt1GF1E9fAnkHme4VcrT5SM50WQxQjQLXIVxOf94y1N24CL73SBtx
-ibB3ZLUXTlrUoiDxbtdyGUNpCwqF7LJ5p/MTtWe/G2cPwdNGH9NpM29mD/+Vg8D4
-YRnlecJVeoX6xXjvwj7o7keatwqiB5xfnBM1QS4i/4dIXTVOIfL6qsTJHainJaUf
-
--> ssh-rsa Ws+JZA
-SflGjJBXmjtS4zvExSNs7q4C74Q7gg+P+TSiYEWF51WrQOUTX2AYzOUmx1vnKSUN
-3EDqfeRwqPQWuymKcDI1EhTpGAahbh1BJg2WF0Pzg8P+v8zPIuj4y1T8C7HTPAQx
-xjEMBy/GxphH1bMCQd46o4wapfsfO1HjVMBnYledglny0INsp0CuG04p8KSVHzu3
-JwWDryWcYXb704ydp2c/NQNW6x4K6qorHlupSVuT4/TUh9LY+TZXkzRpxCZX6ZpO
-bBvV0cYYNocxwdaMOwk8ZOlSCOe/u6vh1v/+lwX5wT4mwRy3+4mrW1GGTLKZ01SS
-qUaHgy7Vtfk3vuGUMDJXs+AEdI2hnp6HXP8YBCE7y4rspI5i9Rtk9TkLfANKbwq2
-3EI47GEVHXWFd0y23GczodEbIbpElmXkUHwnB80NO1LMXJTjkadE3E1KKseqYOQI
-TEZJBDMSJ5youQV8lVqw6hYM8CkLb/4T+IxZwZZYD8EWU6jzfTbGKw3WZ20ai4ev
-
--> ssh-ed25519 skmU/w PkdtYP3oAJZ2fl3hQ+tkTJAShzdFfKHjLRkFn2T/wFE
-rknFouO27G8wg5e3GeJ/NVLPRucsx234BCQORWLs0Uk
--> ssh-ed25519 IjdJGQ z0v69Aemvh5IKfaHncSaIh3nHBFPFEqqwbwh/NVVMTc
-CJ6INtYhg2pwac4c3M/Sk/I2crsuUngktA1fWc/fCIA
--> ssh-ed25519 KXqA9w VM5jdbb2A8mUnmpE29CjpsK+g+L/d3zgB+q10j/v0G4
-i1QugX8+ydFrszSjAgZvbAA8A71yy/jNuJH8qOJv3xs
--> ssh-rsa KURlxQ
-ITQfAWqFdVig3Y1LkaYlyu3rZ8ihy+3NaT4jiFangtVx0H6e55LXIaB3KGdXUxxo
-kY1lDRPR0MvRZGB1hKD5b60Yjox5FqJZPhgZ4yREy/YwdAV6YgCOLjktm2GFkUaW
-Bn2ziII/b5vxnB+1i/IYEGoO22Csyam81t+lk3ZnqMzXXKcEZnDOQKH6ZrGamLWI
-OrEsVjNl+DL/1ft8aO5YtaO5taDj9LvjZJ6V1vSBYnkieAVTmaFxl+QTmy4uYLcK
-wdTYKo551OClrjQ2f9jXtmwtqRhMSNBETD/mWZg/q0sm/cRo0XWR0m8AUBeLJNKt
-fSUh8JLr5aakhbeyadZ4HkrEGpr0GlaXswCcIxqNcvDr4xLBy6QKCizJHh5st/zS
-mgJh2UwuQ6p2+KQhYU0viOScEPG0TnRLG9u9ecvZU0iepwEAG6kLB4GEPTBTtzFs
-RQ5HkUSLK1+fwYdgNwnn11AKyuqJoJyr66XpG/+EDQZ1Vwc9grGwyCjeH3EBQiBZ
-
--> ssh-ed25519 OytffA x1fwsr5bhoCrIzfXz4EolNyTU05GyL/x0f+pxvCg5zo
-+68XgmaK9ovOXe0VwDt8KHd38T6Ja8z5vLyR3ksv2tE
--> .-grease ~ <=
-9CXakBVvFBnqlVA
---- JHF+GS3FdcW6PcsMR8BmKF2t+RIP98wD4IQHaKaZHiY
-VÔ1¿!ð|å#µ–ùæ[dE»qêfCFÕrÏ3Œ“Gµ# ìÀrˆÇé‹ú>9ÒÆA
\ No newline at end of file
diff --git a/scrts/secrets.nix b/scrts/secrets.nix
index f98eda4..fdbd890 100644
--- a/scrts/secrets.nix
+++ b/scrts/secrets.nix
@@ -10,7 +10,6 @@ let
 management = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENM7fUohjQY2BfkjCwMJ/hZzneBynREusTXBLX5LVnD";
 nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHASRPSKyADQUBe6lQEo8EHixPwktbHQjAPX24GIoWwg";
 nixos-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOcmWE9b7GQKOOq61gYLdFA5uZ+hhpBYePmmdRDGwIVu";
- pihole = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN25V7+3R6AhcJwcmx/dxK/O3x1kNpuVj5Gxttar9pNX";
 plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDAp4qkxNLabAuwRSKjD1e7nNZ0QuB+BO2VxcYpdfr/X";
 proxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACtJWes3zBh0Hs0BEC2ZC+9+ddLALlzuAxyNjLgf5Fh";
 staubfinger = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcmDv8tnbuykX/0cUK+FnPD5YSjf/8wmsjWxqtXKuTYy1dtLS+Dx9X/LGS9GS1gd/LzYX+r9Kw1a4HfAz0+iinUaL/glbfGFm593BlS9jJaBz8nWV+pz3sJRj1GQ5oiKxN9bg+oNu8hZVpIqhMTpH7HkqgU5IWJfaVB5oNXaCCK7emh3fuJeqvQkKABumqji7eNr5la9qhc/XvI7O9aIc1sB05SVF+2TqYcZVpjMc27A3eSbS7+YXiOuP4I+51l9p7dH4Q1M9LB4+90XRP7DGA6kMwQ+cFTWMrFWwMy3NvaA9PnR2g3viNhbU7wLC+r6wCdS/Xu81HWwuXI/9lBScfZbxXIzfprjCUr4uifWevlTusYtgV0t1JJuWjefm8l/Sb+oJKEcGH/gxioM/pJCQiAcwoMVZRqZsNzYerNJ85VIKViuQhkek5A9EJsYhT1sOrQHYPGE+CReycwyswheXSnJ/VtkbyxRzu+q1573yfZgV5PVi8EUBI4i+gyvmz47E=";
@@ -24,7 +23,6 @@ let
 management
 nextcloud
 nixos-vm
- pihole
 plex
 proxy
 restic-server
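Review bot: Dropping `pihole` from the recipient list in hunk `@@ -24,7 +23,6 @@` changes which keys future encryptions use, but it does not re-encrypt the secrets that were already sealed to the old set; assuming this list is `all`, `infomaniak_env.age` and `restic.key.age` (`publicKeys = all` in the following hunk) stay decryptable by the retired pihole host key, and no other .age file is touched by this commit. Rekey the affected files with the updated recipient set in the same change (agenix's rekey) so the removal actually takes effect. If the pihole SD image or its host private key still exists anywhere, the secrets it could open should be considered exposed and rotated rather than only losing a recipient entry.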
@@ -37,7 +35,6 @@ in
 "gitea_env.age".publicKeys = defaultKeys ++ [ git ];
 "infomaniak_env.age".publicKeys = all;
 "nextcloud_env.age".publicKeys = defaultKeys ++ [ nextcloud ];
- "pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];
 "personal_email.key.age".publicKeys = defaultKeys;
 "plex_claim.age".publicKeys = defaultKeys ++ [ plex ];
 "restic.key.age".publicKeys = all;
diff --git a/systems/pihole/default.nix b/systems/pihole/default.nix
deleted file mode 100644
index 95f81cc..0000000
--- a/systems/pihole/default.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ custom, hostname }: { pkgs, ... }:
-{
- imports = [
- (import "${custom.inputs.self}/systems/raspi4" {
- ip = "10.7.89.2";
- inherit custom hostname;
- })
- (import "${custom.inputs.self}/modules/restic-client-server" {
- path = "/var/lib/pihole";
- tag = "pihole";
- time = "02:00"; inherit custom;
- })
- (import "${custom.inputs.self}/modules/docker" { inherit custom; })
- (import "${custom.inputs.self}/modules/pihole" { inherit custom; })
- "${custom.inputs.self}/modules/unbound"
- ];
-}