Remove the pihole system
This commit is contained in:
parent
e5b8f43e9b
commit
57eae5b15d
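--- a/PATH-NOT-SHOWN-hosts
+++ b/PATH-NOT-SHOWN-hosts
@@ -44,7 +44,6 @@
 mail = mksdImage "mail";
 management = mksdImage "management";
 nextcloud = mksdImage "nextcloud";
-pihole = mksdImage "pihole";
 test-raspi = mksdImage "test-raspi";
 restic-server = mksdImage "restic-server";
 ttrss = mksdImage "ttrss";
@@ -82,10 +81,6 @@
 hostname = "nextcloud";
 inherit custom;
 };
-pihole = mkRaspi {
-hostname = "pihole";
-inherit custom;
-};
 plex = mkRaspi {
 hostname = "plex";
 home-module = "plex";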
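--- a/PATH-NOT-SHOWN-pihole-module
+++ /dev/null
@@ -1,42 +0,0 @@
-{ custom }: { config, ... }:
-let
-service-name = "${config.virtualisation.oci-containers.backend}-pihole";
-in
-{
-networking = {
-firewall.allowedTCPPorts = [
-53 # DNS
-67 # DHCP
-80 # Web Interface
-];
-firewall.allowedUDPPorts = [
-53 # DNS
-67 # DHCP
-];
-};
-age.secrets.piholeEnv.file = "${custom.inputs.self}/scrts/pihole_env.age";
-virtualisation.oci-containers = {
-backend = "docker";
-containers."pihole" = {
-image = "pihole/pihole";
-autoStart = true;
-environment = {
-TZ = "Europe/Zurich";
-ServerIP = "10.7.89.2";
-DNS1 = "127.0.0.1#5335"; # we're using the local unboud server here
-RATE_LIMIT = "10000/60";
-};
-environmentFiles = [ config.age.secrets.piholeEnv.path ];
-volumes = [
-"/var/lib/pihole/etc-pihole:/etc/pihole/"
-"/var/lib/pihole/etc-dnsmasq.d:/etc/dnsmasq.d/"
-"/etc/localtime:/etc/localtime:ro"
-];
-extraOptions = [
-"--network=host"
-"--cap-add=NET_ADMIN"
-];
-};
-};
-systemd.services.${service-name}.after = [ "unbound.service" ];
-}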
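--- a/PATH-NOT-SHOWN-unbound-module
+++ /dev/null
@@ -1,70 +0,0 @@
-{ ... }:
-{
-services.unbound = {
-enable = true;
-settings = {
-server = {
-verbosity = 0;
-interface = "127.0.0.1";
-port = 5335;
-do-ip4 = true;
-do-udp = true;
-do-tcp = true;
-
-# May be set to true; if you have IPv6 connectivity
-do-ip6 = false;
-
-# You want to leave this to false; unless you have *native* IPv6. With 6to4 and
-# Terredo tunnels your web browser should favor IPv4 for the same reasons
-prefer-ip6 = false;
-
-# Use this only when you downloaded the list of primary root servers!
-# If you use the default dns-root-data package, unbound will find it automatically
-#root-hints: "/var/lib/unbound/root.hints"
-
-# Trust glue only if it is within the server's authority
-harden-glue = true;
-
-# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
-harden-dnssec-stripped = true;
-
-# Don't use Capitalization randomization as it kfalse;wn to cause DNSSEC issues sometimes
-# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
-use-caps-for-id = false;
-
-# Reduce EDNS reassembly buffer size.
-# Suggested by the unbound man page to reduce fragmentation reassembly problems
-edns-buffer-size = 1472;
-
-# Perform prefetching of close to expired message cache entries
-# This only applies to domains that have been frequently queried
-prefetch = true;
-
-# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
-num-threads = 1;
-
-# Ensure kernel buffer is large efalse;ugh to false;t lose messages in traffic spikes
-so-rcvbuf = "1m";
-
-# Ensure privacy of local IP ranges
-private-address = [
-"192.168.0.0/16"
-"169.254.0.0/16"
-"172.16.0.0/12"
-"10.0.0.0/8"
-"fd00::/8"
-"fe80::/10"
-];
-
-# Send minimum amount of information to upstream servers to enhance
-# privacy. Only sends minimum required labels of the QNAME and sets
-# QTYPE to NS when possible.
-
-# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
-# details.
-
-qname-minimisation = true;
-};
-};
-};
-}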
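--- a/PATH-NOT-SHOWN-deploy-script
+++ b/PATH-NOT-SHOWN-deploy-script
@@ -7,7 +7,6 @@ skip=(
 "desktop-vm"
 "gwyn"
 "loki-test"
-"pihole"
 "staubfinger"
 "test-raspi"
 )
@@ -38,10 +37,3 @@ do
 echo
 echo
 done
-
-pihole="pihole.2li.local"
-echo $pihole
-nixos-rebuild switch -j auto --use-remote-sudo --build-host localhost --target-host $pihole --flake ".#pihole" &&
-if [ $reboot -eq 1 ]; then
-ssh -i $rsa_key $pihole 'sudo reboot'
-fi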
@ -1,43 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-rsa 7S8lxw
|
|
||||||
kZWSGmhYKeN+fJ+bCSmGEXSkbj0Eh8A7U5tEJzq8dd0Rt8a6gK6ihFuP+jvYR6dP
|
|
||||||
jyQlf6NNM7YZCMKsB/0KXi1LkMRECO78MBs6Q3X+Cz5EUzwahOaYALJzondQqmHJ
|
|
||||||
192xT3QR76vUdJDQ/stYzdl/a32AglQ7ihK6Bde4kvW4Sq+RNb/Ekrxy5IbJ+GKn
|
|
||||||
PxRhRrNe/4/DmhUVAaamE4Tcri/rAvTvjJbrxwgf7lkyJiCz7IytYRNlB4Euzfs8
|
|
||||||
QkZ5/17dnxLof0u0bwFWfmsnCVLBtyOnugXY2mYnkL5bUIfWzW1GK+F2oRsVBact
|
|
||||||
9SIetHKGic3Nt1GF1E9fAnkHme4VcrT5SM50WQxQjQLXIVxOf94y1N24CL73SBtx
|
|
||||||
ibB3ZLUXTlrUoiDxbtdyGUNpCwqF7LJ5p/MTtWe/G2cPwdNGH9NpM29mD/+Vg8D4
|
|
||||||
YRnlecJVeoX6xXjvwj7o7keatwqiB5xfnBM1QS4i/4dIXTVOIfL6qsTJHainJaUf
|
|
||||||
|
|
||||||
-> ssh-rsa Ws+JZA
|
|
||||||
SflGjJBXmjtS4zvExSNs7q4C74Q7gg+P+TSiYEWF51WrQOUTX2AYzOUmx1vnKSUN
|
|
||||||
3EDqfeRwqPQWuymKcDI1EhTpGAahbh1BJg2WF0Pzg8P+v8zPIuj4y1T8C7HTPAQx
|
|
||||||
xjEMBy/GxphH1bMCQd46o4wapfsfO1HjVMBnYledglny0INsp0CuG04p8KSVHzu3
|
|
||||||
JwWDryWcYXb704ydp2c/NQNW6x4K6qorHlupSVuT4/TUh9LY+TZXkzRpxCZX6ZpO
|
|
||||||
bBvV0cYYNocxwdaMOwk8ZOlSCOe/u6vh1v/+lwX5wT4mwRy3+4mrW1GGTLKZ01SS
|
|
||||||
qUaHgy7Vtfk3vuGUMDJXs+AEdI2hnp6HXP8YBCE7y4rspI5i9Rtk9TkLfANKbwq2
|
|
||||||
3EI47GEVHXWFd0y23GczodEbIbpElmXkUHwnB80NO1LMXJTjkadE3E1KKseqYOQI
|
|
||||||
TEZJBDMSJ5youQV8lVqw6hYM8CkLb/4T+IxZwZZYD8EWU6jzfTbGKw3WZ20ai4ev
|
|
||||||
|
|
||||||
-> ssh-ed25519 skmU/w PkdtYP3oAJZ2fl3hQ+tkTJAShzdFfKHjLRkFn2T/wFE
|
|
||||||
rknFouO27G8wg5e3GeJ/NVLPRucsx234BCQORWLs0Uk
|
|
||||||
-> ssh-ed25519 IjdJGQ z0v69Aemvh5IKfaHncSaIh3nHBFPFEqqwbwh/NVVMTc
|
|
||||||
CJ6INtYhg2pwac4c3M/Sk/I2crsuUngktA1fWc/fCIA
|
|
||||||
-> ssh-ed25519 KXqA9w VM5jdbb2A8mUnmpE29CjpsK+g+L/d3zgB+q10j/v0G4
|
|
||||||
i1QugX8+ydFrszSjAgZvbAA8A71yy/jNuJH8qOJv3xs
|
|
||||||
-> ssh-rsa KURlxQ
|
|
||||||
ITQfAWqFdVig3Y1LkaYlyu3rZ8ihy+3NaT4jiFangtVx0H6e55LXIaB3KGdXUxxo
|
|
||||||
kY1lDRPR0MvRZGB1hKD5b60Yjox5FqJZPhgZ4yREy/YwdAV6YgCOLjktm2GFkUaW
|
|
||||||
Bn2ziII/b5vxnB+1i/IYEGoO22Csyam81t+lk3ZnqMzXXKcEZnDOQKH6ZrGamLWI
|
|
||||||
OrEsVjNl+DL/1ft8aO5YtaO5taDj9LvjZJ6V1vSBYnkieAVTmaFxl+QTmy4uYLcK
|
|
||||||
wdTYKo551OClrjQ2f9jXtmwtqRhMSNBETD/mWZg/q0sm/cRo0XWR0m8AUBeLJNKt
|
|
||||||
fSUh8JLr5aakhbeyadZ4HkrEGpr0GlaXswCcIxqNcvDr4xLBy6QKCizJHh5st/zS
|
|
||||||
mgJh2UwuQ6p2+KQhYU0viOScEPG0TnRLG9u9ecvZU0iepwEAG6kLB4GEPTBTtzFs
|
|
||||||
RQ5HkUSLK1+fwYdgNwnn11AKyuqJoJyr66XpG/+EDQZ1Vwc9grGwyCjeH3EBQiBZ
|
|
||||||
|
|
||||||
-> ssh-ed25519 OytffA x1fwsr5bhoCrIzfXz4EolNyTU05GyL/x0f+pxvCg5zo
|
|
||||||
+68XgmaK9ovOXe0VwDt8KHd38T6Ja8z5vLyR3ksv2tE
|
|
||||||
-> .-grease ~ <=
|
|
||||||
9CXakBVvFBnqlVA
|
|
||||||
--- JHF+GS3FdcW6PcsMR8BmKF2t+RIP98wD4IQHaKaZHiY
|
|
||||||
VÔ1¿!ð<>|å#µ–ùæ[dE»qêfC<66>FÕrÏ3Œ“Gµ# <09>ìÀrˆÇé‹ú>9ÒÆA
|
|
|
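--- a/PATH-NOT-SHOWN-secrets
+++ b/PATH-NOT-SHOWN-secrets
@@ -10,7 +10,6 @@ let
 management = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENM7fUohjQY2BfkjCwMJ/hZzneBynREusTXBLX5LVnD";
 nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHASRPSKyADQUBe6lQEo8EHixPwktbHQjAPX24GIoWwg";
 nixos-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOcmWE9b7GQKOOq61gYLdFA5uZ+hhpBYePmmdRDGwIVu";
-pihole = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN25V7+3R6AhcJwcmx/dxK/O3x1kNpuVj5Gxttar9pNX";
 plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDAp4qkxNLabAuwRSKjD1e7nNZ0QuB+BO2VxcYpdfr/X";
 proxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACtJWes3zBh0Hs0BEC2ZC+9+ddLALlzuAxyNjLgf5Fh";
 staubfinger = "ssh-rsa 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";
@@ -24,7 +23,6 @@ let
 management
 nextcloud
 nixos-vm
-pihole
 plex
 proxy
 restic-server
@@ -37,7 +35,6 @@ in
 "gitea_env.age".publicKeys = defaultKeys ++ [ git ];
 "infomaniak_env.age".publicKeys = all;
 "nextcloud_env.age".publicKeys = defaultKeys ++ [ nextcloud ];
-"pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];
 "personal_email.key.age".publicKeys = defaultKeys;
 "restic.key.age".publicKeys = all;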
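Review bot: Removing `pihole` from the recipient list at `@ -24,7 +23,6 @@` and dropping the `"pihole_env.age"` entry only changes which keys future encryptions target; every `.age` file already encrypted to that host key stays decryptable by it until the files are rekeyed, and the commit shows no rekey. This matters for the secrets declared with `publicKeys = all` (`infomaniak_env.age`, `restic.key.age`) if the edited list is what `all` is built from — the `let` binding that names that list begins outside the hunk, so this is inferred. The removal should be followed by re-encrypting the remaining secrets with the tooling that produces these files (the `age.secrets` usage elsewhere in the commit suggests agenix), and since the decommissioned host could read the shared values, rotating those secrets is worth considering. A one-line comment above the recipient list, `# removing a key here does not rekey existing .age files; rekey after edits`, would make that expectation explicit for the next edit.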
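--- a/PATH-NOT-SHOWN-pihole-system
+++ /dev/null
@@ -1,17 +0,0 @@
-{ custom, hostname }: { pkgs, ... }:
-{
-imports = [
-(import "${custom.inputs.self}/systems/raspi4" {
-ip = "10.7.89.2";
-inherit custom hostname;
-})
-(import "${custom.inputs.self}/modules/restic-client-server" {
-path = "/var/lib/pihole";
-tag = "pihole";
-time = "02:00"; inherit custom;
-})
-(import "${custom.inputs.self}/modules/docker" { inherit custom; })
-(import "${custom.inputs.self}/modules/pihole" { inherit custom; })
-"${custom.inputs.self}/modules/unbound"
-];
-}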