add pihole and recursive dns

2024-11-11 16:09:48 -06:00
parent 9c10fa694d
commit f1a1e11992
8 changed files with 180 additions and 24 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -1385,11 +1385,11 @@
      "locked": {
        "lastModified": 1,
        "narHash": "sha256-swUtIf1jN3XSE4xExChj4M5rBWCSs08qqxXsJu1tZYs=",
-        "path": "/nix/store/9a8cd5lszck766cn37snl7w5qjf34a4l-source/home-manager",
+        "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/home-manager",
        "type": "path"
      },
      "original": {
-        "path": "/nix/store/9a8cd5lszck766cn37snl7w5qjf34a4l-source/home-manager",
+        "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/home-manager",
        "type": "path"
      }
    },
@@ -2066,11 +2066,11 @@
      "locked": {
        "lastModified": 1,
        "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=",
-        "path": "/nix/store/ya16wzrcrapfiml8wwygxaqpqvjqc32c-source/programs",
+        "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/programs",
        "type": "path"
      },
      "original": {
-        "path": "/nix/store/ya16wzrcrapfiml8wwygxaqpqvjqc32c-source/programs",
+        "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/programs",
        "type": "path"
      }
    },
@@ -2142,11 +2142,11 @@
      "locked": {
        "lastModified": 1,
        "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=",
-        "path": "/nix/store/ya16wzrcrapfiml8wwygxaqpqvjqc32c-source/services/sddm",
+        "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/services/sddm",
        "type": "path"
      },
      "original": {
-        "path": "/nix/store/ya16wzrcrapfiml8wwygxaqpqvjqc32c-source/services/sddm",
+        "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/services/sddm",
        "type": "path"
      }
    },
@@ -2213,12 +2213,12 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-a6apb0B+Ob0NtnxKA/Qsvc25wCwXz+AQRZeYw/7HBQc=",
-        "path": "/nix/store/9a8cd5lszck766cn37snl7w5qjf34a4l-source/system-config",
+        "narHash": "sha256-+lpkyF/b2w9P0vWDZdkv42PIlOxICLWdCms+U9HkH+4=",
+        "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/system-config",
        "type": "path"
      },
      "original": {
-        "path": "/nix/store/9a8cd5lszck766cn37snl7w5qjf34a4l-source/system-config",
+        "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/system-config",
        "type": "path"
      }
    },
--- a/system-config/configuration/homebox/default.nix
+++ b/system-config/configuration/homebox/default.nix
@@ -167,6 +167,7 @@
      "/var/lib/bluetooth"
      "/var/lib/nixos"
      "/var/lib/systemd/coredump"
+      "/var/lib/docker"
      "/etc/NetworkManager/system-connections"
    ];
    files = [
@@ -190,6 +191,7 @@

            "authentik/pass" = {};
            "authentik/secret_key" = {};
+            "pihole/pass" = {};
        };
    };

@@ -243,8 +245,12 @@

            authentik.enable = true;

+            jellyfin.enable = true;
+
            "blunkall.us".enable = true;

+            pihole.enable = true;
+            
            gitlab.enable = false;
        };
    };
--- a/system-config/configuration/homebox/secrets/secrets.yaml
+++ b/system-config/configuration/homebox/secrets/secrets.yaml
@@ -3,6 +3,8 @@ nathan:
 authentik:
    pass: ENC[AES256_GCM,data:pTjpwRgdUVU5543T199P7Zoy,iv:93WpIK6qq+A1LhaQdBvMQ4jzuAOmMUt575y/p8m8Ugk=,tag:jTg/JED3vpdOVHF8LdIyLg==,type:str]
    secret_key: ENC[AES256_GCM,data:tIWDGtB/z7Ysizz9FPQJe2EeSTAxDPkeHJnaDfytDvbqvRaiCgg7qGpEF6hAQFdZ,iv:gloup5aI0qY+SYJt8V6lvUdE+18IWH09BXtz8dRi6JE=,tag:vFwF9h1Rsa/X1bjvdSRSfQ==,type:str]
+pihole:
+    pass: ENC[AES256_GCM,data:hintZA==,iv:HA5K8mHYlLtf5s8iaLI/QRolYgcKwG8DWCH+LXnWI4k=,tag:DlnXxG0n9dBVpk2kILlPKg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -18,8 +20,8 @@ sops:
            S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M
            8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-10T15:37:25Z"
-    mac: ENC[AES256_GCM,data:8xtyW9Kp8ND/lojNIPwNdhw82zdfBQSQoiti7nvbZ9ubk0PIAzrxyRXFqZ7C+Lf+QX0qyC5ZWZBRF8SnuldqWaI3jGSfZsPNq8r4Nd0XD+I2ImDHTfVNtZBawgDc2QXd2YvOibgp6FkRJ7xAkJSmgxO0S/Q6l4pms/KvNlCkV4Q=,iv:v6M4n/wxcowY0jCObmpuA+yz+xe1LbKyYud/fT0YZJc=,tag:WW1aqb+f4EPxBJ9h1yzBRQ==,type:str]
+    lastmodified: "2024-11-11T17:49:35Z"
+    mac: ENC[AES256_GCM,data:sjv2jD36o02RWeuDcEnUbUGRiAVvH/Gv+TJw9sIydaMT3uSJklRZ3pct71NZQerxi0WLJLimjLJMJQjL65VzrCzA8oU1KT3cawUo1val3/9OUxcrFln9EOdm3569X4/iU+44cAn8Tz68kO2Cq4BxtyESMEpTv4WdKSCnAydZmTg=,iv:u7EHrQ4GfXIRzb0f0YN9a8J1HLEoHPNA7/mb2dh3hR4=,tag:PQOAqCF8fyjd26qsesC3gw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/system-config/services/containers/authentik/default.nix
+++ b/system-config/services/containers/authentik/default.nix
@@ -8,7 +8,7 @@

    config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable {

-        sops.templates.".env" = {
+        sops.templates."authentik.env" = {
            content = ''
                POSTGRES_DB=authentik-db
                POSTGRES_USER=authentik-admin
--- a/system-config/services/containers/default.nix
+++ b/system-config/services/containers/default.nix
@@ -6,5 +6,7 @@
 #        ./authentik-nix
        ./authentik
        ./nginx
+        ./jellyfin
+        ./pihole
    ];
 }
--- a/system-config/services/containers/jellyfin/default.nix
+++ b/system-config/services/containers/jellyfin/default.nix
@@ -0,0 +1,37 @@
+{ config, lib, ... }: {
+
+    options.sysconfig.opts.virtualization.jellyfin.enable = lib.options.mkOption {
+        type = lib.types.bool;
+        default = false;
+    };
+
+    config = lib.mkIf config.sysconfig.opts.virtualization.jellyfin.enable {
+
+        containers.jellyfin = {
+
+            autoStart = true;
+            privateNetwork = true;
+            hostAddress = "192.168.100.10";
+            localAddress = "192.168.100.14";
+
+            bindMounts = {
+                "/etc/jellyfin" = {
+                    hostPath = "/ssd1/Jellyfin";
+                    isReadOnly = false;
+                };
+            };
+
+            config = {
+                
+                services.jellyfin = {
+                    
+                    enable = true;
+                    dataDir = "/etc/jellyfin/data";
+                    configDir = "/etc/jellyfin/config";
+                    logDir = "/etc/jellyfin/log";
+                    openFirewall = true;
+                };
+            };
+        };
+    };
+}
--- a/system-config/services/containers/pihole/default.nix
+++ b/system-config/services/containers/pihole/default.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }: {
+
+    options.sysconfig.opts.virtualization.pihole.enable = lib.options.mkOption {
+        type = lib.types.bool;
+        default = false;
+    };
+
+    config = lib.mkIf config.sysconfig.opts.virtualization.pihole.enable {
+        
+        sops.templates."pihole.env" = {
+            content = ''
+                WEBPASSWORD=${config.sops.placeholder."pihole/pass"}
+            '';
+
+            path = "/ssd1/Pihole/.env";
+        };
+        systemd.services.launchPihole = {
+
+            enable = true;
+            
+            wantedBy = [ "multi-user.target" ];
+
+            script = ''
+                cd /ssd1/Pihole
+                ${pkgs.docker-compose}/bin/docker-compose up
+            '';
+        };
+
+        containers.unbound = {
+            
+            autoStart = true;
+            privateNetwork = true;
+            hostAddress = "192.168.100.10";
+            localAddress = "192.168.100.15";
+
+            config = {
+                
+                services.unbound = {
+                    enable = true;
+                    
+                    settings = {
+                        server = {
+                            interface = [ "127.0.0.1" ];
+
+                            port = 5335;
+
+                            do-ipv4 = "yes";
+
+                            do-udp = "yes";
+
+                            do-tcp = "yes";
+
+                            do-ipv6 = "no";
+
+                            perfer-ipv6 = "no";
+
+                            harden-glue = "yes";
+
+                            harden-dnssec-stripped = "yes";
+
+                            use-caps-for-id = "no";
+
+                            edns-buffer-size = 1232;
+
+                            prefetch = "yes";
+
+                            num-threads = 1;
+
+                            so-rcvbuf = "1m";
+
+                            private-address = [ 
+                                "192.168.0.0/16"
+                                "169.254.0.0/16"
+                                "172.16.0.0/12"
+                                "10.0.0.0/8"
+                                "fd00::/8"
+                                "fe80::/10"
+                            ];
+                        };
+                    };
+                };
+            };
+        };
+    };
+}
--- a/system-config/services/containers/traefik/default.nix
+++ b/system-config/services/containers/traefik/default.nix
@@ -14,9 +14,9 @@
            hostAddress = "192.168.100.10";
            localAddress = "192.168.100.11";
            forwardPorts = [
-            {
-            containerPort = 80;
-            hostPort = 80;
+                {
+                    containerPort = 80;
+                    hostPort = 80;
                }
                {
                    containerPort = 443;
@@ -87,7 +87,13 @@
                            websecure = {
                                address = ":443";
                                asDefault = true;
-                                http.tls.certResolver = "cloudflare";
+                                http.tls = {
+                                    certResolver = "cloudflare";
+                                    domains = {
+                                        main = "blunkall.us";
+                                        sans = [ "*.blunkall.us" "blunkall.us" ];
+                                    };
+                                };
                            };
                        };
                        log = {
@@ -119,33 +125,48 @@
                    dynamicConfigOptions = {
                        http = {
                            routers = {
-                                homepageSecure = {
+                                 homepageSecure = {
                                    entryPoints = [ "localsecure" "websecure" ];
                                    rule = "Host(`blunkall.us`) || Host(`www.blunkall.us`)";
                                    service = "homepage";
                                    middlewares = [
                                        "authentik"
                                    ];
-                                    tls = {
+                                    /*tls = {
                                        certResolver = "cloudflare";
                                        domains = {
                                            main = "blunkall.us";
-                                            sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
+                                            sans = [ "*.blunkall.us" ];
                                        };
-                                    };
+                                    };*/
+                                };
+                                jellyfin = {
+                                    entryPoints = [ "localsecure" "websecure" ];
+                                    rule = "Host(`jellyfin.blunkall.us`)";
+                                    service = "jellyfin";
+                                    /*middlewares = [
+                                        "authentik"
+                                    ];*/
+                                    /*tls = {
+                                        certResolver = "cloudflare";
+                                        domains = {
+                                            main = "blunkall.us";
+                                            sans = [ "*.blunkall.us" ];
+                                        };
+                                    };*/
                                };

                                auth = {
                                    entryPoints = [ "localsecure" "websecure" ];
                                    rule = "Host(`auth.blunkall.us`)";
                                    service = "authentik";
-                                    tls = {
+                                    /*tls = {
                                        certResolver = "cloudflare";
                                        domains = {
-                                            main = "auth.blunkall.us";
-                                            sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
+                                            main = "blunkall.us";
+                                            sans = [ "*.blunkall.us" ];
                                        };
-                                    };
+                                    };*/
                                };

                                /*gitlab = {
@@ -200,6 +221,8 @@

                                homepage.loadBalancer.servers = [ { url = "http://192.168.100.13:80"; } ];

+                                jellyfin.loadBalancer.servers = [ { url = "http://192.168.100.14:8096"; } ];
+
                                authentik.loadBalancer.servers = [ { url = "http://192.168.100.10:9000"; } ];
                            };
                        };
@@ -207,6 +230,7 @@
                };

                networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 8080 ];
+                networking.firewall.allowedUDPPorts = [ 80 443 ];

                system.stateVersion = "24.05";
            };