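# NixOS module: run Pi-hole (FTL resolver + web UI) inside a NixOS container
# with its own network namespace, and point the host's resolver at it.
#
# Module arguments: `config`/`lib` are the usual NixOS module inputs;
# `nixpkgs-us` is an extra input (alternative nixpkgs checkout) that is only
# referenced by the commented-out module imports further down.
{ config, lib, nixpkgs-us, ... }:

{
  # Opt-in switch; nothing in `config` below is applied unless this is true.
  options.sysconfig.virtualization.pihole.enable = lib.options.mkOption {
    type = lib.types.bool;
    default = false;
  };

  config = lib.mkIf config.sysconfig.virtualization.pihole.enable {
    /* Web UI password from sops -- currently disabled.  While this stays
       commented out, no password is configured here for pihole-web, so the
       module default applies; check that before making port 80 reachable
       from beyond the host.
    sops.secrets."pihole/pass" = {};
    sops.templates."pihole.env" = {
      content = ''
        WEBPASSWORD=${config.sops.placeholder."pihole/pass"}
      '';
      path = "/ssd1/Pihole/.env";
    };
    */

    networking = {
      # Host resolver order: the container first, public resolvers as
      # fallback.  The fallback entries bypass Pi-hole filtering whenever the
      # container resolver does not answer (nameservers are tried in order).
      nameservers = [ "192.168.100.28" "1.1.1.1" "1.0.0.1" ];
      # Outbound NAT for the container's veth so it can reach the upstreams.
      nat.internalInterfaces = [ "ve-pihole" ];
      /*firewall.interfaces."ve-traefik" = {
        allowedTCPPorts = [ 53 80 ];
        allowedUDPPorts = [ 53 ];
      };*/
    };

    /* Host-side Pi-hole services, superseded by the in-container config
       below and kept for reference only.
    services = {
      pihole-web = {
        enable = true;
        hostName = "pihole.local";
        ports = [ 80 ];
      };
      pihole-ftl = {
        enable = true;
        openFirewallDNS = true;
        openFirewallWebserver = true;
        lists = [
          { url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"; }
        ];
        settings = {
          dns = {
            upstreams = [
              #"127.0.0.1#5335"
              "1.0.0.1"
              "1.1.1.1"
            ];
            cnameRecords = [
              "traefik.local,local.internal.esotericbytes.com"
              "pihole.local,local.internal.esotericbytes.com"
              "hass.local,local.internal.esotericbytes.com"
            ];
          };
          misc.dnsmasq_lines = [ "interface=ve-traefik" ];
        };
      };
    };
    */

    containers.pihole = {
      autoStart = true;
      # Separate network namespace: the container only sees its veth (eth0),
      # addressed by the host/local pair below.
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.28";
      timeoutStartSec = "30s";

      config =
        let
          # Alternative nixpkgs evaluation; only used by the commented-out
          # imports below (left in place so they can be re-enabled as-is).
          pkgs-us = import nixpkgs-us { system = "x86_64-linux"; };
        in
        {
          /*imports = [
            (import "${nixpkgs-us}/nixos/modules/services/networking/pihole-ftl.nix" {
              config = config.containers.pihole.config;
              inherit lib;
              pkgs = pkgs-us;
            })
            (import "${nixpkgs-us}/nixos/modules/services/web-apps/pihole-web.nix" {
              config = config.containers.pihole.config;
              inherit lib;
              pkgs = pkgs-us;
            })
          ];*/

          services = {
            pihole-web = {
              enable = true;
              hostName = "pihole.local";
              ports = [ 80 ];
            };

            pihole-ftl = {
              enable = true;
              # These open ports in the *container's* firewall only; whether
              # LAN clients can reach 53/80 still depends on the host side.
              openFirewallDNS = true;
              openFirewallWebserver = true;
              # Blocklist is fetched at runtime from a mutable branch (not
              # pinned or checksummed); its contents decide what is blocked.
              lists = [
                { url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"; }
              ];
              settings = {
                dns = {
                  upstreams = [
                    #"127.0.0.1#5335"   # local unbound -- disabled below
                    "1.0.0.1"
                    "1.1.1.1"
                  ];
                  cnameRecords = [
                    "traefik.local,local.internal.esotericbytes.com"
                    "pihole.local,local.internal.esotericbytes.com"
                    "hass.local,local.internal.esotericbytes.com"
                  ];
                };
                # NOTE(review): presumably a way to make FTL listen on every
                # interface in the namespace rather than a named one (dnsmasq
                # excludes only the given, non-existent, interface) -- confirm.
                misc.dnsmasq_lines = [ "except-interface=nonexisting" ];
              };
            };

            /* Local validating resolver in front of Cloudflare DoT.  Disabled;
               note it binds 127.0.0.1 only, so enabling it does not require
               opening 5335 in the container firewall.
            unbound = {
              enable = true;
              resolveLocalQueries = false;
              settings = {
                server = {
                  interface = [ "127.0.0.1" ];
                  port = 5335;
                  access-control = [ "127.0.0.1 allow" ];
                  harden-glue = true;
                  harden-dnssec-stripped = true;
                  use-caps-for-id = false;
                  prefetch = true;
                  edns-buffer-size = 1232;
                  hide-identity = true;
                  hide-version = true;
                };
                forward-zone = [
                  {
                    name = "cloudflare";
                    forward-addr = [
                      "1.1.1.1#one.one.one.one"
                      "1.0.0.1#one.one.one.one"
                    ];
                    forward-tls-upstream = true;
                  }
                ];
              };
            };
            */
          };

          # pihole-ftl-setup can start before the container's veth is up.
          # Wait (bounded) for eth0 to report UP, and fail the unit explicitly
          # instead of looping until systemd's start timeout kills it.
          # Relies on `ip` being on the unit's PATH, as the original loop did.
          systemd.services.pihole-ftl-setup.preStart = ''
            tries=0
            until ip link show eth0 2>/dev/null | grep -q UP; do
              tries=$((tries + 1))
              if [ "$tries" -ge 30 ]; then
                echo "pihole-ftl-setup: eth0 did not come up" >&2
                exit 1
              fi
              sleep 1
            done
          '';

          systemd.network = {
            enable = true;
            networks."eth0@if24" = {
              # A .network unit matches by its [Match] section, not by file
              # name; without this it would apply to every interface.
              matchConfig.Name = "eth0";
              linkConfig.requiredForOnline = "yes";
            };
          };

          networking = {
            # The container runs its own resolver; do not copy the host's.
            useHostResolvConf = false;
            # No extra firewall ports: DNS/web are opened by the pihole-ftl
            # openFirewall* options, and the (disabled) unbound binds only
            # 127.0.0.1:5335, which never needs to be reachable externally.
          };

          system.stateVersion = "25.05";
        };
    };
  };
}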