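{ config, lib, ... }:
let
  cfg = config.sysconfig.docker.pihole;
  # Host-side port traefik reaches the Pi-hole web UI on (via ve-traefik).
  hostPort = 9001;
  subdomain = "pihole";
  name = "pihole";
  fqdn = "${subdomain}.esotericbytes.com";
in
{
  options.sysconfig.docker.pihole = with lib; {
    enable = mkOption {
      type = with types; bool;
      default = false;
      description = "Run the Pi-hole container behind traefik and use it as the host resolver.";
    };
    # Secret handling: a literal password in this file is copied into /nix/store
    # (world-readable) and is visible in `docker inspect`. Point this at an
    # env-file kept outside the store (e.g. one provisioned by a secrets tool)
    # containing a line `FTLCONF_webserver_api_password=<value>`.
    # It is a string on purpose: a Nix path literal here would itself be
    # copied into the store.
    passwordFile = mkOption {
      type = with types; nullOr str;
      default = null;
      description = ''
        Absolute path (outside the Nix store) of an env-file that sets
        FTLCONF_webserver_api_password. When null, the previous in-store
        literal password is used so existing deployments keep working.
      '';
    };
  };

  config = lib.mkIf (cfg.enable && config.sysconfig.docker.enable) {
    # Host resolver: Pi-hole first (bound to 127.0.0.1:53 below), Cloudflare as
    # fallback while the container is not up.
    environment.etc."resolv.conf" = {
      enable = true;
      text = ''
        nameserver 127.0.0.1
        nameserver 1.1.1.1
        nameserver 1.0.0.1
        options edns0
      '';
      user = "root";
      # NOTE(review): 0664 leaves the file group-writable (group root); 0644 is
      # the usual mode for resolv.conf and would be sufficient here - confirm
      # nothing relies on group write before tightening.
      mode = "0664";
    };

    # Only the traefik container veth may reach the web UI port on the host;
    # it is not opened on any other interface.
    networking.firewall.interfaces = {
      "ve-traefik" = {
        allowedTCPPorts = [ hostPort ];
      };
    };

    virtualisation.oci-containers.containers.pihole = {
      # `latest` is a moving tag; pinning by digest (image@sha256:<digest>)
      # would make pulls reproducible and auditable.
      image = "pihole/pihole:latest";
      # unstable, waiting for 26.05
      #pull = "newer";
      hostname = fqdn;
      networks = [ "docker-main" ];
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.${name}.entrypoints" = "localsecure";
        "traefik.http.routers.${name}.rule" = "Host(`${fqdn}`)";
        "traefik.http.routers.${name}.service" = "${name}";
        "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
        #"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
        "traefik.http.services.${name}.loadbalancer.server.port" = "80";
      };
      # Fixed address on docker-main so traefik and other containers can find it.
      extraOptions = [ "--ip=192.168.101.12" ];
      # DNS is published on loopback only; the web UI is published on hostPort
      # for traefik. Other containers on docker-main can still reach the
      # container directly via its fixed IP.
      ports = [
        "${builtins.toString hostPort}:80"
        "127.0.0.1:53:53/tcp"
        "127.0.0.1:53:53/udp"
      ];
      volumes = [ "vol_pihole:/etc/pihole" ];
      environment = {
        # "ALL" makes FTL answer on every interface inside the container; the
        # host-side exposure is limited by the 127.0.0.1 port bindings above.
        FTLCONF_dns_listeningMode = "ALL";
      } // lib.optionalAttrs (cfg.passwordFile == null) {
        # Legacy in-store literal, kept only when no passwordFile is configured
        # (a -e value would override an env-file value, so it must not be set
        # in both places).
        FTLCONF_webserver_api_password = "7567";
      };
      environmentFiles = lib.optional (cfg.passwordFile != null) cfg.passwordFile;
    };
  };
}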