~

2025-03-13 07:53:25 +00:00 · 2025-03-08 22:11:17 -05:00 · 2025-03-08 22:11:17 -05:00 · 8037e88c20
commit 8037e88c20
parent f85fb25d59
4 changed files with 48 additions and 31 deletions
--- a/nixos/docker/pihole/default.nix
+++ b/nixos/docker/pihole/default.nix
@ -2,7 +2,7 @@
 	cfg = config.r5e.containers.pihole;
 in with lib; {
 	options.r5e.containers.pihole = {
-		enable = mkEnableOption "pihole";
+		enable = mkEnableOption "Pi-hole";
 		openFirewall = mkOption {
 			type = types.bool;
 			default = false;
@ -19,6 +19,10 @@ in with lib; {
 			type = types.str;
 			default = "";
 		};
+
+		dhcp = {
+			enable = mkEnableOption "the Pi-hole DHCP server";
+		};
 	};

 	config = mkIf cfg.enable (mkMerge [
@ -32,12 +36,12 @@ in with lib; {
 				ports = [
 					(builtins.toString cfg.listenPortHTTP + ":80/tcp")
 					(builtins.toString cfg.listenPortHTTPS + ":443/tcp")
-				];
+				] ++ (optional cfg.dhcp.enable "67:67/udp");
 			};

 			networking.firewall = mkIf cfg.openFirewall {
 				allowedTCPPorts = [ 53 cfg.listenPortHTTP cfg.listenPortHTTPS ];
-				allowedUDPPorts = [ 53 67 ];
+				allowedUDPPorts = [ 53 ] ++ (optional cfg.dhcp.enable 67);
 			};
 		}
 	]);
--- a/nixos/docker/pihole/docker-compose.nix
+++ b/nixos/docker/pihole/docker-compose.nix
@ -21,7 +21,6 @@
    ports = [
      "53:53/tcp"
      "53:53/udp"
-      "67:67/udp"
      "80:80/tcp"
      "443:443/tcp"
    ];
--- a/nixos/docker/pihole/docker-compose.yml
+++ b/nixos/docker/pihole/docker-compose.yml
@ -13,7 +13,7 @@ services:
      # Default HTTPs Port. FTL will generate a self-signed certificate
      - "443:443/tcp"
      # Uncomment the line below if you are using Pi-hole as your DHCP server
-      - "67:67/udp"
+      #- "67:67/udp"
      # Uncomment the line below if you are using Pi-hole as your NTP server
      #- "123:123/udp"
    environment:
--- a/nixos/hosts/near/configuration.nix
+++ b/nixos/hosts/near/configuration.nix
@ -7,6 +7,10 @@
 		../../docker
 	];

+	boot.kernel.sysctl = {
+		"net.ipv4.ip_forward" = true;
+	};
+
 	users.users.root.openssh.authorizedKeys.keys = [
 		"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyZFWvrboUTM/dKzz5kQHEKjNqI410VJUGiVckhjOve rae@ioides"
 	];
@ -15,48 +19,58 @@
 	virtualisation.docker.enable = true;
 	r5e.containers = {
 		pihole = {
-			enable = false;
-			openFirewall = true;
+			enable = true;
+			dhcp.enable = false;
 			listenPortHTTP = 8080;
 			listenPortHTTPS = 8443;
+			openFirewall = true;
 		};
 	};

 	services = {
-		dnsmasq = {
+		create_ap = {
 			enable = true;
 			settings = {
-				dhcp-range = [ "192.168.14.10,192.168.14.254,24h" ];
-				interface = "wlan0";
-			};
-		};
-		hostapd = {
-			enable = true;
-			radios.wlan0 = {
-				band = "2g";
-				channel = 7;
-				countryCode = "US";
-				networks.wlan0 = {
-					ssid = "near [2.4ghz]";
-					authentication = {
-						mode = "wpa2-sha256";
-						wpaPassword = "techcat8";
-					};
-				};
-				settings = {
-					ht_capab = lib.mkForce "[HT40][SHORT-GI-20]";
-				};
+				COUNTRY = "US";
+				GATEWAY = "10.0.0.1";
+				INTERNET_IFACE = "end0";
+				NO_DNS = 1;
+				PASSPHRASE = "techcat8";
+				SSID = "near";
+				WIFI_IFACE = "wlan0";
 			};
 		};
+		# hostapd = {
+		# 	enable = true;
+		# 	radios.wlan0 = {
+		# 		band = "2g";
+		# 		channel = 7;
+		# 		countryCode = "US";
+		# 		networks.wlan0 = {
+		# 			authentication = {
+		# 				mode = "wpa2-sha256";
+		# 				wpaPassword = "techcat8";
+		# 			};
+		# 			logLevel = 1;
+		# 			ssid = "near";
+		# 		};
+		# 		settings = {
+		# 			ht_capab = lib.mkForce "[HT40][SHORT-GI-20]";
+		# 		};
+		# 	};
+		# };
 	};

 	networking = {
 		# bridges.br0 = {
 		# 	interfaces = [ "end0" "wlan0" ];
 		# };
-		defaultGateway.address = "10.0.0.1";
-		firewall.allowedTCPPorts = [ 53 22 ];
-		firewall.allowedUDPPorts = [ 53 67 68 ];
+		firewall = {
+			allowedTCPPorts = [ 22 ];
+			extraCommands = ''
+				iptables -t nat -A POSTROUTING -o end0 -j MASQUERADE
+			'';
+		};
 		hostName = "near";
 		interfaces = {
 			# br0 = {