diff --git a/nixos/docker/pihole/default.nix b/nixos/docker/pihole/default.nix
index 0026230..19a0748 100644
--- a/nixos/docker/pihole/default.nix
+++ b/nixos/docker/pihole/default.nix
@@ -2,7 +2,7 @@
 cfg = config.r5e.containers.pihole;
 in with lib; {
 options.r5e.containers.pihole = {
- enable = mkEnableOption "pihole";
+ enable = mkEnableOption "Pi-hole";
 openFirewall = mkOption {
 type = types.bool;
 default = false;
@@ -19,6 +19,10 @@ in with lib; {
 type = types.str;
 default = "";
 };
+
+ dhcp = {
+ enable = mkEnableOption "the Pi-hole DHCP server";
+ };
 };
 config = mkIf cfg.enable (mkMerge [
@@ -32,12 +36,12 @@ in with lib; {
 ports = [
 (builtins.toString cfg.listenPortHTTP + ":80/tcp")
 (builtins.toString cfg.listenPortHTTPS + ":443/tcp")
- ];
+ ] ++ (optional cfg.dhcp.enable "67:67/udp");
 };
 networking.firewall = mkIf cfg.openFirewall {
 allowedTCPPorts = [ 53 cfg.listenPortHTTP cfg.listenPortHTTPS ];
- allowedUDPPorts = [ 53 67 ];
+ allowedUDPPorts = [ 53 ] ++ (optional cfg.dhcp.enable 67);
 };
 }
 ]);
diff --git a/nixos/docker/pihole/docker-compose.nix b/nixos/docker/pihole/docker-compose.nix
index dd9687b..b467602 100644
--- a/nixos/docker/pihole/docker-compose.nix
+++ b/nixos/docker/pihole/docker-compose.nix
@@ -21,7 +21,6 @@
 ports = [
 "53:53/tcp"
 "53:53/udp"
- "67:67/udp"
 "80:80/tcp"
 "443:443/tcp"
 ];
diff --git a/nixos/docker/pihole/docker-compose.yml b/nixos/docker/pihole/docker-compose.yml
index 729bb4d..75cb6fc 100644
--- a/nixos/docker/pihole/docker-compose.yml
+++ b/nixos/docker/pihole/docker-compose.yml
@@ -13,7 +13,7 @@ services:
 # Default HTTPs Port. FTL will generate a self-signed certificate
 - "443:443/tcp"
 # Uncomment the line below if you are using Pi-hole as your DHCP server
- - "67:67/udp"
+ #- "67:67/udp"
 # Uncomment the line below if you are using Pi-hole as your NTP server
 #- "123:123/udp"
 environment:
diff --git a/nixos/hosts/near/configuration.nix b/nixos/hosts/near/configuration.nix
index 177d67e..a2291b0 100644
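Review bot: The new `] ++ (optional cfg.dhcp.enable "67:67/udp")` line only publishes the port; whether the container definition (which starts outside this hunk) also grants what the Pi-hole image needs to actually serve DHCP from a bridge network — its own compose template lists the `NET_ADMIN` capability for that role — is not visible here, so enabling `dhcp` may map 67/udp to a container that cannot answer. The matching `allowedUDPPorts = [ 53 ] ++ (optional cfg.dhcp.enable 67)` gate applies to the nixos-fw INPUT rules, but a port published by Docker on its bridge network is normally admitted through Docker's own FORWARD/DOCKER chain rules rather than INPUT, so `openFirewall` may not control reachability of 53/67 the way it appears to; worth confirming on the host. A comment on the `dhcp.enable` option in the preceding hunk, such as `# Also publishes 67/udp from the container and, with openFirewall, adds it to the host firewall.`, would make that coupling explicit for the next reader.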
--- a/nixos/hosts/near/configuration.nix
+++ b/nixos/hosts/near/configuration.nix
@@ -7,6 +7,10 @@
 ../../docker
 ];
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ };
+
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyZFWvrboUTM/dKzz5kQHEKjNqI410VJUGiVckhjOve rae@ioides"
 ];
@@ -15,48 +19,58 @@
 virtualisation.docker.enable = true;
 r5e.containers = {
 pihole = {
- enable = false;
- openFirewall = true;
+ enable = true;
+ dhcp.enable = false;
 listenPortHTTP = 8080;
 listenPortHTTPS = 8443;
+ openFirewall = true;
 };
 };
 services = {
- dnsmasq = {
+ create_ap = {
 enable = true;
 settings = {
- dhcp-range = [ "192.168.14.10,192.168.14.254,24h" ];
- interface = "wlan0";
- };
- };
- hostapd = {
- enable = true;
- radios.wlan0 = {
- band = "2g";
- channel = 7;
- countryCode = "US";
- networks.wlan0 = {
- ssid = "near [2.4ghz]";
- authentication = {
- mode = "wpa2-sha256";
- wpaPassword = "techcat8";
- };
- };
- settings = {
- ht_capab = lib.mkForce "[HT40][SHORT-GI-20]";
- };
+ COUNTRY = "US";
+ GATEWAY = "10.0.0.1";
+ INTERNET_IFACE = "end0";
+ NO_DNS = 1;
+ PASSPHRASE = "techcat8";
+ SSID = "near";
+ WIFI_IFACE = "wlan0";
 };
 };
+ # hostapd = {
+ # enable = true;
+ # radios.wlan0 = {
+ # band = "2g";
+ # channel = 7;
+ # countryCode = "US";
+ # networks.wlan0 = {
+ # authentication = {
+ # mode = "wpa2-sha256";
+ # wpaPassword = "techcat8";
+ # };
+ # logLevel = 1;
+ # ssid = "near";
+ # };
+ # settings = {
+ # ht_capab = lib.mkForce "[HT40][SHORT-GI-20]";
+ # };
+ # };
+ # };
 };
 networking = {
 # bridges.br0 = {
 # interfaces = [ "end0" "wlan0" ];
 # };
- defaultGateway.address = "10.0.0.1";
- firewall.allowedTCPPorts = [ 53 22 ];
- firewall.allowedUDPPorts = [ 53 67 68 ];
+ firewall = {
+ allowedTCPPorts = [ 22 ];
+ extraCommands = ''
+ iptables -t nat -A POSTROUTING -o end0 -j MASQUERADE
+ '';
+ };
 hostName = "near";
 interfaces = {
 # br0 = {
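Review bot: `"net.ipv4.ip_forward" = true;` turns on forwarding for every interface on the host, and nothing in this commit adds FORWARD-chain filtering, so once the `MASQUERADE` rule in the next hunk is in place the box routes between any of its interfaces rather than just wlan0 to end0. NixOS already packages this pairing as `networking.nat = { enable = true; externalInterface = "end0"; internalInterfaces = [ "wlan0" ]; };`, which sets the forwarding sysctl itself and scopes the masquerade rule to traffic arriving from the listed internal interfaces, replacing both this hunk and the hand-written `extraCommands` later in the file. If the bare sysctl is kept, a comment such as `# Forwarding for Wi-Fi clients; see the MASQUERADE rule under networking.firewall.extraCommands` would at least tie the two halves together. The enclosing module attrset starts and ends outside the hunk.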
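Review bot: The `PASSPHRASE = "…";` entry in the new `create_ap` settings places the Wi-Fi passphrase in the evaluated configuration, and module values like this end up in the world-readable Nix store (the same exposure the replaced `wpaPassword` had, and the commented-out hostapd block keeps a second copy of it); loading it from a root-only file via a secrets mechanism, or at minimum keeping it out of the repository, would close that. Flipping `enable = true;` with `openFirewall = true;` also activates the Pi-hole module's firewall rules, which per the first file in this commit open 53 plus `listenPortHTTP`/`listenPortHTTPS` (8080/8443) on every interface, so the admin UI becomes reachable from the upstream `end0` side as well — if only Wi-Fi clients should reach it, `openFirewall = false;` with `networking.firewall.interfaces.wlan0.allowedTCPPorts`/`allowedUDPPorts` would scope it. The `extraCommands` rule uses `-A` against the system `POSTROUTING` chain, which the firewall's own reload does not flush, so it can be appended repeatedly across reloads and is never removed on stop; if the NAT module is not adopted, pair it with `extraStopCommands = ''iptables -t nat -D POSTROUTING -o end0 -j MASQUERADE 2>/dev/null || true'';`. The enclosing module attrset starts and ends outside the hunk.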