~

nixos/docker/pihole/default.nix

@@ -2,7 +2,7 @@
 	cfg = config.r5e.containers.pihole;
 in with lib; {
 	options.r5e.containers.pihole = {
-		enable = mkEnableOption "pihole";
+		enable = mkEnableOption "Pi-hole";
 		openFirewall = mkOption {
 			type = types.bool;
 			default = false;
@@ -19,6 +19,10 @@ in with lib; {
 			type = types.str;
 			default = "";
 		};
+
+		dhcp = {
+			enable = mkEnableOption "the Pi-hole DHCP server";
+		};
 	};
 
 	config = mkIf cfg.enable (mkMerge [
@@ -32,12 +36,12 @@ in with lib; {
 				ports = [
 					(builtins.toString cfg.listenPortHTTP + ":80/tcp")
 					(builtins.toString cfg.listenPortHTTPS + ":443/tcp")
-				];
+				] ++ (optional cfg.dhcp.enable "67:67/udp");
 			};
 
 			networking.firewall = mkIf cfg.openFirewall {
 				allowedTCPPorts = [ 53 cfg.listenPortHTTP cfg.listenPortHTTPS ];
-				allowedUDPPorts = [ 53 67 ];
+				allowedUDPPorts = [ 53 ] ++ (optional cfg.dhcp.enable 67);
 			};
 		}
 	]);

nixos/docker/pihole/docker-compose.nix

@@ -21,7 +21,6 @@
     ports = [
       "53:53/tcp"
       "53:53/udp"
-      "67:67/udp"
       "80:80/tcp"
       "443:443/tcp"
     ];

nixos/docker/pihole/docker-compose.yml

@@ -13,7 +13,7 @@ services:
       # Default HTTPs Port. FTL will generate a self-signed certificate
       - "443:443/tcp"
       # Uncomment the line below if you are using Pi-hole as your DHCP server
-      - "67:67/udp"
+      #- "67:67/udp"
       # Uncomment the line below if you are using Pi-hole as your NTP server
       #- "123:123/udp"
     environment: