From 923a1637865c1d077607da406a74475065f6844e Mon Sep 17 00:00:00 2001
From: roxwize
Date: Fri, 7 Mar 2025 21:13:38 -0500
Subject: [PATCH] ~
---
nixos/docker/default.nix | 5 ++
nixos/docker/pihole/default.nix | 23 ++++++++
nixos/docker/pihole/docker-compose.nix | 79 ++++++++++++++++++++++++++
nixos/docker/pihole/docker-compose.yml | 36 ++++++++++++
nixos/hosts/near/configuration.nix | 52 ++--------------
5 files changed, 147 insertions(+), 48 deletions(-)
create mode 100644 nixos/docker/default.nix
create mode 100644 nixos/docker/pihole/default.nix
create mode 100644 nixos/docker/pihole/docker-compose.nix
create mode 100644 nixos/docker/pihole/docker-compose.yml
diff --git a/nixos/docker/default.nix b/nixos/docker/default.nix
new file mode 100644
index 0000000..9ef246a
--- /dev/null
+++ b/nixos/docker/default.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ imports = [
+ ./pihole
+ ];
+}
diff --git a/nixos/docker/pihole/default.nix b/nixos/docker/pihole/default.nix
new file mode 100644
index 0000000..6db7be9
--- /dev/null
+++ b/nixos/docker/pihole/default.nix
@@ -0,0 +1,23 @@
+{ pkgs, lib, config, ... }: let
+ cfg = config.r5e.containers.pihole;
+in with lib; {
+ options.r5e.containers.pihole = {
+ enable = mkEnableOption "pihole";
+ api-password = mkOption {
+ type = types.string;
+ default = "";
+ };
+ };
+
+ config = mkIf cfg.enable mkMerge [
+ (import ./docker-compose.nix { inherit pkgs lib; })
+ {
+ virtualisation.oci-containers.containers.pihole = {
+ environment = {
+ TZ = config.time.timeZone;
+ FTLCONF_webserver_api_password = mkIf (cfg.api-password != null) cfg.api-password;
+ };
+ };
+ }
+ ];
+}
\ No newline at end of file
diff --git a/nixos/docker/pihole/docker-compose.nix b/nixos/docker/pihole/docker-compose.nix
new file mode 100644
index 0000000..082bfa5
--- /dev/null
+++ b/nixos/docker/pihole/docker-compose.nix
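Review bot: `config = mkIf cfg.enable mkMerge [ … ]` in pihole/default.nix does not do what it looks like — Nix application is left-associative, so `mkIf` receives `mkMerge` as its content and the resulting attribute set is then applied to the list, which fails at evaluation time; it should read `config = mkIf cfg.enable (mkMerge [` with the matching `]);`. The guard `mkIf (cfg.api-password != null)` can never be false because the option defaults to `""` rather than `null`, so an enabled module with no password configured still passes an empty `FTLCONF_webserver_api_password` to the container, which the docker-pi-hole image appears to treat as "no web password" rather than "generate one"; declaring the option as `type = types.nullOr types.str; default = null;` makes the guard meaningful (`types.string` is, as far as I recall, deprecated in favour of `types.str` anyway). Note also that any value given for `api-password` is interpolated into the container's environment in the generated systemd unit and therefore ends up world-readable in the Nix store; a deployment should instead deliver it via the container's `environmentFiles` option pointing at a root-only file, and that caveat belongs in the option's `description`.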
@@ -0,0 +1,79 @@ +# Auto-generated using compose2nix v0.3.1. +{ pkgs, lib, ... }: + +{ + # Runtime + virtualisation.docker = { + enable = true; + autoPrune.enable = true; + }; + virtualisation.oci-containers.backend = "docker"; + + # Containers + virtualisation.oci-containers.containers."pihole" = { + image = "pihole/pihole:latest"; + environment = { + "FTLCONF_dns_listeningMode" = "all"; + }; + volumes = [ + "/etc/pihole:/etc/pihole:rw" + ]; + ports = [ + "53:53/tcp" + "53:53/udp" + "80:80/tcp" + "443:443/tcp" + ]; + log-driver = "journald"; + extraOptions = [ + "--cap-add=SYS_NICE" + "--network-alias=pihole" + "--network=pihole_default" + ]; + }; + systemd.services."docker-pihole" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ + "docker-network-pihole_default.service" + ]; + requires = [ + "docker-network-pihole_default.service" + ]; + partOf = [ + "docker-compose-pihole-root.target" + ]; + wantedBy = [ + "docker-compose-pihole-root.target" + ]; + }; + + # Networks + systemd.services."docker-network-pihole_default" = { + path = [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "docker network rm -f pihole_default"; + }; + script = '' + docker network inspect pihole_default || docker network create pihole_default + ''; + partOf = [ "docker-compose-pihole-root.target" ]; + wantedBy = [ "docker-compose-pihole-root.target" ]; + }; + + # Root service + # When started, this will automatically create all resources and start + # the containers. When stopped, this will teardown all resources. + systemd.targets."docker-compose-pihole-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = [ "multi-user.target" ]; + }; +} 
diff --git a/nixos/docker/pihole/docker-compose.yml b/nixos/docker/pihole/docker-compose.yml new file mode 100644 index 0000000..d459fdf --- /dev/null +++ b/nixos/docker/pihole/docker-compose.yml @@ -0,0 +1,36 @@ +# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/ +name: pihole +services: + pihole: + container_name: pihole + image: pihole/pihole:latest + ports: + # DNS Ports + - "53:53/tcp" + - "53:53/udp" + # Default HTTP Port + - "80:80/tcp" + # Default HTTPs Port. FTL will generate a self-signed certificate + - "443:443/tcp" + # Uncomment the line below if you are using Pi-hole as your DHCP server + #- "67:67/udp" + # Uncomment the line below if you are using Pi-hole as your NTP server + #- "123:123/udp" + environment: + # If using Docker's default `bridge` network setting the dns listening mode should be set to 'all' + FTLCONF_dns_listeningMode: 'all' + # Volumes store your data between container upgrades + volumes: + # For persisting Pi-hole's databases and common configuration file + - '/etc/pihole:/etc/pihole' + # Uncomment the below if you have custom dnsmasq config files that you want to persist. Not needed for most starting fresh with Pi-hole v6. If you're upgrading from v5 you and have used this directory before, you should keep it enabled for the first v6 container start to allow for a complete migration. It can be removed afterwards. Needs environment variable FTLCONF_misc_etc_dnsmasq_d: 'true' + #- './etc-dnsmasq.d:/etc/dnsmasq.d' + cap_add: + # See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities + # Required if you are using Pi-hole as your DHCP server, else not needed + # - NET_ADMIN + # Required if you are using Pi-hole as your NTP client to be able to set the host's system time + # - SYS_TIME + # Optional, if Pi-hole should get some more processing time + - SYS_NICE + restart: unless-stopped \ No newline at end of file 
diff --git a/nixos/hosts/near/configuration.nix b/nixos/hosts/near/configuration.nix index e93108d..2e16a83 100644 --- a/nixos/hosts/near/configuration.nix +++ b/nixos/hosts/near/configuration.nix @@ -4,6 +4,7 @@ inputs.raspberry-pi-nix.nixosModules.sd-image ./hardware-configuration.nix ../base.nix + ../../docker ]; users.users.root.openssh.authorizedKeys.keys = [ @@ -12,63 +13,18 @@ programs.git.enable = true; virtualisation.docker.enable = true; - - services = { - homepage-dashboard = { + r5e.containers = { + pihole = { enable = true; - listenPort = 80; - openFirewall = true; - settings = { - title = "near"; - theme = "dark"; - color = "violet"; - headerStyle = "clean"; - target = "_self"; - quickLaunch.provider = "duckduckgo"; - }; - widgets = [ - { - search.provider = "duckduckgo"; - } - { - resources = { - cpu = true; - memory = true; - disk = "/"; - uptime = true; - network = true; - }; - } - { - openmeteo = { - label = "Jacksonville"; - latitude = 30.3321838; - longitude = -81.655651; - timezone = "America/New_York"; - units = "imperial"; - }; - } - ]; - }; - openssh = { - ports = [ 22 ]; - banner = "I won't hold it against you"; - settings = { - PasswordAuthentication = false; - }; }; }; networking = { hostName = "near"; firewall.allowedTCPPorts = [ 22 ]; - #! TODO: webkitgtk seems to be a cache miss (alongside SDL and openal) which makes this take FOREVER to build - # networkmanager = { - # enable = true; - # }; }; - environment.systemPackages = with pkgs; [ git ]; + environment.systemPackages = with pkgs; [ git linux-wifi-hotspot ]; time.timeZone = "America/New_York";