feat(nixos): update flake.lock and configure services for ryu and tako

feat(home): adjust vicinae and eilmeldung configurations feat(neovim): enable folding in neovim configuration fix(nixos): disable resolved dns and remove fallback dns on tako chore(nixos): add pihole and resolved services to tsuba chore(home): remove unused packages from programs chore(nixos): add gamescope-wsi and vulkan-tools to steam configuration chore(nixos): update navidrome service with sops integration and systemd tmpfiles chore(darwin): use dynamic user in shiro configuration chore(secrets): add lastfm and pihole secrets to secrets.yaml
2025-12-30 04:32:13 +05:30
parent 0fa7586c97
commit e8aece3f47
15 changed files with 229 additions and 111 deletions
--- a/nixos/tsuba/services/default.nix
+++ b/nixos/tsuba/services/default.nix
@@ -10,5 +10,7 @@
    ./flaresolverr.nix
    ./caddy.nix
    ./monitoring.nix
+    ./pihole.nix
+    ./resolved.nix
  ];
 }
--- a/nixos/tsuba/services/pihole.nix
+++ b/nixos/tsuba/services/pihole.nix
@@ -0,0 +1,70 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  sops = {
+    secrets."pihole/password" = {};
+    templates."pihole.env".content = ''
+      FTLCONF_webserver_api_password=${config.sops.placeholder."pihole/password"}
+    '';
+  };
+  virtualisation.oci-containers = {
+    containers = {
+      pihole = {
+        image = "pihole/pihole:latest";
+        ports = [
+          "53:53/tcp"
+          "53:53/udp"
+          "127.0.0.1:8053:80/tcp"
+        ];
+        privileged = true;
+        environment = {
+          TZ = config.time.timeZone;
+          FTLCONF_dns_listeningMode = "ALL";
+        };
+        environmentFiles = [
+          config.sops.templates."pihole.env".path
+        ];
+        volumes = [
+          "/etc/pihole:/etc/pihole"
+        ];
+        capabilities = {
+          "NET_ADMIN" = true;
+          "SYS_TIME" = true;
+          "SYS_NICE" = true;
+        };
+      };
+    };
+  };
+
+  services.caddy = {
+    virtualHosts."pihole.darksailor.dev".extraConfig = ''
+      import cloudflare
+      redir / /admin permanent
+      reverse_proxy localhost:8053
+    '';
+  };
+
+  # Systemd service to pull latest Home Assistant image
+  systemd.services.pihole-image-update = {
+    description = "Pull latest Pi Hole Docker image";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.docker}/bin/docker pull pihole/pihole:latest";
+      ExecStartPost = "${pkgs.systemd}/bin/systemctl restart docker-pihole.service";
+    };
+  };
+
+  # Systemd timer to run the update service every 5 days
+  systemd.timers.pihole-image-update = {
+    description = "Timer for Pi-Hole image updates";
+    wantedBy = ["timers.target"];
+    timerConfig = {
+      OnCalendar = "Mon *-*-* 02:00:00";
+      OnUnitInactiveSec = "5d";
+      Persistent = true;
+      RandomizedDelaySec = "1h";
+    };
+  };
+}
--- a/nixos/tsuba/services/resolved.nix
+++ b/nixos/tsuba/services/resolved.nix
@@ -1,9 +1,11 @@
-{...}: {
+{lib, ...}: {
  services.resolved = {
-    enable = true;
-    dnssec = "true";
-    domains = ["~." "lemur-newton.ts.net"];
-    fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
-    dnsovertls = "true";
+    enable = false;
+    # dnssec = "true";
+    # domains = ["~." "lemur-newton.ts.net"];
+    # fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
+    fallbackDns = [];
+    # dnsovertls = "true";
  };
+  networking.nameservers = [];
 }