numbus-server/templates/nix-config/podman/pi-hole.nix

{ config, pkgs, ... }:

let
  container_name = "pihole";
  compose_file = "podman/pihole/compose.yaml";
  config_dir = "/mnt/config/pihole";
in

{
  config = {
    environment.etc."${compose_file}".text =
      /*
      yaml
      */
      ''
        services:
          pihole:
            image: pihole/pihole:latest
            container_name: ${container_name}
            networks:
              pihole:
            ports:
              # DNS Ports
              - "53:53/tcp"
              - "53:53/udp"
            environment:
              TZ: $TZ
              FTLCONF_webserver_api_password: $FTLCONF_webserver_api_password
              FTLCONF_dns_listeningMode: all
              FTLCONF_dns_revServers: true,$HOME_ROUTER_SUBNET,$HOME_ROUTER_IP,home
              FTLCONF_dns_domain_name: home
              FTLCONF_dns_domain_local: true
              FTLCONF_dns_hosts: |
                $HOME_SERVER_IP dns.$DOMAIN_NAME
                $HOME_SERVER_IP reverse.$DOMAIN_NAME
                $HOME_SERVER_IP nextcloud.$DOMAIN_NAME
                $HOME_SERVER_IP nextcloud-aio.$DOMAIN_NAME
                $HOME_SERVER_IP hass.$DOMAIN_NAME
                $HOME_SERVER_IP passbolt.$DOMAIN_NAME
              FTLCONF_dhcp_active: false
              FTLCONF_dns_upstreams: 9.9.9.11;149.112.112.11
              PIHOLE_UID: 1000
              PIHOLE_GID: 1000
            volumes:
              - ${config_dir}:/etc/pihole
            cap_add:
              - SYS_TIME
              - SYS_NICE
            labels:
              - traefik.enable=true
              - traefik.http.services.pihole.loadbalancer.server.port=443
              - traefik.http.services.pihole.loadbalancer.server.scheme=https
              - traefik.http.routers.pihole-https.entrypoints=websecure
              - traefik.http.routers.pihole-https.rule=Host(`${container_name}.$DOMAIN_NAME`)
              - traefik.http.routers.pihole-https.tls=true
              - traefik.http.routers.pihole-https.tls.certresolver=cloudflare
            restart: unless-stopped

        networks:
          pihole:
            external: true
      '';

    systemd.services.pihole = {
      description = "Podman container : ${container_name}";
      after = [ "network.target" "traefik.service" ];
      requires = [ "network.target" ];
      wantedBy = ["multi-user.target"];
      path = [ pkgs.podman-compose ];

      serviceConfig = {
        Type = "exec";
        # Pull the latest image before running
        ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
        # Bring the service up
        ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
        # Take it down gracefully
        ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";

        Restart = "on-failure";
      };
    };
  };
}