root/the_prg_server_configuration_old
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add NixOS configuration files. This is a foundation git commit that has now been deployed and working

Browse source
This commit is contained in:
Root User 2026-02-06 00:00:00 +01:00
parent d09ab1d526
commit 5b980771d9
Signed by: root
GPG key ID: 087F0A95E5766D72
15 changed files with 4842 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

687
nix-system-configs/dns/configuration-pihole-green.nix Normal file
View file

@ -0,0 +1,687 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration-knot.nix(5) man page
# and in the NixOS manual (accessible by running 'nixos-help').
{
config,
pkgs,
lib,
...
}: let
home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz";
in {
# Home Manager Configuration
imports = [
(import "${home-manager}/nixos")
];
## Ensure that configuration is copied after installing this NixOS image
system.copySystemConfiguration = true;
# Use Lix instead of Nix
nixpkgs.overlays = [
(final: prev: {
inherit
(prev. lixPackageSets.stable)
nixpkgs-review
nix-eval-jobs
nix-fast-build
colmena
;
})
];
nix. package = pkgs.lixPackageSets.stable. lix;
# Bootloader - GRUB for Proxmox
# Bootloader - systemd-boot with UEFI
boot.loader.grub.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.efi.efiSysMountPoint = "/boot";
# Proxmox configuration
proxmox.qemuConf = {
bios = "ovmf"; # Use OVMF for UEFI
};
boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod"];
networking.hostName = "piholeprg"; # Define your hostname.
#networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Enable Rsymc
services.rsync.enable = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Enable networking
networking.networkmanager. enable = true;
networking. useDHCP = lib.mkDefault true;
# Serial console for Proxmox
boot.kernelParams = ["console=tty0" "console=ttyS0,115200"];
# Enable QEMU Guest for Proxmox integration
services.qemuGuest.enable = true;
services.spice-vdagentd.enable = true;
# Enable SSH
services.openssh = {
enable = true;
ports = [22];
settings = {
PasswordAuthentication = false;
AllowUsers = null;
UseDns = true;
PermitRootLogin = "no";
};
};
# Set your time zone.
time. timeZone = "Europe/Copenhagen";
# Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "et_EE.UTF-8";
LC_IDENTIFICATION = "et_EE.UTF-8";
LC_MEASUREMENT = "et_EE.UTF-8";
LC_MONETARY = "et_EE.UTF-8";
LC_NAME = "et_EE.UTF-8";
LC_NUMERIC = "et_EE.UTF-8";
LC_PAPER = "et_EE.UTF-8";
LC_TELEPHONE = "et_EE.UTF-8";
LC_TIME = "et_EE.UTF-8";
};
# Configure keymap in X11
services.xserver. xkb = {
layout = "us";
variant = "";
};
# Enable Seatd for Wayland sessions
# IMPORTANT: Enable seatd service for River WM
services.seatd = {
enable = true;
logLevel = "info";
};
# Enable the gnome-keyring secrets vault.
# Will be exposed through DBus to programs willing to store secrets.
services. gnome.gnome-keyring.enable = true;
# Enable Sway window manager
programs.sway = {
enable = true;
wrapperFeatures.gtk = true;
};
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd sway";
user = "greeter";
};
};
};
# Configure security to allow seatd access
security.polkit.enable = true;
# Configure GPU support
hardware.graphics = {
enable = true;
enable32Bit = true;
};
# Define a user account. Don't forget to set a password with 'passwd'.
# Copy this later to generate more custom users.
users.users.piholeprg = {
isNormalUser = true;
description = "NixOS Playground";
extraGroups = ["networkmanager" "wheel" "seat"];
packages = with pkgs; [];
initialPassword = "nixos"; # Simple, change on first login
};
home-manager.users.piholeprg = {pkgs, ...}: {
home.packages = [
pkgs.atool
pkgs.httpie
pkgs.alacritty # Terminal emulator
pkgs. hyfetch # Add fetching packages
pkgs.macchina
pkgs.wayland # Wayland display server
pkgs.wlroots # Wayland compositor library
pkgs.maple-mono. NF # Font for better terminal appearance
pkgs.wl-clipboard # Clipboard utilities for Wayland
pkgs.mako # Wayland Sway Notification Daemon
pkgs.btop # Resource monitor
];
# Configure LibreWolf browser
programs.librewolf = {
enable = true;
# Enable WebGL, cookies and history
settings = {
"webgl.disabled" = false;
"privacy.resistFingerprinting" = true;
"privacy.clearOnShutdown. history" = false;
"privacy.clearOnShutdown.cookies" = true;
};
};
# Set Alacritty as the default terminal emulator
home.sessionVariables = {
TERMINAL = "alacritty";
};
# Use Zsh as the default shell
programs.zsh. enable = true;
# Configure Alacritty as the default terminal emulator
programs.alacritty = {
enable = true;
settings = {
# Window configuration
window = {
opacity = 1.0;
padding = {
x = 10;
y = 10;
};
};
# Font configuration - fixes spacing issues
font = {
normal = {
family = "Maple Mono NF";
style = "Regular";
};
bold = {
family = "Maple Mono NF";
style = "Bold";
};
italic = {
family = "Maple Mono NF";
style = "Italic";
};
bold_italic = {
family = "Maple Mono NF";
style = "Bold Italic";
};
size = 14.0;
};
# Colors (optional - using default Alacritty colors)
colors = {
primary = {
background = "#1e1e2e";
foreground = "#cdd6f4";
};
};
};
};
# Configure Hyfetch system info fetcher
programs.hyfetch = {
enable = true;
settings = {
preset = "lesbian"; # Use lesbian flag preset
mode = "rgb"; # Use RGB color mode
lightness = 0.55; # Set to 55% brightness
backend = "macchina"; # Use macchina as the backend
logo_size = "small"; # Make small logo
pride_month_disable = false; # Enable pride month mode (or true to disable)
pride_month_shown = []; # List of shown pride month flags
color_align = {
mode = "horizontal";
};
};
};
# The state version is required and should stay at the version you
# originally installed.
home.stateVersion = "25.11";
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Passwordless sudo for wheel group
security.sudo. wheelNeedsPassword = false;
# Hardware U2F support - Passwordless sudo with hardware key
security.pam.u2f = {
enable = true;
settings = {
authfile = "/etc/u2f_keys";
cue = true;
pinverification = 0; # No PIN verification
userpresence = 1; # Require user presence (touch)
};
};
# SSH Agent authentication
security.pam.sshAgentAuth. enable = true;
# Automatic upgrades
system.autoUpgrade = {
enable = true; # Set to true for automatic updates
dates = "daily";
allowReboot = false;
};
# System packages
environment.systemPackages = with pkgs; [
# Network tools
wget
curl
dig
tcpdump
ethtool
iptables
nftables
iproute2
bridge-utils
netcat-gnu
traceroute
mtr
# Add the ability to create NixOS images
nixos-generators
# Monitoring
btop
htop
iotop
bandwhich
# Editors
micro
vim
helix
# System info
fastfetch
lshw
pciutils
usbutils
# Filesystem utilities
btrfs-progs
e2fsprogs
ntfs3g
dosfstools
os-prober
# Development tools
knot-dns
# Browser for web interface access
librewolf
];
# Enable zram swap
zramSwap = {
enable = true;
memoryPercent = 50;
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
networking = {
hosts = {
"10.1.123.1" = ["ipfire.server.prg" "ipfire"];
"10.1.123.2" = ["pi-hole.server.prg" "pi-hole"];
# "10.1.123.15" = ["nas.server.prg" "nas"];
};
};
#
# Services
#
services = {
# I'm not actually using the dnsmasq service. Pi-hole provides
# it's own dnsmasq. I'm using Nix' ability to manage the
# dnsmasq-style configuration file that Pi-hole utilizes.
dnsmasq = {
enable = false;
settings = {
address = [
#"/feelinsonice-hrd.appspot.com/ # Block Snapchat"
#"/feelinsonice. appspot.com/ # Block Snapchat"
#"/snapchat.com/ # Block Snapchat"
];
dhcp-name-match = [
#"set: hostname-ignore,wpad"
#"set:hostname-ignore,localhost"
];
# Set DHCP option 6 to the DNS server you nodes should use.
dhcp-option = [
"vendor: MSFT,2,1i"
"6,10.1.123.2"
];
domain = [
"server.prg,192.168.33.0/24,local"
];
};
};
pihole-ftl = {
enable = true;
lists = [
{
url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts";
type = "block";
enabled = true;
description = "Steven Black's HOSTS - Usual, porn, gambling, fakenews etc. block";
}
];
openFirewallDNS = true;
openFirewallDHCP = true;
openFirewallWebserver = true;
queryLogDeleter.enable = true;
settings = {
# See https://docs.pi-hole.net/ftldns/configfile/
dhcp = {
active = true; # <-- SET TO TRUE ONLY WHEN YOU'RE READY!
end = "10.1.123.254";
hosts = [
# Add new statics here
];
ipv6 = true;
leaseTime = "1h";
start = "10.1.123.122";
rapidCommit = true;
multiDNS = true; # This ensures that DNS is there, because some people's computers might yeet the given DNS server still
resolver = {
resolveIPv6 = false;
};
router = "10.1.123.1";
};
### COMMENT THIS AFTER INSTALLATION!
misc. readOnly = false;
dns = {
cnameRecords = [
#"color-printer,office-printer"
#"color-printer. homelab. me,office-printer.homelab.me"
];
domain = "server.prg";
domainNeeded = true;
expandHosts = true;
interface = "ens18";
hosts = [
"10.1.123.1 ipfire"
"10.1.123.2 pi-hole"
#"10.1.123.15 nas"
];
upstreams = ["127.0.0.1#5335"]; # Pointing to Unbound
};
ntp = {
ipv4.active = true;
ipv6.active = true;
sync.active = true;
};
webserver = {
api = {
# To manage the web login:
# 1) Temporarily set misc.readOnly to false in
# configuration.nix and switch to it.
# 2) Manually set a password:
# Pi-hole web console > Settings > All settings >
# Webserver and API > webserver. api.password > Value: ******
# 3) Read the generated hash:
# sudo pihole-FTL --config webserver.api.pwhash
};
session = {
timeout = 43200; # 12h
};
};
};
useDnsmasqConfig = true;
};
pihole-web = {
enable = true;
ports = [80];
};
resolved = {
extraConfig = ''
DNSStubListener=no
MulticastDNS=off
'';
};
# Unbound recursive DNS server configuration
# Based on Pi-hole + Unbound guide: https://docs.pi-hole.net/guides/dns/unbound/
unbound = {
enable = true;
package = pkgs.unbound-with-systemd;
settings = {
server = {
# Listen only on localhost for Pi-hole queries
interface = ["127.0.0.1"];
port = 5335;
# Access control - only allow localhost
access-control = [
"127.0.0.0/8 allow"
"0.0.0.0/0 refuse"
];
# Enable both IPv4 and IPv6
do-ip4 = true;
do-ip6 = true;
do-udp = true;
do-tcp = true;
# Prefer IPv4 (recommended for most setups)
prefer-ip6 = false;
# Security enhancements
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false; # Prevents DNSSEC issues
# Performance optimizations from Pi-hole guide
edns-buffer-size = 1232; # Prevents UDP fragmentation
prefetch = true; # Prefetch expiring cache entries
# Threading (1 thread sufficient for most home setups)
num-threads = 1;
# Increase socket buffer for high query rates
so-rcvbuf = "1m";
# Privacy - ensure no queries leak to public IPs
private-address = [
"192.168.0.0/16"
"169.254.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"fd00::/8"
"fe80::/10"
# RFC6303 addresses
"192.0.2.0/24"
"198.51.100.0/24"
"203.0.113.0/24"
"255.255.255.255/32"
"2001:db8::/32"
];
# Logging configuration (set to 0 for production, higher for debugging)
verbosity = 0;
log-queries = false;
# Additional security
hide-identity = true;
hide-version = true;
# Cache settings
cache-min-ttl = 0;
cache-max-ttl = 86400;
# Hardening options
harden-below-nxdomain = true;
harden-referral-path = false;
harden-algo-downgrade = false;
};
# Optional: Forward to encrypted DNS (comment out for pure recursive)
# Uncomment below to use Quad9 with DNS-over-TLS
# forward-zone = [
# {
# name = ". ";
# forward-addr = [
# "9.9.9.9@853#dns.quad9.net"
# "149.112.112.112@853#dns.quad9.net"
# ];
# forward-tls-upstream = true;
# }
# ];
};
};
};
# Systemd configuration for Unbound and Pi-hole integration
systemd = {
# Create necessary directories and files
tmpfiles.rules = [
# Silence benign FTL. log warning
"f /etc/pihole/versions 0644 pihole pihole - -"
# Unbound directories (if needed for custom configs)
"d /var/lib/unbound 0755 unbound unbound - -"
];
services = {
# Ensure Unbound starts before Pi-hole FTL
pihole-ftl = {
after = ["unbound.service"];
wants = ["unbound.service"];
};
# Automatic root hints updater (runs monthly)
unbound-root-hints-updater = {
description = "Update Unbound Root Hints";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.writeShellScript "update-root-hints" ''
#!/usr/bin/env bash
set -euo pipefail
HINTS_FILE="/var/lib/unbound/root. hints"
TEMP_FILE=$(mktemp)
echo "Downloading latest root hints..."
${pkgs.curl}/bin/curl -sf https://www.internic.net/domain/named.root -o "$TEMP_FILE"
if [ -s "$TEMP_FILE" ]; then
mv "$TEMP_FILE" "$HINTS_FILE"
chown unbound:unbound "$HINTS_FILE"
chmod 644 "$HINTS_FILE"
echo "Root hints updated successfully"
systemctl restart unbound. service
else
echo "Failed to download root hints"
rm -f "$TEMP_FILE"
exit 1
fi
''}";
};
};
};
timers = {
# Run root hints update monthly
unbound-root-hints-updater = {
description = "Monthly Unbound Root Hints Update";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "monthly";
Persistent = true;
RandomizedDelaySec = "1h";
};
};
};
};
# System activation scripts
system.activationScripts = {
print-pi-hole = {
text = builtins.trace "Building the pi-hole configuration..." "";
};
# Initialize unbound root hints on first boot
unbound-root-hints = {
text = ''
if [ ! -f /var/lib/unbound/root.hints ]; then
echo "Initializing Unbound root hints..."
${pkgs.curl}/bin/curl -sf https://www.internic.net/domain/named.root \
-o /var/lib/unbound/root.hints || true
if [ -f /var/lib/unbound/root.hints ]; then
chown unbound:unbound /var/lib/unbound/root. hints
chmod 644 /var/lib/unbound/root.hints
fi
fi
'';
};
# Fix socket buffer size warning
unbound-socket-buffer = {
text = ''
# Set kernel parameter for unbound socket buffer
if [ "$(sysctl -n net. core.rmem_max)" -lt 1048576 ]; then
echo "Setting net.core.rmem_max=1048576 for Unbound"
sysctl -w net.core.rmem_max=1048576 || true
fi
'';
};
};
# Make socket buffer size permanent
boot.kernel.sysctl = {
"net.core.rmem_max" = 1048576; # 1MB for Unbound
};
# Attach the system to the IPFire network: set a static IP on the Proxmox bridge (ens18)
# Adjust `ens18` and the address below to your environment.
networking.interfaces.ens18.ipv4.addresses = [
{
address = "10.1.123.2";
prefixLength = 24;
} # Using this IP for DNS server
];
networking.defaultGateway = "10.1.123.1";
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration-knot. nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.11"; # Did you read the comment?
}