# Edit this configuration file to define what should be installed on # your system. Help is available in the configuration-knot.nix(5) man page # and in the NixOS manual (accessible by running 'nixos-help'). { config, pkgs, lib, ... }: let home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; in { # Home Manager Configuration imports = [ (import "${home-manager}/nixos") ]; ## Ensure that configuration is copied after installing this NixOS image system.copySystemConfiguration = true; # Use Lix instead of Nix nixpkgs.overlays = [ (final: prev: { inherit (prev. lixPackageSets.stable) nixpkgs-review nix-eval-jobs nix-fast-build colmena ; }) ]; nix. package = pkgs.lixPackageSets.stable. lix; # Bootloader - GRUB for Proxmox # Bootloader - systemd-boot with UEFI boot.loader.grub.enable = lib.mkForce false; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = false; boot.loader.efi.efiSysMountPoint = "/boot"; # Proxmox configuration proxmox.qemuConf = { bios = "ovmf"; # Use OVMF for UEFI }; boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod"]; networking.hostName = "piholeprg"; # Define your hostname. #networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # Enable Rsymc services.rsync.enable = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Enable networking networking.networkmanager. enable = true; networking. useDHCP = lib.mkDefault true; # Serial console for Proxmox boot.kernelParams = ["console=tty0" "console=ttyS0,115200"]; # Enable QEMU Guest for Proxmox integration services.qemuGuest.enable = true; services.spice-vdagentd.enable = true; # Enable SSH services.openssh = { enable = true; ports = [22]; settings = { PasswordAuthentication = false; AllowUsers = null; UseDns = true; PermitRootLogin = "no"; }; }; # Set your time zone. time. timeZone = "Europe/Copenhagen"; # Select internationalisation properties. i18n.defaultLocale = "en_GB.UTF-8"; i18n.extraLocaleSettings = { LC_ADDRESS = "et_EE.UTF-8"; LC_IDENTIFICATION = "et_EE.UTF-8"; LC_MEASUREMENT = "et_EE.UTF-8"; LC_MONETARY = "et_EE.UTF-8"; LC_NAME = "et_EE.UTF-8"; LC_NUMERIC = "et_EE.UTF-8"; LC_PAPER = "et_EE.UTF-8"; LC_TELEPHONE = "et_EE.UTF-8"; LC_TIME = "et_EE.UTF-8"; }; # Configure keymap in X11 services.xserver. xkb = { layout = "us"; variant = ""; }; # Enable Seatd for Wayland sessions # IMPORTANT: Enable seatd service for River WM services.seatd = { enable = true; logLevel = "info"; }; # Enable the gnome-keyring secrets vault. # Will be exposed through DBus to programs willing to store secrets. services. gnome.gnome-keyring.enable = true; # Enable Sway window manager programs.sway = { enable = true; wrapperFeatures.gtk = true; }; services.greetd = { enable = true; settings = { default_session = { command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd sway"; user = "greeter"; }; }; }; # Configure security to allow seatd access security.polkit.enable = true; # Configure GPU support hardware.graphics = { enable = true; enable32Bit = true; }; # Define a user account. Don't forget to set a password with 'passwd'. # Copy this later to generate more custom users. users.users.piholeprg = { isNormalUser = true; description = "NixOS Playground"; extraGroups = ["networkmanager" "wheel" "seat"]; packages = with pkgs; []; initialPassword = "nixos"; # Simple, change on first login }; home-manager.users.piholeprg = {pkgs, ...}: { home.packages = [ pkgs.atool pkgs.httpie pkgs.alacritty # Terminal emulator pkgs. hyfetch # Add fetching packages pkgs.macchina pkgs.wayland # Wayland display server pkgs.wlroots # Wayland compositor library pkgs.maple-mono. NF # Font for better terminal appearance pkgs.wl-clipboard # Clipboard utilities for Wayland pkgs.mako # Wayland Sway Notification Daemon pkgs.btop # Resource monitor ]; # Configure LibreWolf browser programs.librewolf = { enable = true; # Enable WebGL, cookies and history settings = { "webgl.disabled" = false; "privacy.resistFingerprinting" = true; "privacy.clearOnShutdown. history" = false; "privacy.clearOnShutdown.cookies" = true; }; }; # Set Alacritty as the default terminal emulator home.sessionVariables = { TERMINAL = "alacritty"; }; # Use Zsh as the default shell programs.zsh. enable = true; # Configure Alacritty as the default terminal emulator programs.alacritty = { enable = true; settings = { # Window configuration window = { opacity = 1.0; padding = { x = 10; y = 10; }; }; # Font configuration - fixes spacing issues font = { normal = { family = "Maple Mono NF"; style = "Regular"; }; bold = { family = "Maple Mono NF"; style = "Bold"; }; italic = { family = "Maple Mono NF"; style = "Italic"; }; bold_italic = { family = "Maple Mono NF"; style = "Bold Italic"; }; size = 14.0; }; # Colors (optional - using default Alacritty colors) colors = { primary = { background = "#1e1e2e"; foreground = "#cdd6f4"; }; }; }; }; # Configure Hyfetch system info fetcher programs.hyfetch = { enable = true; settings = { preset = "lesbian"; # Use lesbian flag preset mode = "rgb"; # Use RGB color mode lightness = 0.55; # Set to 55% brightness backend = "macchina"; # Use macchina as the backend logo_size = "small"; # Make small logo pride_month_disable = false; # Enable pride month mode (or true to disable) pride_month_shown = []; # List of shown pride month flags color_align = { mode = "horizontal"; }; }; }; # The state version is required and should stay at the version you # originally installed. home.stateVersion = "25.11"; }; # Allow unfree packages nixpkgs.config.allowUnfree = true; # Passwordless sudo for wheel group security.sudo. wheelNeedsPassword = false; # Hardware U2F support - Passwordless sudo with hardware key security.pam.u2f = { enable = true; settings = { authfile = "/etc/u2f_keys"; cue = true; pinverification = 0; # No PIN verification userpresence = 1; # Require user presence (touch) }; }; # SSH Agent authentication security.pam.sshAgentAuth. enable = true; # Automatic upgrades system.autoUpgrade = { enable = true; # Set to true for automatic updates dates = "daily"; allowReboot = false; }; # System packages environment.systemPackages = with pkgs; [ # Network tools wget curl dig tcpdump ethtool iptables nftables iproute2 bridge-utils netcat-gnu traceroute mtr # Add the ability to create NixOS images nixos-generators # Monitoring btop htop iotop bandwhich # Editors micro vim helix # System info fastfetch lshw pciutils usbutils # Filesystem utilities btrfs-progs e2fsprogs ntfs3g dosfstools os-prober # Development tools knot-dns # Browser for web interface access librewolf ]; # Enable zram swap zramSwap = { enable = true; memoryPercent = 50; }; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; # programs.gnupg.agent = { # enable = true; # enableSSHSupport = true; # }; networking = { hosts = { "10.1.1.1" = ["ipfire.server.prg" "ipfire"]; "10.1.1.2" = ["pi-hole.server.prg" "pi-hole"]; # "10.1.1.15" = ["nas.server.prg" "nas"]; }; }; # # Services # services = { # I'm not actually using the dnsmasq service. Pi-hole provides # it's own dnsmasq. I'm using Nix' ability to manage the # dnsmasq-style configuration file that Pi-hole utilizes. dnsmasq = { enable = false; settings = { address = [ #"/feelinsonice-hrd.appspot.com/ # Block Snapchat" #"/feelinsonice. appspot.com/ # Block Snapchat" #"/snapchat.com/ # Block Snapchat" ]; dhcp-name-match = [ #"set: hostname-ignore,wpad" #"set:hostname-ignore,localhost" ]; # Set DHCP option 6 to the DNS server you nodes should use. dhcp-option = [ "vendor: MSFT,2,1i" "6,10.1.1.2" ]; domain = [ "server.prg,192.168.33.0/24,local" ]; }; }; pihole-ftl = { enable = true; lists = [ { url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts"; type = "block"; enabled = true; description = "Steven Black's HOSTS - Usual, porn, gambling, fakenews etc. block"; } ]; openFirewallDNS = true; openFirewallDHCP = true; openFirewallWebserver = true; queryLogDeleter.enable = true; settings = { # See https://docs.pi-hole.net/ftldns/configfile/ dhcp = { active = true; # <-- SET TO TRUE ONLY WHEN YOU'RE READY! end = "10.1.1.254"; hosts = [ # Add new statics here ]; ipv6 = true; leaseTime = "24h"; multiDNS = true; # This ensures that DNS is there, because some people's computers might yeet the given DNS server still start = "10.1.1.122"; rapidCommit = true; resolver = { resolveIPv6 = false; }; router = "10.1.1.1"; }; ### COMMENT THIS AFTER INSTALLATION! misc. readOnly = false; dns = { cnameRecords = [ #"color-printer,office-printer" #"color-printer. homelab. me,office-printer.homelab.me" ]; domain = "server.prg"; domainNeeded = true; expandHosts = true; interface = "ens18"; hosts = [ "10.1.1.1 ipfire" "10.1.1.2 pi-hole" #"10.1.1.15 nas" ]; upstreams = ["127.0.0.1#5335"]; # Pointing to Unbound }; ntp = { ipv4.active = true; ipv6.active = true; sync.active = true; }; webserver = { api = { # To manage the web login: # 1) Temporarily set misc.readOnly to false in # configuration.nix and switch to it. # 2) Manually set a password: # Pi-hole web console > Settings > All settings > # Webserver and API > webserver. api.password > Value: ****** # 3) Read the generated hash: # sudo pihole-FTL --config webserver.api.pwhash }; session = { timeout = 43200; # 12h }; }; }; useDnsmasqConfig = true; }; pihole-web = { enable = true; ports = [80]; }; resolved = { extraConfig = '' DNSStubListener=no MulticastDNS=off ''; }; # Unbound recursive DNS server configuration # Based on Pi-hole + Unbound guide: https://docs.pi-hole.net/guides/dns/unbound/ unbound = { enable = true; package = pkgs.unbound-with-systemd; settings = { server = { # Listen only on localhost for Pi-hole queries interface = ["127.0.0.1"]; port = 5335; # Access control - only allow localhost access-control = [ "127.0.0.0/8 allow" "0.0.0.0/0 refuse" ]; # Enable both IPv4 and IPv6 do-ip4 = true; do-ip6 = true; do-udp = true; do-tcp = true; # Prefer IPv4 (recommended for most setups) prefer-ip6 = false; # Security enhancements harden-glue = true; harden-dnssec-stripped = true; use-caps-for-id = false; # Prevents DNSSEC issues # Performance optimizations from Pi-hole guide edns-buffer-size = 1232; # Prevents UDP fragmentation prefetch = true; # Prefetch expiring cache entries # Threading (1 thread sufficient for most home setups) num-threads = 1; # Increase socket buffer for high query rates so-rcvbuf = "1m"; # Privacy - ensure no queries leak to public IPs private-address = [ "192.168.0.0/16" "169.254.0.0/16" "172.16.0.0/12" "10.0.0.0/8" "fd00::/8" "fe80::/10" # RFC6303 addresses "192.0.2.0/24" "198.51.100.0/24" "203.0.113.0/24" "255.255.255.255/32" "2001:db8::/32" ]; # Logging configuration (set to 0 for production, higher for debugging) verbosity = 0; log-queries = false; # Additional security hide-identity = true; hide-version = true; # Cache settings cache-min-ttl = 0; cache-max-ttl = 86400; # Hardening options harden-below-nxdomain = true; harden-referral-path = false; harden-algo-downgrade = false; }; # Optional: Forward to encrypted DNS (comment out for pure recursive) # Uncomment below to use Quad9 with DNS-over-TLS # forward-zone = [ # { # name = ". "; # forward-addr = [ # "9.9.9.9@853#dns.quad9.net" # "149.112.112.112@853#dns.quad9.net" # ]; # forward-tls-upstream = true; # } # ]; }; }; }; # Systemd configuration for Unbound and Pi-hole integration systemd = { # Create necessary directories and files tmpfiles.rules = [ # Silence benign FTL. log warning "f /etc/pihole/versions 0644 pihole pihole - -" # Unbound directories (if needed for custom configs) "d /var/lib/unbound 0755 unbound unbound - -" ]; services = { # Ensure Unbound starts before Pi-hole FTL pihole-ftl = { after = ["unbound.service"]; wants = ["unbound.service"]; }; # Automatic root hints updater (runs monthly) unbound-root-hints-updater = { description = "Update Unbound Root Hints"; serviceConfig = { Type = "oneshot"; ExecStart = "${pkgs.writeShellScript "update-root-hints" '' #!/usr/bin/env bash set -euo pipefail HINTS_FILE="/var/lib/unbound/root. hints" TEMP_FILE=$(mktemp) echo "Downloading latest root hints..." ${pkgs.curl}/bin/curl -sf https://www.internic.net/domain/named.root -o "$TEMP_FILE" if [ -s "$TEMP_FILE" ]; then mv "$TEMP_FILE" "$HINTS_FILE" chown unbound:unbound "$HINTS_FILE" chmod 644 "$HINTS_FILE" echo "Root hints updated successfully" systemctl restart unbound. service else echo "Failed to download root hints" rm -f "$TEMP_FILE" exit 1 fi ''}"; }; }; }; timers = { # Run root hints update monthly unbound-root-hints-updater = { description = "Monthly Unbound Root Hints Update"; wantedBy = ["timers.target"]; timerConfig = { OnCalendar = "monthly"; Persistent = true; RandomizedDelaySec = "1h"; }; }; }; }; # System activation scripts system.activationScripts = { print-pi-hole = { text = builtins.trace "Building the pi-hole configuration..." ""; }; # Initialize unbound root hints on first boot unbound-root-hints = { text = '' if [ ! -f /var/lib/unbound/root.hints ]; then echo "Initializing Unbound root hints..." ${pkgs.curl}/bin/curl -sf https://www.internic.net/domain/named.root \ -o /var/lib/unbound/root.hints || true if [ -f /var/lib/unbound/root.hints ]; then chown unbound:unbound /var/lib/unbound/root. hints chmod 644 /var/lib/unbound/root.hints fi fi ''; }; # Fix socket buffer size warning unbound-socket-buffer = { text = '' # Set kernel parameter for unbound socket buffer if [ "$(sysctl -n net. core.rmem_max)" -lt 1048576 ]; then echo "Setting net.core.rmem_max=1048576 for Unbound" sysctl -w net.core.rmem_max=1048576 || true fi ''; }; }; # Make socket buffer size permanent boot.kernel.sysctl = { "net.core.rmem_max" = 1048576; # 1MB for Unbound }; # Attach the system to the IPFire network: set a static IP on the Proxmox bridge (ens18) # Adjust `ens18` and the address below to your environment. networking.interfaces.ens18.ipv4.addresses = [ { address = "10.1.1.2"; prefixLength = 24; } # Using this IP for DNS server ]; networking.defaultGateway = "10.1.1.1"; # List services that you want to enable: # Enable the OpenSSH daemon. # services.openssh.enable = true; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It's perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration-knot. nix or on https://nixos.org/nixos/options.html). system.stateVersion = "25.11"; # Did you read the comment? }