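# Host-side NixOS module: runs Pi-hole inside a systemd-nspawn container
# (containers.<name>) which itself runs podman + arion for the Pi-hole
# workload.  The container gets its own address on the host bridge "br0".
{ pkgs, lib, inputs, configVars, ... }:
let
  containerName = "pihole";

  # Addresses and paths come from the repo-wide configVars set; they are
  # assumed to be plain strings here — TODO confirm against configVars.
  containerIp = configVars.networking.addresses.pihole.ip;
  gatewayIp = configVars.networking.addresses.gateway.ip;
  piholeContainerData = configVars.locations.piholeContainerData;

  # Every file below users/keys, recursively, is read verbatim into root's
  # authorized_keys.  Keep that directory limited to public keys: any other
  # file placed there would be installed as an authorized_keys entry too.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;

  arion = inputs.arion;
in
{
  # NAT for container veths (ve-*) out through the bridge.  This container is
  # attached to br0 via hostBridge, so its traffic presumably does not use a
  # ve-* interface at all; the rule may only matter for other containers.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "br0";
  };

  # Persist the container's root filesystem across reboots (impermanence).
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  containers.${containerName} = {
    enableTun = true;

    # Needed to run docker/podman inside systemd-nspawn.  The entry below is
    # deliberately not a capability name: it closes the generated
    # --capability="..." argument early and appends a syscall filter plus
    # --capability="all" to the nspawn command line.  The net effect is a
    # container holding every capability, so treat it as privileged: a
    # compromise of a workload inside it is close to a host compromise.
    # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
    additionalCapabilities = [
      ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
    ];
    extraFlags = [ "--private-users-ownership=chown" ];
    allowedDevices = [ ];

    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    # Build the container from the same nixpkgs the host uses.
    nixpkgs = pkgs.path;

    # Pi-hole's persistent data lives on the host and is mounted read-write.
    bindMounts."/srv/docker/pihole" = {
      hostPath = piholeContainerData;
      isReadOnly = false;
    };

    # Inner module: the NixOS configuration of the container itself.
    # `pkgs` and `lib` here are the container's, shadowing the outer ones.
    config = { pkgs, lib, ... }: {
      imports = [
        arion.nixosModules.arion
        ../arion-containers/pihole.nix
      ];

      networking = {
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          { address = "${containerIp}"; prefixLength = 24; }
        ];
        firewall = {
          enable = true;
          # Nothing is opened globally here.  SSH and the node exporter open
          # their own ports via their openFirewall options; the DNS ports for
          # Pi-hole are presumably opened by ../arion-containers/pihole.nix.
          allowedTCPPorts = [ ];
          # Allow podman-managed networks to reach DNS on port 53/udp.
          interfaces."podman+".allowedUDPPorts = [ 53 ];
        };
        # The container runs its own resolver; do not inherit the host's.
        useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = false;

      environment.systemPackages = [
        pkgs.vim
        pkgs.git
        pkgs.arion
        pkgs.lsof
        pkgs.podman-compose
      ];

      virtualisation.podman = {
        enable = true;
        dockerSocket.enable = true;
        dockerCompat = true;
        defaultNetwork.settings.dns_enabled = true;
      };

      services.prometheus.exporters.node = {
        enable = true;
        enabledCollectors = [ "systemd" ];
        openFirewall = true;
      };

      # Key-only SSH.  PasswordAuthentication alone leaves the PAM-backed
      # keyboard-interactive method (on by default) available, so disable it
      # too, and make the key-only root policy explicit since root is the
      # only account that receives authorized keys.
      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
          PermitRootLogin = "prohibit-password";
        };
      };
      users.users.root.openssh.authorizedKeys.keys = map builtins.readFile pubKeys;

      system.stateVersion = "24.05";
    };
  };
}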