Add extraHosts on cj to set /etc/hosts

Set nameservers for cj (bypass circular pihole), enable ipv6 temp addrs
Black hole 80/443 in firewall.nix CJ
2023-06-13 07:11:22 -04:00 · 2023-06-13 07:07:18 -04:00 · 2023-06-13 07:06:44 -04:00 · 2023-06-13 07:05:29 -04:00 · 2023-06-13 07:04:11 -04:00 · 2023-06-13 07:01:45 -04:00
5 changed files with 24 additions and 7 deletions
--- a/machines/cj/configuration.nix
+++ b/machines/cj/configuration.nix
@ -54,14 +54,23 @@
    # networking.hostId is required for ZFS
    hostId = "d9aef7b3";
    # Aliases subdomains we serve here. Since we bypass pihole locally to avoid
    # circular lookups, we can set local addresses here instead of using local
    # dns in pihole (or global dns which would resolve to our WAN ips).
    extraHosts = ''
      127.0.0.1 git.jhink.org vault.jhink.org home.jhink.org
      '';
    # The global useDHCP flag is deprecated, therefore explicitly set to false here. Per-interface useDHCP will be mandatory in the future, so this generated config replicates the default behaviour.
    useDHCP = false;
    interfaces.eth0.useDHCP = true;
-    interfaces.wlan0.useDHCP = true;
+    #interfaces.wlan0.useDHCP = true;
    nameservers = ["1.1.1.1" "9.9.9.9" "8.8.8.8" "1.0.0.1"];
    enableIPv6 = true;
-    tempAddresses = "disabled";  # do not create temporary ipv6 addresses
+    #tempAddresses = "disabled";  # do not create temporary ipv6 addresses
    wireless = {
      enable = false; # turn of wifi until needed
--- a/machines/cj/firewall.nix
+++ b/machines/cj/firewall.nix
@ -7,13 +7,20 @@
    #8123  # home-assistant
    #3000  # gitea
    8081  # vaultwarden
-    80 443  # reverse proxy
+    # If we are reverse proxying we should map to a different port than 443 or
    # 80. Here we blackhole those ports so that pihole will be more efficient.
    # When pihole "blocks" a site, depending on configuration what it may really
    # does is returns its own IP, so the client then requests the content from
    # this node at whichever port it needs. That is usually 80 or 443 for http
    # and https, so it's better to block these fast than to pass all that
    # traffic to some actual service.
    #80 443  # reverse proxy
  ];
  allowedUDPPorts = [
    22000 21027  # syncthing
    3478 5514 10001 1900 123 # unifi
    53  # pihole
-    80 443  # reverse proxy
+    #80 443  # reverse proxy
  ];
  allowedUDPPortRanges = [
    { from = 5656; to = 5699; }  # unifi
--- a/machines/cj/hardware-configuration-zfs.nix
+++ b/machines/cj/hardware-configuration-zfs.nix
@ -28,8 +28,9 @@
  };
  fileSystems."/boot" = {
-    device = "/dev/disk/by-partuuid/e7ebac1e-eb4c-4a7d-8893-49a95f6014d4";
+    device = "/dev/disk/by-partuuid/bfe1047f-b850-8745-80fb-f671ffe91387";
    fsType = "vfat";
    neededForBoot = false;
  };
  fileSystems."/nix" =
--- a/machines/cj/home-assistant.nix
+++ b/machines/cj/home-assistant.nix
@ -1,6 +1,6 @@
 serverIP :
 {
-  image = "ghcr.io/home-assistant/home-assistant:2022.11.2";
+  image = "ghcr.io/home-assistant/home-assistant:2023.06.0";
  #ports = [
    #"8123:8123"
  #];
--- a/machines/cj/pihole.nix
+++ b/machines/cj/pihole.nix
@ -1,5 +1,5 @@
 { serverIP, serverIP6 } : {
-  image = "pihole/pihole:2022.10";
+  image = "pihole/pihole:2023.05.2";
  ports = [
    "53:53/tcp"
    "53:53/udp"
Author	SHA1	Message	Date
Jacob Hinkle	276cd1ae5d	Add extraHosts on cj to set /etc/hosts	2023-06-13 07:11:22 -04:00
Jacob Hinkle	67080d07bc	Set nameservers for cj (bypass circular pihole), enable ipv6 temp addrs	2023-06-13 07:07:18 -04:00
Jacob Hinkle	b7c65ba37d	Black hole 80/443 in firewall.nix CJ	2023-06-13 07:06:44 -04:00
Jacob Hinkle	d436285423	Change UUID of boot partition and set neededForBoot=false	2023-06-13 07:05:29 -04:00
Jacob Hinkle	4a216565fc	Bump home assistant to 2023.06.0	2023-06-13 07:04:11 -04:00
Jacob Hinkle	5408848bfa	Bump pihole container to 2023.05.2	2023-06-13 07:01:45 -04:00
Jacob Hinkle	bfe0a585df	Update pihole image from 2022.10 to 2023.03.1 This is not currently activated due to /boot/EFI/nixos filling up	2023-05-12 08:09:49 -04:00