nix-configs/systems/orangepihole/configuration.nix

{ config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ../../modules/common.nix
    ../../modules/networkd-base.nix
  ];

  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.loader.timeout = 1;
  boot.tmp.cleanOnBoot = true;
  networking = {
    hostName = "orangepihole"; # Define your hostname.
  };
  systemd.network.networks."40-end0" = {
    matchConfig.Name = "end0";
    address = [
      "10.42.69.2/24"
      "fd72:3dd5:21ae:3c97::2/64"
    ];
    dns = [
      "10.42.69.2"
      "fd72:3dd5:21ae:3c97::2"
    ];
    domains = [ "icanttype.org" ];
    gateway = [ "10.42.69.1" ];
    networkConfig.DHCPServer = true;
    dhcpServerConfig = {
      PoolOffset = 150;
      EmitDNS = true;
      DNS = "10.42.69.2";
      EmitRouter = true;
      Router = "10.42.69.1";
      SendOption = [
        "15:string:icanttype.org"
        "119:string:icanttype.org"
      ];
    };
    networkConfig.IPv6SendRA = true;
    ipv6SendRAConfig.RouterLifetimeSec = 0;
    ipv6SendRAConfig.EmitDNS = false;
    ipv6Prefixes = [ { ipv6PrefixConfig.Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
  };
  zramSwap.enable = true;
  swapDevices = [
    {
      device = "/persist/swapfile";
      size = 1024;
    }
  ];
  services = {
    unbound = {
      enable = true;
      localControlSocketPath = "/var/lib/unbound/control.sock";
      settings = {
        server = {
          do-ip6 = "no";
          qname-minimisation = "yes";
          interface = [ "end0" ];
          access-control = [
            "10.0.0.0/8 allow"
            "fc::/7 allow"
          ];
        };
        include = [
          "/etc/unbound/ads.conf"
          "${./unbound-local.conf}"
        ];
      };
    };
    journald.storage = "volatile";
  };

  systemd = {
    services.adblock = {
      startAt = "daily";
      postStop = "systemctl try-reload-or-restart unbound";
      path = with pkgs; [
        gawk
        wget
      ];
      script = ''
        	wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf > /tmp/new.conf
                echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf
        	echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf
        	echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf
                awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf
                rm /tmp/new.conf
      '';
    };
  };

  environment = {
    systemPackages = with pkgs; [
      vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
      wget
    ];
    persistence."/persist" = {
      hideMounts = true;
      directories = [
        "/var/lib/nixos"
        "/var/lib/systemd"
        "/tmp"
      ];
      files = [
        "/etc/machine-id"
        "/etc/adjtime"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/unbound/ads.conf"
      ];
    };
  };

  networking.firewall = {
    allowedUDPPorts = [
      53
      67
      68
    ];
    allowedTCPPorts = [ 53 ];
  };

  system.stateVersion = "23.11"; # Did you read the comment?
  sops.secrets."nixremote/sshkey" = { };
  nix.buildMachines = [
    {
      hostName = "zeus";
      systems = [
        "x86_64-linux"
        "aarch64-linux"
      ];
      protocol = "ssh-ng";
      sshKey = config.sops.secrets."nixremote/sshkey".path;
      sshUser = "nixremote";
      supportedFeatures = [
        "nixos-test"
        "benchmark"
        "big-parallel"
        "kvm"
      ];
    }
  ];
  programs.ssh.extraConfig = ''
    Host zeus
    User nixremote
    StrictHostKeyChecking accept-new
    IdentitiesOnly yes
    IdentityFile ${config.sops.secrets."nixremote/sshkey".path}
  '';
  nix.distributedBuilds = false;
  #nix.settings.max-jobs = 0;
}