Pihole's AdminLTE is a web app which visualises statistics from pihole-FTL (i.e. dnsmasq), shows query logs, and allows configuration. With this module, configuration is largely declarative and immutable, so settings can't be changed, but they can be viewed from the webpage. The admin page also allows regenerating the DNS ("gravity") database, which requires write access to the pihole state directory, as well as being able to signal pihole-FTL to reload its DNS cache. For the latter, a polkit rule is optionally enabled.
1 parent
3c193ef
commit f1a9471
Showing
5 changed files
with
154 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# Pi-hole AdminLTE {#module-services-web-apps-pihole-adminlte} | ||
|
||
The Pi-hole suite provides a web GUI for controlling and monitoring | ||
[pihole-FTL](#module-services-networking-pihole-ftl). | ||
|
||
## Configuration {#module-services-web-apps-pihole-adminlte-configuration} | ||
|
||
AdminLTE requires little configuration, because it is largely is largely parsed | ||
from [the Dnsmasq configuration](https://search.nixos.org/options?from=0&size=50&sort=relevance&type=packages&query=services.dnsmasq). | ||
|
||
Note that most settings on the *Settings* page are Dnsmasq options. Since the | ||
configuration is immutable and comes from NixOS options, most settings cannot be | ||
changed. | ||
|
||
Example configuration: | ||
|
||
``` | ||
services.pihole-adminlte = { | ||
enable = true; | ||
theme = "default-darker"; | ||
}; | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,127 @@ | ||
{ pkgs | ||
, lib | ||
, config | ||
, ... | ||
}: | ||
|
||
with lib; | ||
|
||
let | ||
cfg = config.services.pihole-adminlte; | ||
ftlCfg = config.services.pihole-ftl; | ||
user = ftlCfg.user; | ||
group = ftlCfg.group; | ||
in | ||
{ | ||
options.services.pihole-adminlte = { | ||
enable = mkEnableOption (mdDoc "Pi-hole admin dashboard"); | ||
hostName = mkOption { | ||
type = types.str; | ||
description = mdDoc "Domain name for the website."; | ||
default = "pi.hole"; | ||
}; | ||
package = mkPackageOptionMD pkgs "pihole-adminlte" {}; | ||
dnsServers = mkOption { | ||
type = types.str; | ||
description = mdDoc '' | ||
DNS providers list. | ||
The default value is extracted from the pihole installation script. | ||
''; | ||
default = '' | ||
Google (ECS);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844 | ||
OpenDNS (ECS, DNSSEC);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53 | ||
Level3;4.2.2.1;4.2.2.2;; | ||
Comodo;8.26.56.26;8.20.247.20;; | ||
DNS.WATCH;84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b | ||
Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9 | ||
Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10 | ||
Quad9 (filtered + ECS);9.9.9.11;149.112.112.11;2620:fe::11;2620:fe::fe:11 | ||
Cloudflare;1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001 | ||
''; | ||
}; | ||
theme = mkOption { | ||
type = types.enum [ "default-light" "default-dark" "default-darker" "default-auto" "lcars" ]; | ||
description = mdDoc "Website theme"; | ||
default = "default-light"; | ||
example = "default-dark"; | ||
}; | ||
temperatureUnit = mkOption { | ||
type = types.enum [ "C" "F" ]; | ||
description = mdDoc "Temperature display unit"; | ||
default = "C"; | ||
example = "F"; | ||
}; | ||
enablePolkitRule = mkOption { | ||
type = types.bool; | ||
description = mdDoc '' | ||
Enable a Polkit rule which allows users to restart the pihole-FTL daemon | ||
from the website. This can be done from the Update Gravity page. | ||
''; | ||
default = true; | ||
}; | ||
}; | ||
|
||
config = mkIf cfg.enable { | ||
services.phpfpm.pools.pihole = { | ||
inherit user group; | ||
phpPackage = pkgs.php; | ||
settings = mapAttrs (name: mkDefault) { | ||
"listen.owner" = config.services.nginx.user; | ||
"listen.group" = config.services.nginx.group; | ||
"pm" = "ondemand"; | ||
"pm.max_children" = 5; | ||
}; | ||
}; | ||
|
||
services.nginx.virtualHosts.${cfg.hostName} = { | ||
root = "${cfg.package}/share"; | ||
locations = { | ||
"/".extraConfig = "index index.php;"; | ||
"~ \\.php$".extraConfig = '' | ||
include ${config.services.nginx.package}/conf/fastcgi.conf; | ||
fastcgi_param SERVER_NAME $host; | ||
fastcgi_pass unix:${config.services.phpfpm.pools.pihole.socket}; | ||
fastcgi_intercept_errors on; | ||
fastcgi_request_buffering off; | ||
''; | ||
"= /favicon.ico".extraConfig = "access_log off; log_not_found off;"; | ||
"~ /\\.".extraConfig = "access_log off; log_not_found off; deny all;"; | ||
"~ ~$ ".extraConfig = "access_log off; log_not_found off; deny all;"; | ||
}; | ||
extraConfig = '' | ||
add_header X-Pi-hole "The Pi-hole Web interface is working!"; | ||
add_header X-Frame-Options "SAMEORIGIN"; | ||
add_header X-XSS-Protection "0"; | ||
add_header X-Content-Type-Options "nosniff"; | ||
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline';"; | ||
add_header X-Permitted-Cross-Domain-Policies "none"; | ||
add_header Referrer-Policy "same-origin"; | ||
''; | ||
}; | ||
|
||
# The Update Gravity page requires writing to pihole's state directory | ||
systemd.services.phpfpm-pihole.serviceConfig = { | ||
ReadWritePaths = [ config.services.pihole-ftl.stateDirectory ]; | ||
}; | ||
|
||
environment.etc."pihole/dns-servers.conf" = { | ||
inherit user group; | ||
text = cfg.dnsServers; | ||
mode = "644"; | ||
}; | ||
|
||
# The Update Gravity page needs to restart pihole-ftl | ||
security.polkit.extraConfig = mkIf cfg.enablePolkitRule '' | ||
polkit.addRule(function(action, subject) { | ||
if (action.id == "org.freedesktop.systemd1.manage-units" && | ||
action.lookup("unit") == "pihole-ftl.service" && | ||
action.lookup("verb") == "restart" && | ||
subject.user == "${user}") { | ||
return polkit.Result.YES; | ||
} | ||
}); | ||
''; | ||
}; | ||
|
||
meta.doc = ./pihole-adminlte.md; | ||
} |
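Review bot: The PHP-FPM pool is declared with `inherit user group;`, so it runs as the account taken from `services.pihole-ftl`, and both the polkit test `subject.user == "${user}"` and the `ReadWritePaths` grant on the FTL state directory therefore apply to every PHP request served by this vhost; nothing in the module separates the web front end from the resolver's own identity. Because `enablePolkitRule` has `default = true;`, enabling the dashboard also grants that account the right to restart `pihole-ftl.service`, and switching to `default = false;` would make the privilege grant an explicit opt-in. The option description says the rule "allows users" to restart the daemon while the rule matches a single account, so I would reword it to `Allow the pihole-ftl user, which the PHP-FPM pool runs as, to restart pihole-ftl.service through polkit.` The virtual host sets no access restriction of its own and presumably relies on the web app's login, which is worth one sentence in the module documentation.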