# Compose-style (arion) definition of the "dns" project: a Pi-hole container
# that serves DNS on the host and publishes its admin UI through Traefik, and an
# unbound container sitting next to it on a private bridge network.
# `pkgs` is accepted by the module signature but not used here.
{pkgs, ...}:
let
  # Host directory holding every piece of persistent state for this project.
  dataRoot = "/storage/dataset/docker/dns";

  # Private bridge network shared by pihole and unbound.  Both static
  # addresses below lie inside this subnet (and inside ip_range).
  dnsSubnet = "172.28.1.0/24";
  dnsRange = "172.28.1.5/30";
  dnsGateway = "172.28.1.1";
  unboundAddr = "172.28.1.5";
  piholeAddr = "172.28.1.6";

  # Resolver used by the containers themselves (not the one they serve).
  containerDns = [ "1.1.1.1" ];

  piholeHost = "pihole.ghoscht.com";
  routerPrefix = "traefik.http.routers.pihole";
in
{
  project.name = "dns";

  networks = {
    # Pre-existing network on which Traefik reaches pihole; unbound stays off it.
    dmz = {
      name = "dmz";
      external = true;
    };
    dns = {
      name = "dns";
      driver = "bridge";
      ipam.config = [
        {
          subnet = dnsSubnet;
          ip_range = dnsRange;
          gateway = dnsGateway;
        }
      ];
    };
  };

  services = {
    pihole.service = {
      image = "pihole/pihole:2024.03.1";
      container_name = "pihole";
      hostname = "pihole";
      environment = {
        IPv6 = "True";
        TZ = "Europe/Berlin";
        # NOTE(review): integer where the other variables are strings — confirm
        # the compose renderer stringifies it as intended.
        SKIPGRAVITYONBOOT = 1;
        VIRTUAL_HOST = piholeHost;
        # No admin password is set in this file; presumably it is provisioned
        # elsewhere (or generated at first start) — verify before relying on it.
      };
      volumes = [
        "${dataRoot}/pihole_data:/etc/pihole"
        "${dataRoot}/pihole_dnsmasq:/etc/dnsmasq.d"
      ];
      # Traefik terminates TLS and forwards to the admin UI on port 80 over dmz.
      labels = {
        "traefik.enable" = "true";
        "${routerPrefix}.entrypoints" = "websecure";
        "${routerPrefix}.rule" = "Host(`${piholeHost}`)";
        "traefik.http.services.pihole.loadbalancer.server.port" = "80";
        "traefik.docker.network" = "dmz";
        "${routerPrefix}.tls" = "true";
        "${routerPrefix}.tls.certresolver" = "letsencrypt";
      };
      restart = "always";
      networks = {
        dmz = {};
        dns.ipv4_address = piholeAddr;
      };
      dns = containerDns;
      capabilities.NET_ADMIN = true;
      # Published host ports carry no host address, so they bind on every host
      # interface: DNS on 53/tcp+udp, and the admin UI over plain HTTP on 8420
      # in addition to the TLS route above.  Restrict with "ADDR:port:port" if
      # that exposure is not intended.
      ports = [
        "8420:80"
        "53:53/tcp"
        "53:53/udp"
      ];
    };

    unbound.service = {
      image = "mvance/unbound:1.19.3";
      container_name = "unbound";
      useHostStore = true;
      volumes = [ "${dataRoot}/unbound_data:/opt/unbound/etc/unbound" ];
      restart = "always";
      # Reachable only from the private dns network at a fixed address;
      # no ports are published on the host.
      networks.dns.ipv4_address = unboundAddr;
      dns = containerDns;
    };
  };
}