Sharing a project I’ve been working on: finite, a NixOS flake for running Pi-hole + Unbound on Raspberry Pi.
Motivation:
Using NixOS on my desktop has been great, but it got me thinking - what if someone who’s never touched Linux wants network-wide ad blocking? My goal with finite is to make that possible: a setup simple enough that you can hand a pre-flashed SD card to a friend and say “plug it in, it just works.”
Also hoping to bring more people from the Raspberry Pi community into NixOS. Pi projects are a natural gateway.
What it does:
Turns a Raspberry Pi into a network-wide ad blocker and private DNS server. Flash the SD card, boot, done.
Features:
- Pre-configured for Pi 3B+ and newer (aarch64)
- Pi-hole in rootless podman container
- Unbound as local recursive resolver (no Google/Cloudflare dependency)
- Time sync pre-configured (prevents Unbound DNSSEC bootstrap errors)
- SSH hardening out of the box
- Config change? Build locally, deploy over SSH in ~10 mins
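For readers who want to see how those features map onto NixOS, here is an added configuration fragment (my illustration, not finite's own module). The Unbound port 5335, the `pihole` container name and the Pi-hole v6 `FTLCONF_*` variables are assumptions; the container here runs through NixOS's oci-containers module as a root-managed systemd unit rather than rootless as finite does.

```nix
# Added illustration, not finite's own code. Standard NixOS options only;
# port 5335, the container name and the FTLCONF_* variables are assumptions.
{ config, pkgs, ... }:
{
  # Set the clock before Unbound starts: DNSSEC signatures carry validity
  # windows, so a Pi booting with a wrong clock fails validation and then
  # cannot even resolve the NTP pool through its own broken resolver.
  services.timesyncd.enable = true;

  # Unbound as the local recursive resolver: it walks from the root servers
  # itself, so no queries are forwarded to Google/Cloudflare. It only
  # listens on loopback; Pi-hole is the sole client of this listener.
  services.unbound = {
    enable = true;
    settings.server = {
      interface = [ "127.0.0.1@5335" ];
      access-control = [ "127.0.0.0/8 allow" ];
      harden-glue = true;
      harden-dnssec-stripped = true;
      qname-minimisation = true;
      hide-identity = true;
      hide-version = true;
      prefetch = true;
    };
  };

  # Pi-hole container with Unbound as its only upstream. Host networking
  # lets it reach 127.0.0.1:5335 and serve port 53 to the LAN directly.
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers.pihole = {
    image = "pihole/pihole:latest";
    extraOptions = [ "--network=host" ];
    environment = {
      FTLCONF_dns_upstreams = "127.0.0.1#5335";   # assumption: Pi-hole v6 env var
      FTLCONF_dns_listeningMode = "local";        # answer LAN only, not all interfaces
    };
  };

  # SSH hardening: key-only logins, no root login, no interactive prompts.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # Home-LAN assumption from the post: only DNS and SSH are reachable.
  networking.firewall.allowedTCPPorts = [ 22 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];
}
```

A quick check after deploying is `dig +dnssec nixos.org @127.0.0.1 -p 5335` from the Pi: the `ad` flag in the response confirms Unbound is validating, which is exactly what breaks when the clock is wrong.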
Would appreciate input from experienced Nix users on:
- Flake structure – is the module organization idiomatic?
- Settings pattern – using a settings.nix for user config, is there a better approach?
- Secrets management – I initially used SOPS but decided to ditch it because it’s too complicated for new users
- Security hardening – LUKS disabled and logging off by default (home LAN assumption, no internet exposure). Any low-hanging fruit I’m missing?
PRs welcome. Happy to answer questions.