put pihole password in secrets file and use systemd to auto change it

containers/pihole/default.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 let
   ip = "10.0.0.203";
   interface = "eno1";
@@ -22,13 +22,26 @@ in
     ];
     environment = {
       TZ = "America/Detroit";
-      WEBPASSWORD = "CHANGE_ME_PLEASE!";
       FTLCONF_LOCAL_IPV4 = ip;
       INTERFACE = interface;
     };
     extraOptions = [ "--network=host" ];
   };
 
+  age.secrets.piholeAdminPass = {
+    file = ../../secrets/piholeAdminPass.age;
+    mode = "770";
+    owner = "share";
+    group = "share";
+  };
+
+  systemd.services.podman-pihole.postStart =
+    let
+      password = config.age.secrets.piholeAdminPass.path;
+    in ''
+      podman exec -it pihole pihole -a -p ${password}
+    '';
+
   networking.firewall = {
     allowedTCPPorts = [ 53 80 ];
     allowedUDPPorts = [ 53 ];

secrets/piholeAdminPass.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoJMUA CGfkrC5LHa88XpHrxGJAELHXi+fcoSILipOJjxWPWhQ
+ZSlQrcKXSeaevABSk8Xf76PPZZGC3jp+fdhxvB2u60I
+--- m/rAZBuJimyZwQF5Q7AR3bmJoIcyekaprdxpZzZM0Go
+nT÷½(гÈwiÄVÆÍÄâÊÎq='*u<Ž=
ÃsO)iµ«
.p	cï®V¤1¹Ç]	JÅyà*®ÊnQ›v

secrets/secrets.nix

@@ -2,12 +2,14 @@ let
   systems = {
     eden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIByi8x1IgXBC6iw6MJoO7xIkkU4bdIaQ3Mi6zEtm+IJh";
     oasis = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCvgPNEJrWjeCUmF/izLhIzaAwSNYHW9o5meYmGHGzj";
+    raindog = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINq0rMkFlizGPijlHKMYS9CGWJ2T1ZJHqaLozWdoySz2";
   };
   allSystems = builtins.attrValues systems;
 in
 {
   "forgejoAdminPass.age".publicKeys = [ systems.oasis ];
   "forgejoRunnerToken.age".publicKeys = [ systems.oasis ];
+  "piholeAdminPass.age".publicKeys = [ systems.raindog ];
   "pushoverAppToken.age".publicKeys = allSystems;
   "pushoverUserToken.age".publicKeys = allSystems;
 }