diff --git a/configs/unbound-local-block.conf b/configs/unbound-local-block.conf
new file mode 100644
index 0000000..9566b5b
--- /dev/null
+++ b/configs/unbound-local-block.conf
@@ -0,0 +1,5 @@
+server:
+ module-config: "respip validator iterator"
+rpz:
+ name: local.block
+ zonefile: /etc/unbound/ads.zone
\ No newline at end of file
diff --git a/configs/unbound-local.conf b/configs/unbound-local.conf
index 937775c..11e7a71 100644
--- a/configs/unbound-local.conf
+++ b/configs/unbound-local.conf
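Review bot: `name: local.block` loads a zone whose file (`/etc/unbound/ads.zone`, written in the unbound.nix hunk of this commit) begins with `$ORIGIN local.`, so every record in it is `X.local.` rather than a name under `local.block.`; unbound handles an RPZ as an authoritative zone, and records outside the apex are, as far as I can tell, rejected or ignored on load, which would leave this block list empty. Make the two agree, e.g. `$ORIGIN local.block.` in the zone text or `name: local.` here, and check the unbound log after a reload for the zone's record count. `module-config: "respip validator iterator"` is repeated in unbound-threat-zone.conf; the parser appears to keep the last value seen so this works, but declaring it once in `settings.server` in unbound.nix removes the dependence on include order.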
@@ -1,21 +1,22 @@
-private-address: 10.42.69.0/24
-local-zone: "icanttype.org." static
-local-data: "zeus.icanttype.org. IN A 10.42.69.100"
-local-data: "zeus.icanttype.org. IN AAAA fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01"
-local-data: "orangepihole.icanttype.org. IN A 10.42.69.2"
-local-data-ptr: "10.42.69.100 zeus.icanttype.org"
-local-data-ptr: "10.42.69.2 orangepihole.icanttype.org"
-local-data: "git.icanttype.org. IN A 10.42.69.100"
-local-data: "sonarr.icanttype.org. IN A 10.42.69.100"
-local-data: "homeassistant.icanttype.org. IN A 10.42.69.100"
-local-data: "www.icanttype.org. IN A 10.42.69.100"
-local-data: "radarr.icanttype.org. IN A 10.42.69.100"
-local-data: "jellyfin.icanttype.org. IN A 10.42.69.100"
-local-data: "zwave.icanttype.org. IN A 10.42.69.100"
-local-data: "dashboard.icanttype.org. IN A 10.42.69.100"
-local-data: "prowlarr.icanttype.org. IN A 10.42.69.100"
-local-data: "readarr.icanttype.org. IN A 10.42.69.100"
-local-data: "qbittorrent.icanttype.org. IN A 10.42.69.100"
-local-data: "calibre.icanttype.org. IN A 10.42.69.100"
-local-data: "calibre-web.icanttype.org. IN A 10.42.69.100"
-local-data: "romm.icanttype.org. IN A 10.42.69.100"
\ No newline at end of file
+server:
+ private-address: 10.42.69.0/24
+ local-zone: "icanttype.org." static
+ local-data: "zeus.icanttype.org. IN A 10.42.69.100"
+ local-data: "zeus.icanttype.org. IN AAAA fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01"
+ local-data: "orangepihole.icanttype.org. IN A 10.42.69.2"
+ local-data-ptr: "10.42.69.100 zeus.icanttype.org"
+ local-data-ptr: "10.42.69.2 orangepihole.icanttype.org"
+ local-data: "git.icanttype.org. IN A 10.42.69.100"
+ local-data: "sonarr.icanttype.org. IN A 10.42.69.100"
+ local-data: "homeassistant.icanttype.org. IN A 10.42.69.100"
+ local-data: "www.icanttype.org. IN A 10.42.69.100"
+ local-data: "radarr.icanttype.org. IN A 10.42.69.100"
+ local-data: "jellyfin.icanttype.org. IN A 10.42.69.100"
+ local-data: "zwave.icanttype.org. IN A 10.42.69.100"
+ local-data: "dashboard.icanttype.org. IN A 10.42.69.100"
+ local-data: "prowlarr.icanttype.org. IN A 10.42.69.100"
+ local-data: "readarr.icanttype.org. IN A 10.42.69.100"
+ local-data: "qbittorrent.icanttype.org. IN A 10.42.69.100"
+ local-data: "calibre.icanttype.org. IN A 10.42.69.100"
+ local-data: "calibre-web.icanttype.org. IN A 10.42.69.100"
+ local-data: "romm.icanttype.org. IN A 10.42.69.100"
\ No newline at end of file
diff --git a/configs/unbound-threat-zone.conf b/configs/unbound-threat-zone.conf
new file mode 100644
index 0000000..6aa966f
--- /dev/null
+++ b/configs/unbound-threat-zone.conf
@@ -0,0 +1,6 @@
+server:
+ module-config: "respip validator iterator"
+rpz:
+ name: hagezi.tif
+ zonefile: hagezi.tif
+ url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/tif.txt
\ No newline at end of file
diff --git a/nixos-configurations/orangepihole.nix b/nixos-configurations/orangepihole.nix
index d362718..8d68bb7 100644
--- a/nixos-configurations/orangepihole.nix
+++ b/nixos-configurations/orangepihole.nix
@@ -64,12 +64,13 @@
 };
 };
 mainInterface = "end0";
+ mainInterfaceConfig = "40-end0";
 networking = {
 hostName = "orangepihole"; # Define your hostname.
 useDHCP = lib.mkDefault true;
 };
- systemd.network.networks."end0" = {
+ systemd.network.networks."40-end0" = {
 matchConfig.Name = "end0";
 address = [
 "10.42.69.2/24"
diff --git a/nixos-configurations/zeus.nix b/nixos-configurations/zeus.nix
index 0144120..020e469 100644
--- a/nixos-configurations/zeus.nix
+++ b/nixos-configurations/zeus.nix
@@ -136,6 +136,7 @@ in
 { device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; }
 ];
 mainInterface = "lan-shim";
+ mainInterfaceConfig = "lan-shim";
 networking = {
 hostName = "zeus"; # Define your hostname.
 hostId = "9e95b576";
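Review bot: The `url:` in the rpz clause fetches the list over https, but nothing in the included files or in the `settings.server` block of unbound.nix configures `tls-cert-bundle` or `tls-system-cert`, which unbound uses to verify the certificate of the download server; whether this unbound version refuses the transfer or proceeds unverified without one should be confirmed in its log. Since this file decides which names get NXDOMAIN for every client, the verification should be explicit, e.g. `tls-system-cert: yes` under `server:`. The relative `zonefile: hagezi.tif` is resolved against unbound's working directory (presumably writable, since the downloaded zone is stored there), whereas unbound-local-block.conf uses an absolute `/etc/unbound/ads.zone`; a one-line comment on why the two differ would help the next reader.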
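Review bot: `mainInterfaceConfig = "40-end0";` and the unit key `systemd.network.networks."40-end0"` are the same string maintained in two places, and `matchConfig.Name = "end0"` repeats `mainInterface`; if either pair drifts, dhcp.nix's `systemd.network.networks.${config.mainInterfaceConfig}` ends up in a separate unit and its DHCP server settings presumably no longer apply to the interface configured here. Keying the unit off the options, `systemd.network.networks.${config.mainInterfaceConfig} = { matchConfig.Name = config.mainInterface; …`, removes the duplication; failing that, a comment `# key must match mainInterfaceConfig: dhcp.nix extends this unit by that name` on the unit line documents the coupling. The same applies to `mainInterfaceConfig = "lan-shim";` in the zeus.nix hunk. The enclosing attribute set starts and ends outside the hunk.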
@@ -182,7 +183,10 @@ in
 "10.42.69.100/24"
 "fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01/64"
 ];
- dns = [ "10.42.69.100" "10.42.69.2" ];
+ dns = [
+ "10.42.69.100"
+ "10.42.69.2"
+ ];
 domains = [ "icanttype.org" ];
 gateway = [ "10.42.69.1" ];
 dhcpServerConfig = {
diff --git a/nixos-modules/dhcp.nix b/nixos-modules/dhcp.nix
index 8f31230..e280e50 100644
--- a/nixos-modules/dhcp.nix
+++ b/nixos-modules/dhcp.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }:
 {
 options = {
- mainInterface = lib.mkOption {
+ mainInterfaceConfig = lib.mkOption {
 type = lib.types.str;
 };
 };
@@ -10,7 +10,7 @@
 67
 68
 ];
- systemd.network.networks.${config.mainInterface} = {
+ systemd.network.networks.${config.mainInterfaceConfig} = {
 networkConfig = {
 DHCPServer = true;
 IPv6SendRA = true;
diff --git a/nixos-modules/unbound.nix b/nixos-modules/unbound.nix
index 7f5940f..50e383b 100644
--- a/nixos-modules/unbound.nix
+++ b/nixos-modules/unbound.nix
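Review bot: `mainInterfaceConfig = lib.mkOption { type = lib.types.str; };` declares an option with no `description`, and its sibling `mainInterface` is now declared in the unbound.nix hunk of this commit, so one host's network identity is split across two feature modules and a host that imports only one of them fails evaluation as soon as it sets the other. Adding `description = "Name of the systemd.network.networks entry that dhcp.nix extends with the DHCP server settings";` here makes the difference from `mainInterface` (the interface name unbound listens on) visible to whoever sets both. Declaring the two options together in a shared module would remove the import-order dependency. The `config` part of the module continues outside the second hunk.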
@@ -1,51 +1,51 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 {
- systemd = {
- services.adblock = {
- startAt = "daily";
- postStop = "systemctl try-reload-or-restart unbound";
- path = [
- pkgs.gawk
- pkgs.wget
- ];
- script = ''
- wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/tif.txt > /tmp/new.conf
- echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf
- echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf
- echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf
- awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf
- rm /tmp/new.conf
- '';
+
+ options = {
+ mainInterface = lib.mkOption {
+ type = lib.types.str;
 };
 };
+ config = {
+ environment.etc."unbound/ads.zone".text = ''
+ $ORIGIN local.
+ tiktock.com CNAME .
+ *.tiktock.com CNAME .
+ iogames.space CNAME .
+ *.iogames.space CNAME .
+ taming.io CNAME .
+ *.taming.io CNAME .
+ '';
- networking = {
- firewall = {
- allowedUDPPorts = [
- 53
- ];
- allowedTCPPorts = [ 53 ];
+ networking = {
+ firewall = {
+ allowedUDPPorts = [
+ 53
+ ];
+ allowedTCPPorts = [ 53 ];
+ };
 };
- };
- services = {
- unbound = {
- enable = true;
- localControlSocketPath = "/var/lib/unbound/control.sock";
- settings = {
- server = {
- do-ip6 = "no";
- qname-minimisation = "yes";
- interface = [ config.mainInterface ];
- access-control = [
- "10.0.0.0/8 allow"
- "fc::/7 allow"
+ services = {
+ unbound = {
+ enable = true;
+ localControlSocketPath = "/var/lib/unbound/control.sock";
+ settings = {
+ server = {
+ do-ip6 = "no";
+ qname-minimisation = "yes";
+ interface = [ config.mainInterface ];
+ access-control = [
+ "10.0.0.0/8 allow"
+ "fc::/7 allow"
+ ];
+ };
+ include = [
+ "${../configs/unbound-local.conf}"
+ "${../configs/unbound-threat-zone.conf}"
+ "${../configs/unbound-local-block.conf}"
 ];
 };
- include = [
- "/etc/unbound/ads.conf"
- "${../configs/unbound-local.conf}"
- ];
 };
 };
 };
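Review bot: `tiktock.com CNAME .` and `*.tiktock.com CNAME .` in the `unbound/ads.zone` text misspell the domain that the removed adblock script blocked as `tiktok.com`, so the RPZ entry matches a name nobody queries and that block is silently lost; change both to `tiktok.com CNAME .` and `*.tiktok.com CNAME .`. The zone text also has no SOA or NS record at the apex, and unbound loads an RPZ as an authoritative zone, so whether it accepts the file as written should be confirmed from its log after the first restart rather than assumed. A comment above the string, `# RPZ: "CNAME ." answers NXDOMAIN; one bare and one wildcard entry per blocked domain`, would save the next reader a trip to the RPZ spec.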