New blocklist layout

configs/unbound-local-block.conf

@@ -0,0 +1,5 @@
+server:
+  module-config: "respip validator iterator"
+rpz:
+  name: local.block
+  zonefile: /etc/unbound/ads.zone

configs/unbound-local.conf

@@ -1,21 +1,22 @@
-private-address: 10.42.69.0/24
+server: 
-local-zone: "icanttype.org." static
+  private-address: 10.42.69.0/24
-local-data: "zeus.icanttype.org. IN A 10.42.69.100"
+  local-zone: "icanttype.org." static
-local-data: "zeus.icanttype.org. IN AAAA fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01"
+  local-data: "zeus.icanttype.org. IN A 10.42.69.100"
-local-data: "orangepihole.icanttype.org. IN A 10.42.69.2"
+  local-data: "zeus.icanttype.org. IN AAAA fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01"
-local-data-ptr: "10.42.69.100 zeus.icanttype.org"
+  local-data: "orangepihole.icanttype.org. IN A 10.42.69.2"
-local-data-ptr: "10.42.69.2 orangepihole.icanttype.org"
+  local-data-ptr: "10.42.69.100 zeus.icanttype.org"
-local-data: "git.icanttype.org. IN A 10.42.69.100"
+  local-data-ptr: "10.42.69.2 orangepihole.icanttype.org"
-local-data: "sonarr.icanttype.org. IN A 10.42.69.100"
+  local-data: "git.icanttype.org. IN A 10.42.69.100"
-local-data: "homeassistant.icanttype.org. IN A 10.42.69.100"
+  local-data: "sonarr.icanttype.org. IN A 10.42.69.100"
-local-data: "www.icanttype.org. IN A 10.42.69.100"
+  local-data: "homeassistant.icanttype.org. IN A 10.42.69.100"
-local-data: "radarr.icanttype.org. IN A 10.42.69.100"
+  local-data: "www.icanttype.org. IN A 10.42.69.100"
-local-data: "jellyfin.icanttype.org. IN A 10.42.69.100"
+  local-data: "radarr.icanttype.org. IN A 10.42.69.100"
-local-data: "zwave.icanttype.org. IN A 10.42.69.100"
+  local-data: "jellyfin.icanttype.org. IN A 10.42.69.100"
-local-data: "dashboard.icanttype.org. IN A 10.42.69.100"
+  local-data: "zwave.icanttype.org. IN A 10.42.69.100"
-local-data: "prowlarr.icanttype.org. IN A 10.42.69.100"
+  local-data: "dashboard.icanttype.org. IN A 10.42.69.100"
-local-data: "readarr.icanttype.org. IN A 10.42.69.100"
+  local-data: "prowlarr.icanttype.org. IN A 10.42.69.100"
-local-data: "qbittorrent.icanttype.org. IN A 10.42.69.100"
+  local-data: "readarr.icanttype.org. IN A 10.42.69.100"
-local-data: "calibre.icanttype.org. IN A 10.42.69.100"
+  local-data: "qbittorrent.icanttype.org. IN A 10.42.69.100"
-local-data: "calibre-web.icanttype.org. IN A 10.42.69.100"
+  local-data: "calibre.icanttype.org. IN A 10.42.69.100"
-local-data: "romm.icanttype.org. IN A 10.42.69.100"
+  local-data: "calibre-web.icanttype.org. IN A 10.42.69.100"
+  local-data: "romm.icanttype.org. IN A 10.42.69.100"

configs/unbound-threat-zone.conf

@@ -0,0 +1,6 @@
+server:
+  module-config: "respip validator iterator"
+rpz:
+  name: hagezi.tif
+  zonefile: hagezi.tif
+  url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/tif.txt

nixos-configurations/orangepihole.nix

@@ -64,12 +64,13 @@
     };
   };
   mainInterface = "end0";
+  mainInterfaceConfig = "40-end0";
 
   networking = {
     hostName = "orangepihole"; # Define your hostname.
     useDHCP = lib.mkDefault true;
   };
-  systemd.network.networks."end0" = {
+  systemd.network.networks."40-end0" = {
     matchConfig.Name = "end0";
     address = [
       "10.42.69.2/24"

nixos-configurations/zeus.nix

@@ -136,6 +136,7 @@ in
     { device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; }
   ];
   mainInterface = "lan-shim";
+  mainInterfaceConfig = "lan-shim";
   networking = {
     hostName = "zeus"; # Define your hostname.
     hostId = "9e95b576";
@@ -182,7 +183,10 @@ in
         "10.42.69.100/24"
         "fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01/64"
       ];
-      dns = [ "10.42.69.100" "10.42.69.2" ];
+      dns = [
+        "10.42.69.100"
+        "10.42.69.2"
+      ];
       domains = [ "icanttype.org" ];
       gateway = [ "10.42.69.1" ];
       dhcpServerConfig = {

nixos-modules/dhcp.nix

@@ -1,7 +1,7 @@
 { config, lib, ... }:
 {
   options = {
-    mainInterface = lib.mkOption {
+    mainInterfaceConfig = lib.mkOption {
       type = lib.types.str;
     };
   };
@@ -10,7 +10,7 @@
       67
       68
     ];
-    systemd.network.networks.${config.mainInterface} = {
+    systemd.network.networks.${config.mainInterfaceConfig} = {
       networkConfig = {
         DHCPServer = true;
         IPv6SendRA = true;

nixos-modules/unbound.nix

@@ -1,23 +1,21 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 {
-  systemd = {
+
-    services.adblock = {
+  options = {
-      startAt = "daily";
+    mainInterface = lib.mkOption {
-      postStop = "systemctl try-reload-or-restart unbound";
+      type = lib.types.str;
-      path = [
+    };
-        pkgs.gawk
+  };
-        pkgs.wget
+  config = {
-      ];
+    environment.etc."unbound/ads.zone".text = ''
-      script = ''
+      $ORIGIN local.
-        	wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/tif.txt > /tmp/new.conf
+      tiktock.com CNAME .
-                echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf
+      *.tiktock.com CNAME .
-        	echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf
+      iogames.space CNAME .
-        	echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf
+      *.iogames.space CNAME .
-                awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf
+      taming.io CNAME .
-                rm /tmp/new.conf
+      *.taming.io CNAME .
     '';
-    };
-  };
 
     networking = {
       firewall = {
@@ -43,10 +41,12 @@
             ];
           };
           include = [
-          "/etc/unbound/ads.conf"
             "${../configs/unbound-local.conf}"
+            "${../configs/unbound-threat-zone.conf}"
+            "${../configs/unbound-local-block.conf}"
           ];
         };
       };
     };
+  };
 }