New blocklist layout

2024-12-31 13:28:56 -05:00 · 2024-12-31 13:28:56 -05:00 · ae10b6ff92
commit ae10b6ff92
parent 45a4a8820d
7 changed files with 82 additions and 65 deletions
--- a/configs/unbound-local-block.conf
+++ b/configs/unbound-local-block.conf
@ -0,0 +1,5 @@
 server:
  module-config: "respip validator iterator"
 rpz:
  name: local.block
  zonefile: /etc/unbound/ads.zone
--- a/configs/unbound-local.conf
+++ b/configs/unbound-local.conf
@ -1,21 +1,22 @@
-private-address: 10.42.69.0/24
+server: 
-local-zone: "icanttype.org." static
+  private-address: 10.42.69.0/24
-local-data: "zeus.icanttype.org. IN A 10.42.69.100"
+  local-zone: "icanttype.org." static
-local-data: "zeus.icanttype.org. IN AAAA fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01"
+  local-data: "zeus.icanttype.org. IN A 10.42.69.100"
-local-data: "orangepihole.icanttype.org. IN A 10.42.69.2"
+  local-data: "zeus.icanttype.org. IN AAAA fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01"
-local-data-ptr: "10.42.69.100 zeus.icanttype.org"
+  local-data: "orangepihole.icanttype.org. IN A 10.42.69.2"
-local-data-ptr: "10.42.69.2 orangepihole.icanttype.org"
+  local-data-ptr: "10.42.69.100 zeus.icanttype.org"
-local-data: "git.icanttype.org. IN A 10.42.69.100"
+  local-data-ptr: "10.42.69.2 orangepihole.icanttype.org"
-local-data: "sonarr.icanttype.org. IN A 10.42.69.100"
+  local-data: "git.icanttype.org. IN A 10.42.69.100"
-local-data: "homeassistant.icanttype.org. IN A 10.42.69.100"
+  local-data: "sonarr.icanttype.org. IN A 10.42.69.100"
-local-data: "www.icanttype.org. IN A 10.42.69.100"
+  local-data: "homeassistant.icanttype.org. IN A 10.42.69.100"
-local-data: "radarr.icanttype.org. IN A 10.42.69.100"
+  local-data: "www.icanttype.org. IN A 10.42.69.100"
-local-data: "jellyfin.icanttype.org. IN A 10.42.69.100"
+  local-data: "radarr.icanttype.org. IN A 10.42.69.100"
-local-data: "zwave.icanttype.org. IN A 10.42.69.100"
+  local-data: "jellyfin.icanttype.org. IN A 10.42.69.100"
-local-data: "dashboard.icanttype.org. IN A 10.42.69.100"
+  local-data: "zwave.icanttype.org. IN A 10.42.69.100"
-local-data: "prowlarr.icanttype.org. IN A 10.42.69.100"
+  local-data: "dashboard.icanttype.org. IN A 10.42.69.100"
-local-data: "readarr.icanttype.org. IN A 10.42.69.100"
+  local-data: "prowlarr.icanttype.org. IN A 10.42.69.100"
-local-data: "qbittorrent.icanttype.org. IN A 10.42.69.100"
+  local-data: "readarr.icanttype.org. IN A 10.42.69.100"
-local-data: "calibre.icanttype.org. IN A 10.42.69.100"
+  local-data: "qbittorrent.icanttype.org. IN A 10.42.69.100"
-local-data: "calibre-web.icanttype.org. IN A 10.42.69.100"
+  local-data: "calibre.icanttype.org. IN A 10.42.69.100"
-local-data: "romm.icanttype.org. IN A 10.42.69.100"
+  local-data: "calibre-web.icanttype.org. IN A 10.42.69.100"
  local-data: "romm.icanttype.org. IN A 10.42.69.100"
--- a/configs/unbound-threat-zone.conf
+++ b/configs/unbound-threat-zone.conf
@ -0,0 +1,6 @@
 server:
  module-config: "respip validator iterator"
 rpz:
  name: hagezi.tif
  zonefile: hagezi.tif
  url: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/tif.txt
--- a/nixos-configurations/orangepihole.nix
+++ b/nixos-configurations/orangepihole.nix
@ -64,12 +64,13 @@
    };
  };
  mainInterface = "end0";
  mainInterfaceConfig = "40-end0";
  networking = {
    hostName = "orangepihole"; # Define your hostname.
    useDHCP = lib.mkDefault true;
  };
-  systemd.network.networks."end0" = {
+  systemd.network.networks."40-end0" = {
    matchConfig.Name = "end0";
    address = [
      "10.42.69.2/24"
--- a/nixos-configurations/zeus.nix
+++ b/nixos-configurations/zeus.nix
@ -136,6 +136,7 @@ in
    { device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; }
  ];
  mainInterface = "lan-shim";
  mainInterfaceConfig = "lan-shim";
  networking = {
    hostName = "zeus"; # Define your hostname.
    hostId = "9e95b576";
@ -182,7 +183,10 @@ in
        "10.42.69.100/24"
        "fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01/64"
      ];
-      dns = [ "10.42.69.100" "10.42.69.2" ];
+      dns = [
        "10.42.69.100"
        "10.42.69.2"
      ];
      domains = [ "icanttype.org" ];
      gateway = [ "10.42.69.1" ];
      dhcpServerConfig = {
--- a/nixos-modules/dhcp.nix
+++ b/nixos-modules/dhcp.nix
@ -1,7 +1,7 @@
 { config, lib, ... }:
 {
  options = {
-    mainInterface = lib.mkOption {
+    mainInterfaceConfig = lib.mkOption {
      type = lib.types.str;
    };
  };
@ -10,7 +10,7 @@
      67
      68
    ];
-    systemd.network.networks.${config.mainInterface} = {
+    systemd.network.networks.${config.mainInterfaceConfig} = {
      networkConfig = {
        DHCPServer = true;
        IPv6SendRA = true;
--- a/nixos-modules/unbound.nix
+++ b/nixos-modules/unbound.nix
@ -1,51 +1,51 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 {
-  systemd = {
+
-    services.adblock = {
+  options = {
-      startAt = "daily";
+    mainInterface = lib.mkOption {
-      postStop = "systemctl try-reload-or-restart unbound";
+      type = lib.types.str;
      path = [
        pkgs.gawk
        pkgs.wget
      ];
      script = ''
        	wget -nv -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/tif.txt > /tmp/new.conf
                echo 'local-zone: "tiktok.com." always_nxdomain' >> /tmp/new.conf
        	echo 'local-zone: "iogames.space." always_nxdomain' >> /tmp/new.conf
        	echo 'local-zone: "taming.io." always_nxdomain' >> /tmp/new.conf
                awk '!seen[$0]++' /tmp/new.conf > /etc/unbound/ads.conf
                rm /tmp/new.conf
      '';
    };
  };
  config = {
    environment.etc."unbound/ads.zone".text = ''
      $ORIGIN local.
      tiktock.com CNAME .
      *.tiktock.com CNAME .
      iogames.space CNAME .
      *.iogames.space CNAME .
      taming.io CNAME .
      *.taming.io CNAME .
    '';
-  networking = {
+    networking = {
-    firewall = {
+      firewall = {
-      allowedUDPPorts = [
+        allowedUDPPorts = [
-        53
+          53
-      ];
+        ];
-      allowedTCPPorts = [ 53 ];
+        allowedTCPPorts = [ 53 ];
      };
    };
  };
-  services = {
+    services = {
-    unbound = {
+      unbound = {
-      enable = true;
+        enable = true;
-      localControlSocketPath = "/var/lib/unbound/control.sock";
+        localControlSocketPath = "/var/lib/unbound/control.sock";
-      settings = {
+        settings = {
-        server = {
+          server = {
-          do-ip6 = "no";
+            do-ip6 = "no";
-          qname-minimisation = "yes";
+            qname-minimisation = "yes";
-          interface = [ config.mainInterface ];
+            interface = [ config.mainInterface ];
-          access-control = [
+            access-control = [
-            "10.0.0.0/8 allow"
+              "10.0.0.0/8 allow"
-            "fc::/7 allow"
+              "fc::/7 allow"
            ];
          };
          include = [
            "${../configs/unbound-local.conf}"
            "${../configs/unbound-threat-zone.conf}"
            "${../configs/unbound-local-block.conf}"
          ];
        };
        include = [
          "/etc/unbound/ads.conf"
          "${../configs/unbound-local.conf}"
        ];
      };
    };
  };