From 17164b05b9b04ce2ac161454bf5357c875e29f08 Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Thu, 22 May 2025 22:57:47 +1000
Subject: [PATCH] services/unbound: bring back

---
 flake.lock | 17 +++++++++++++++++
 flake.nix | 2 +-
 hosts/dandelion/default.nix | 1 +
 modules/services/unbound.nix | 15 +++++++++++----
 4 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/flake.lock b/flake.lock
index e6a52d4..e69dca7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -722,6 +722,7 @@
 "pure": "pure",
 "spicetify-nix": "spicetify-nix",
 "spotify-adblock": "spotify-adblock",
+ "stevenblack-hosts": "stevenblack-hosts",
 "tree-sitter-jsonc": "tree-sitter-jsonc",
 "website": "website",
 "wine-discord-ipc-bridge": "wine-discord-ipc-bridge",
@@ -766,6 +767,22 @@
 "type": "github"
 }
 },
+ "stevenblack-hosts": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1747792192,
+ "narHash": "sha256-HeWotX8CVc3vDlvAGq99FaeAT9JRSWtx4N/NhtjPwtg=",
+ "owner": "StevenBlack",
+ "repo": "hosts",
+ "rev": "dbdcb032706dfe548745266218501afa93c14ad5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "StevenBlack",
+ "repo": "hosts",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 9f5e51d..98a4505 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
 spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
 # services
- # hosts-blocklists = { url = "github:notracking/hosts-blocklists"; flake = false; };
+ stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; };
 website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; };
 # zsh plugins
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index 55a46bc..2e915a3 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@@ -21,6 +21,7 @@
 modules.services.nginx
 modules.services.postgres
+ modules.services.unbound
 ./filesystem.nix
 ./kernel.nix
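Review bot: The new `stevenblack-hosts` input is a non-flake source, so the blocklist it feeds is frozen at whatever rev `flake.lock` records and only moves when the lock is updated, which for an ad/malware hosts list means it quietly goes stale between updates. A comment on the input line would make that cadence explicit for whoever maintains the host, e.g. `# blocklist source (non-flake); re-lock periodically or the list does not refresh`. The replaced `hosts-blocklists` line was already commented out, so nothing else in the inputs set depends on the old name as far as this hunk shows.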
diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix
index a9cf3bc..5ee9cc7 100644
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@@ -1,8 +1,12 @@
-{ inputs, ... }:
+{ inputs, pkgs, gcSecrets, ... }:
 let
 dir = "/persist/unbound";
+
+ converted = pkgs.runCommand "stevenblack-hosts-unbound" {} ''
+ grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' > "$out"
+ '';
 in {
- networking.firewall.interfaces.wlan0 = {
+ networking.firewall.interfaces.wg0 = {
 allowedUDPPorts = [ 53 853 ];
 allowedTCPPorts = [ 53 853 ];
 };
@@ -16,17 +20,20 @@ in {
 name = ".";
 forward-tls-upstream = true;
 forward-addr = [
+ "2606:4700:4700::1111@853#cloudflare-dns.com"
+ "2606:4700:4700::1001@853#cloudflare-dns.com"
 "1.1.1.1@853#cloudflare-dns.com"
 "1.0.0.1@853#cloudflare-dns.com"
 ];
 }];
 server = {
- interface = [ "0.0.0.0" ];
+ interface = [ "0.0.0.0" "::0" ];
 access-control = [
 "127.0.0.1/8 allow"
 "10.0.0.0/8 allow"
 "192.168.100.0/24 allow"
+ "${gcSecrets.wireguard.ipv6Subnet}/80 allow"
 ];
 domain-insecure = [ "\"local.lava.moe\"" ];
 local-zone = [ "\"warden.local.lava.moe.\" redirect" ];
@@ -35,7 +42,7 @@ in {
 ];
 };
- include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
+ include = "${converted}";
 };
 };
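Review bot: The `converted` derivation copies the second field of every `0.0.0.0` line straight into unbound's config with no check on its shape, so whatever the upstream file contains becomes a `local-zone:` directive; if I recall the StevenBlack header correctly it also carries a `0.0.0.0 0.0.0.0` self-entry, which would produce a `local-zone: "0.0.0.0" always_refuse` line. I would constrain the injected names to hostname-shaped tokens and drop the self-entry in the awk program: `awk '$2 != "0.0.0.0" && $2 ~ /^[A-Za-z0-9._-]+$/ {print "local-zone: \""$2"\" always_refuse"}'`, so a garbled or hostile line upstream cannot become arbitrary config text. A one-line comment above the derivation saying what it produces would also help, e.g. `# hosts-file (0.0.0.0 <name>) -> unbound local-zone refuse lines, generated at build time`. The `let` binding is complete here, but the module body it feeds continues past the hunk.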
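Review bot: `"${gcSecrets.wireguard.ipv6Subnet}/80 allow"` interpolates a value from `gcSecrets` into `services.unbound.settings`, and the rendered unbound.conf is a store path readable by every local user, so if that subnet is meant to stay secret it no longer is after this change; if it is merely private, a comment saying so would spare the next reader the question, e.g. `# not sensitive: this prefix is rendered into the store-side unbound.conf`. The hard-coded `/80` is appended to a value whose own form is not visible here; this only works if `ipv6Subnet` is a bare address without its own prefix length, which is worth stating in the same comment. The `server` attribute set begins and ends outside this hunk.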