services/unbound: init

2022-02-24 13:07:46 +07:00 · 2022-02-24 13:07:46 +07:00 · 40f3f9b11f
commit 40f3f9b11f
parent 5bd03881e0
5 changed files with 47 additions and 0 deletions
--- a/flake.lock
+++ b/flake.lock
@ -234,6 +234,22 @@
        "type": "github"
      }
    },
+    "hosts-blocklists": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1645608170,
+        "narHash": "sha256-fOOmZyagbl5JYp+YYBqeE8uJqr+a3zjoHlW7DQ9ZRK8=",
+        "owner": "notracking",
+        "repo": "hosts-blocklists",
+        "rev": "c5371d52040ef76a54b607fadcd18ece2d18301f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "notracking",
+        "repo": "hosts-blocklists",
+        "type": "github"
+      }
+    },
    "linux-tkg": {
      "flake": false,
      "locked": {
@ -553,6 +569,7 @@
        "fix-user-popouts": "fix-user-popouts",
        "home-manager": "home-manager",
        "home-manager-porcupine": "home-manager-porcupine",
+        "hosts-blocklists": "hosts-blocklists",
        "linux-tkg": "linux-tkg",
        "multitask": "multitask",
        "neovim-nightly": "neovim-nightly",
--- a/flake.nix
+++ b/flake.nix
@ -18,6 +18,7 @@
    powercord-overlay.inputs.nixpkgs.follows = "nixpkgs";

    # services
+    hosts-blocklists = { url = "github:notracking/hosts-blocklists"; flake = false; };
    website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; };

    # zsh plugins
--- a/hosts/caramel/default.nix
+++ b/hosts/caramel/default.nix
@ -31,5 +31,6 @@
      postgres
      synapse
      tmptsync
+      unbound
    ]);
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -19,6 +19,7 @@ in {
    ./services/postgres.nix
    ./services/synapse.nix
    ./services/tmptsync.nix
+    ./services/unbound.nix
  ];
  system = mkAttrsFromPaths [
    ./system/audio.nix
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@ -0,0 +1,27 @@
+{ inputs, ... }: {
+  networking.firewall.interfaces.wlan0 = {
+    allowedUDPPorts = [ 53 ];
+    allowedTCPPorts = [ 53 ];
+  };
+  services.unbound = {
+    enable = true;
+    stateDir = "/persist/unbound";
+    settings = {
+      forward-zone = [{
+        name = ".";
+        forward-tls-upstream = true;
+        forward-addr = [
+          "1.1.1.1@853#cloudflare-dns.com"
+          "1.0.0.1@853#cloudflare-dns.com"
+        ];
+      }];
+
+      server = {
+        interface = [ "0.0.0.0" ];
+        access-control = [ "192.168.100.0/24 allow" ];
+      };
+
+      include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
+    };
+  };
+}