From 40f3f9b11f20829c62b4df31f8655e9d856af02a Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Thu, 24 Feb 2022 13:07:46 +0700
Subject: [PATCH] services/unbound: init
---
 flake.lock | 17 +++++++++++++++++
 flake.nix | 1 +
 hosts/caramel/default.nix | 1 +
 modules/default.nix | 1 +
 modules/services/unbound.nix | 27 +++++++++++++++++++++++++++
 5 files changed, 47 insertions(+)
 create mode 100644 modules/services/unbound.nix
diff --git a/flake.lock b/flake.lock
index fa40167..1514dd8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -234,6 +234,22 @@ "type": "github" } }, + "hosts-blocklists": { + "flake": false, + "locked": { + "lastModified": 1645608170, + "narHash": "sha256-fOOmZyagbl5JYp+YYBqeE8uJqr+a3zjoHlW7DQ9ZRK8=", + "owner": "notracking", + "repo": "hosts-blocklists", + "rev": "c5371d52040ef76a54b607fadcd18ece2d18301f", + "type": "github" + }, + "original": { + "owner": "notracking", + "repo": "hosts-blocklists", + "type": "github" + } + }, "linux-tkg": { "flake": false, "locked": {
@@ -553,6 +569,7 @@ "fix-user-popouts": "fix-user-popouts", "home-manager": "home-manager", "home-manager-porcupine": "home-manager-porcupine", + "hosts-blocklists": "hosts-blocklists", "linux-tkg": "linux-tkg", "multitask": "multitask", "neovim-nightly": "neovim-nightly",
diff --git a/flake.nix b/flake.nix
index 4df950d..7a0dbdb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,6 +18,7 @@
 powercord-overlay.inputs.nixpkgs.follows = "nixpkgs";
 # services
+ hosts-blocklists = { url = "github:notracking/hosts-blocklists"; flake = false; };
 website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; };
 # zsh plugins
diff --git a/hosts/caramel/default.nix b/hosts/caramel/default.nix
index 44d7b7d..64c5fe7 100644
--- a/hosts/caramel/default.nix
+++ b/hosts/caramel/default.nix
@@ -31,5 +31,6 @@
 postgres
 synapse
 tmptsync
+ unbound
 ]);
 }
diff --git a/modules/default.nix b/modules/default.nix
index 0cf77f3..7a1b111 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -19,6 +19,7 @@ in {
 ./services/postgres.nix
 ./services/synapse.nix
 ./services/tmptsync.nix
+ ./services/unbound.nix
 ];
 system = mkAttrsFromPaths [
 ./system/audio.nix
diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix
new file mode 100644
index 0000000..4f135ff
--- /dev/null
+++ b/modules/services/unbound.nix
@@ -0,0 +1,27 @@
+{ inputs, ... }: {
+ networking.firewall.interfaces.wlan0 = {
+ allowedUDPPorts = [ 53 ];
+ allowedTCPPorts = [ 53 ];
+ };
+ services.unbound = {
+ enable = true;
+ stateDir = "/persist/unbound";
+ settings = {
+ forward-zone = [{
+ name = ".";
+ forward-tls-upstream = true;
+ forward-addr = [
+ "1.1.1.1@853#cloudflare-dns.com"
+ "1.0.0.1@853#cloudflare-dns.com"
+ ];
+ }];
+
+ server = {
+ interface = [ "0.0.0.0" ];
+ access-control = [ "192.168.100.0/24 allow" ];
+ };
+
+ include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
+ };
+ };
+}
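Review bot: `interface = [ "0.0.0.0" ]` in the `server` block makes Unbound listen on every IPv4 address, while the firewall rule at the top of the file opens 53/udp and 53/tcp only on wlan0 and `access-control` admits only 192.168.100.0/24, so the listener is wider than the firewall and ACL that are meant to scope it; binding to the wlan0 address instead, `interface = [ "<wlan0-ipv4-address>" ];`, keeps the three aligned and avoids exposing the resolver on any other interface whose firewall policy is loosened later. The `#cloudflare-dns.com` suffix on the two `forward-addr` entries only authenticates the DoT upstream when `tls-cert-bundle` (or `tls-system-cert`) is set in `server`; the NixOS module may supply a default, but nothing in this file does, so an explicit `tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";` beside `interface` makes the certificate verification visible and independent of module defaults. The `include` line pulls third-party Unbound configuration from the `hosts-blocklists` input, which flake.lock pins by rev and narHash, so each bump of that input is a resolver configuration change and deserves review; a comment such as `# third-party blocklist config, pinned via flake.lock; review the diff when updating the input` would make that expectation explicit.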