From 5d0ed567021173e372614b9dd96da45c150f8747 Mon Sep 17 00:00:00 2001
From: Johannes Rothe
Date: Mon, 17 Mar 2025 20:18:09 +0100
Subject: [PATCH] Enable blocky and unbound DNS on dalinar
---
 hosts/dalinar/default.nix | 66 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
diff --git a/hosts/dalinar/default.nix b/hosts/dalinar/default.nix
index 0bcd425..783c654 100644
--- a/hosts/dalinar/default.nix
+++ b/hosts/dalinar/default.nix
@@ -27,7 +27,17 @@
   };
   networking.hostName = "dalinar";
+  networking.firewall = {
+    enable = true;
+    allowedUDPPorts = [ 53 ];
+  };
   networking.useNetworkd = true;
+  services.resolved = {
+    enable = true;
+    extraConfig = ''
+      DNSStubListener=no
+    '';
+  };
   time.timeZone = "Europe/Berlin";
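Review bot: The firewall block opens only UDP 53 (`allowedUDPPorts = [ 53 ];`), but blocky answers on TCP 53 as well, and clients that get a truncated UDP reply (large DNSSEC or multi-record answers, made more likely by the 1232-byte EDNS limit set upstream) retry over TCP, which this rule set silently drops; add `allowedTCPPorts = [ 53 ];` beside it. Opening 53 on every interface also makes dalinar a resolver for anything that can reach it, so if the host has an interface that is not LAN or tailscale, scoping the rule with `networking.firewall.interfaces.<iface>.allowedUDPPorts` (placeholder interface name) keeps it from becoming an open resolver usable for amplification. Turning off the resolved stub listener frees port 53, but nothing in this hunk points resolved at blocky, so the host's own lookups presumably still go to whatever networkd learns rather than through the filter — confirm, and if local filtering is intended add `DNS=127.0.0.1` to the same `extraConfig`. The trailing context lines of this hunk appear to have been lost in the collapsed patch text.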
@@ -54,6 +64,62 @@
   services.tailscale.enable = true;
+  services.unbound = {
+    enable = true;
+    settings = {
+      server = {
+        interface = [ "127.0.0.1" ];
+        port = 5335;
+        access-control = [ "127.0.0.1 allow" ];
+        harden-glue = true;
+        num-threads = 4;
+        harden-dnssec-stripped = true;
+        use-caps-for-id = false;
+        prefetch = true;
+        edns-buffer-size = 1232;
+        hide-identity = true;
+        hide-version = true;
+        private-address = [
+          "172.16.0.0/12"
+        ];
+      };
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "9.9.9.9#dns.quad9.net"
+            "149.112.112.112#dns.quad9.net"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  services.blocky = {
+    enable = true;
+    settings = {
+      upstreams.groups.default = [
+        "127.0.0.1:${builtins.toString config.services.unbound.settings.server.port}"
+      ];
+      blocking = {
+        denylists.ads = [
+          "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+        ];
+        clientGroupsBlock.default = [ "ads" ];
+      };
+      ports = {
+        dns = 53;
+        http = 4000; # port for prometheus metrics
+      };
+      prometheus = {
+        enable = true;
+        path = "/metrics";
+      };
+      queryLog.type = "none";
+    };
+  };
+
   # This option defines the first version of NixOS you have installed on this particular machine,
   # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
   #
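Review bot: `http = 4000; # port for prometheus metrics` binds blocky's HTTP listener on all interfaces, and that listener serves more than metrics — blocky's REST API (toggling blocking, querying) lives on the same port without authentication, so the comment understates what is exposed. Bind it to loopback unless a remote scraper needs it, e.g. `http = "127.0.0.1:4000"; # prometheus metrics and blocky's unauthenticated REST API`, and if Prometheus scrapes from another host, open the port only on that host's interface rather than globally. In the unbound block, `private-address` lists only 172.16.0.0/12, so DNS-rebinding protection does not cover 10.0.0.0/8, 192.168.0.0/16, 169.254.0.0/16, fd00::/8 or fe80::/10; list the ranges actually in use and pair them with `private-domain` for any internal zone that legitimately resolves to them. The `#dns.quad9.net` authentication names only verify the upstream if a CA bundle is configured; the NixOS unbound module sets `tls-cert-bundle` by default as far as I know, but it is worth confirming in the generated unbound.conf.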