From 5b0d12ad401484afe62e2bcd5e7d57dc0f3e73bb Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Wed, 21 Apr 2021 19:35:01 +0000
Subject: [PATCH] services: add adblock

This is a self-hosted DNS server with hosts-based adblocking. I should probably have it update the hosts file more often than I will probably end up doing myself with a package... We'll see if it ends up being necessary.
---
services/adblock.nix | 63 ++++++++++++++++++++++++++++++++++++++++++++
services/default.nix | 1 +
2 files changed, 64 insertions(+)
create mode 100644 services/adblock.nix

diff --git a/services/adblock.nix b/services/adblock.nix
new file mode 100644
index 0000000..e4ee718
--- /dev/null
+++ b/services/adblock.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+let
+wgCfg = config.my.services.wireguard;
+cfg = config.my.services.adblock;
+in
+{
+options.my.services.adblock = with lib; {
+enable = mkEnableOption "Hosts-based adblock using unbound";
+
+forwardAddresses = mkOption {
+type = with types; listOf str;
+default = [
+"1.0.0.1@853#cloudflare-dns.com"
+"1.1.1.1@853#cloudflare-dns.com"
+];
+example = [
+"8.8.4.4"
+"8.8.8.8"
+];
+description = "Which DNS servers to forward queries to";
+};
+
+interfaces = mkOption {
+type = with types; listOf str;
+default = [
+"0.0.0.0"
+"::"
+];
+example = literalExample ''
+[
+"127.0.0.1"
+]
+'';
+description = "Which addresses to listen on";
+};
+};
+
+config = lib.mkIf cfg.enable {
+# Needed when connecting from Wireguard clients
+networking.firewall.allowedUDPPorts = [ 53 ];
+networking.firewall.allowedTCPPorts = [ 53 ];
+
+services.unbound = {
+enable = true;
+
+allowedAccess = [
+"127.0.0.0/24"
+"${wgCfg.net.v4.subnet}.0/${toString wgCfg.net.v4.mask}"
+"${wgCfg.net.v6.subnet}::0/${toString wgCfg.net.v6.mask}"
+];
+
+inherit (cfg) forwardAddresses interfaces;
+
+extraConfig = ''
+so-reuseport: yes
+tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+tls-upstream: yes
+
+include: "${pkgs.ambroisie.unbound-zones-adblock}/hosts"
+'';
+};
+};
+}
diff --git a/services/default.nix b/services/default.nix
index 346d4f5..fc377d9 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -2,6 +2,7 @@
 {
 imports = [
+./adblock.nix
 ./backup.nix
 ./blog.nix
 ./calibre-web.nix
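Review bot: The firewall rules at the top of the `config` block open port 53 on every interface (`networking.firewall.allowedUDPPorts` / `allowedTCPPorts`), while the comment just above them says the exposure is only needed for WireGuard clients; combined with the default `interfaces = [ "0.0.0.0" "::" ]` the resolver accepts connections from any peer that can reach the host and relies on `allowedAccess` alone to refuse them. Scoping the rule to the tunnel keeps it to what the comment describes: `networking.firewall.interfaces.<WG_INTERFACE>.allowedUDPPorts = [ 53 ];` and the same for `allowedTCPPorts` (`<WG_INTERFACE>` is a placeholder — the WireGuard interface name is not defined in this file, only `wgCfg.net.*`). Two smaller points in the same hunk: `allowedAccess` lists `127.0.0.0/24` but no `::1/128`, so local IPv6 queries to the `::` listener are refused; and the `forwardAddresses` example `"8.8.4.4"` / `"8.8.8.8"` carries no `@853#<name>` suffix even though `tls-upstream: yes` is hard-coded in `extraConfig`, so that example is unlikely to work as written and, lacking an auth name, would skip certificate-name verification — `"8.8.8.8@853#dns.google"` would match the shape of the defaults.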