-rw-r--r--archetypes/default.nix1
-rw-r--r--archetypes/profiles/router/default.nix15
-rw-r--r--archetypes/profiles/router/unbound.nix70
-rw-r--r--nixos/default.nix1
-rw-r--r--nixos/unbound-blocklist.nix68
-rw-r--r--poweredge-pro outline9
-rw-r--r--todo1
7 files changed, 161 insertions, 4 deletions
diff --git a/archetypes/default.nix b/archetypes/default.nix
index 3db8900..ad078ce 100644
--- a/archetypes/default.nix
+++ b/archetypes/default.nix
@@ -11,5 +11,6 @@
./profiles/desktop
./profiles/headless
./profiles/pi
+ ./profiles/router
];
}
diff --git a/archetypes/profiles/router/default.nix b/archetypes/profiles/router/default.nix
new file mode 100644
index 0000000..0818a6b
--- /dev/null
+++ b/archetypes/profiles/router/default.nix
@@ -0,0 +1,15 @@
+{ lib, pkgs, ... }: let
+ mkRouter = lib.mkOverride 800;
+
+ # TODO pass mkRouter
+ #imports = [
+ # ./unbound.nix
+ #];
+
+ nixosConfig = {};
+
+ homeConfig = {};
+in {
+ imports = [ (lib._mkProfileArchetype "router" nixosConfig homeConfig) ];
+}
+
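Review bot: `mkRouter` is bound on the second line but never used, and with the `./unbound.nix` import left commented out the profile passes empty `nixosConfig`/`homeConfig` to `lib._mkProfileArchetype`, so enabling the router archetype currently changes nothing. The `# TODO pass mkRouter` comment would be more useful if it named the intended mechanism, e.g. `# TODO: import ./unbound.nix as a function of mkRouter so its settings get priority 800`, since plain `imports` entries cannot receive the value. The file also ends with an extra blank line that the formatter will flag.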
diff --git a/archetypes/profiles/router/unbound.nix b/archetypes/profiles/router/unbound.nix
new file mode 100644
index 0000000..1322193
--- /dev/null
+++ b/archetypes/profiles/router/unbound.nix
@@ -0,0 +1,70 @@
+{
+ services.unbound = {
+ enable = true;
+ _blocklists = {
+ enable = true;
+ blocklists = {
+ hageziNSFW = [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
+ ];
+ hageziPro = [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
+ ];
+ };
+ };
+ settings = {
+ server = {
+ # Listen on all interfaces (or specify specific IPs)
+ interface = [ "0.0.0.0" "::0" ];
+
+ # Allow queries from local networks
+ access-control = [
+ "127.0.0.0/8 allow"
+ "192.168.0.0/16 allow"
+ "10.0.0.0/8 allow"
+ "172.16.0.0/12 allow"
+ ];
+
+ ## Enable DNSSEC validation
+ #auto-trust-anchor-file: "/var/unbound/root.key"
+
+ # Harden against out-of-zone data
+ harden-referral-path = true;
+ harden-dnssec-stripped = true;
+
+ # Privacy options
+ qname-minimisation = true;
+
+ # Cache settings
+ cache-min-ttl = 300;
+ cache-max-ttl = 86400;
+
+ # Hide version
+ hide-identity = true;
+ hide-version = true;
+
+ # Based on recommended settings in https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
+ harden-glue = true;
+ use-caps-for-id = false;
+ prefetch = true;
+ edns-buffer-size = 1232;
+ };
+ # Forward unknown to public resolver via DoT
+ forward-zone = [
+ {
+ name = ".";
+ forward-addr = [
+ "9.9.9.9#dns.quad9.net"
+ "149.112.112.112#dns.quad9.net"
+ ];
+ forward-tls-upstream = true; # Encrypted DNS
+ }
+ ];
+ remote-control.control-enable = true;
+ };
+ };
+}
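Review bot: The server binds `::0` but every `access-control` entry is IPv4, so IPv6 LAN clients (link-local, ULA or GUA) fall under unbound's default refuse policy; either add the LAN prefixes, e.g. `"fe80::/10 allow"` and `"fc00::/7 allow"` adjusted to the actual network, or drop `::0` from `interface`. On a router `0.0.0.0` also binds the WAN address, so port 53 is reachable from outside unless the firewall blocks it — binding the LAN interface addresses explicitly is the safer default. The commented-out `auto-trust-anchor-file` is likely redundant because the NixOS module's `enableRootTrustAnchor` (default true) already sets it, but `harden-dnssec-stripped` only has effect if validation is really active, so that is worth confirming. `remote-control.control-enable = true` without a `control-interface` defaults to a TLS listener on 127.0.0.1:8953 that needs generated keys; the module's `services.unbound.localControlSocketPath` gives a local unix socket instead and avoids that setup.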
diff --git a/nixos/default.nix b/nixos/default.nix
index e934431..4b87741 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -23,6 +23,7 @@
./ssh.nix
./sudo.nix
./suspend.nix
+ ./unbound-blocklist.nix
./zshenv.nix
];
}
diff --git a/nixos/unbound-blocklist.nix b/nixos/unbound-blocklist.nix
new file mode 100644
index 0000000..153f2c0
--- /dev/null
+++ b/nixos/unbound-blocklist.nix
@@ -0,0 +1,68 @@
+{ lib, config, pkgs, ... }: let
+ cfg = config.services.unbound._blocklists;
+in {
+ options.services.unbound._blocklists = {
+ enable = lib.mkEnableOption "enable rpz blocklist generation in unbound";
+ blocklists = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+ example = {
+ hageziNSFW = [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
+ ];
+ hageziPro = [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
+ ];
+ };
+ default = {};
+ description = "blocklist urls in response policy zone (rpz) format";
+ };
+ # TODO
+ #extraBlacklistedDomains = lib.mkOption {
+ # type = lib.types.listOf lib.types.str;
+ # example = [
+ # "example.com"
+ # "*.example.com"
+ # "elpmaxe.com"
+ # "*.elpmaxe.com"
+ # ];
+ # default = [];
+ # description = "additional domains to block";
+ #};
+ #extraWhitelistedDomains = lib.mkOption {
+ # type = lib.types.listOf lib.types.str;
+ # example = [
+ # "example.com"
+ # "*.example.com"
+ # "elpmaxe.com"
+ # "*.elpmaxe.com"
+ # ];
+ # default = [];
+ # description = "whitelist domains that would otherwise be blocked";
+ #};
+ };
+
+ config = lib.mkIf (cfg.enable && config.services.unbound.enable) {
+ # Configure rpz + blocklists in unbound
+ services.unbound.settings = let
+ # https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/rpz.html
+ rpzEntry = name: url: { inherit name url; rpz-action-override = "nxdomain"; }; # TODO extra attrs option instead of adding rpz-action-override by default
+ ## Generate extraBlockedDomains
+ #extraBlockedDomainsRPZ = lib.strings.concatStringsSep "\n" (builtins.map (domain: "${domain} CNAME ."));
+ #extraBlockedDomainsRPZFile = pkgs.writeText "extraBlockedDomains" ''
+ # $TTL 300
+ # @ SOA localhost. root.localhost. 1 43200 3600 86400 300
+ # NS localhost.
+ # ${extraBlockedDomainsRPZ}
+ #'';
+ #extraBlockedDomainsRPZEntries = rpzEntry "extraBlockedDomains" extraBlockedDomainsRPZFile;
+ rpz = lib.mapAttrsToList rpzEntry cfg.blocklists;
+ in {
+ server.module-config = ''"respip validator iterator"''; # Adds respip before validator and iterator. Needed for rpz config
+ inherit rpz;
+ };
+ };
+}
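Review bot: `rpzEntry` emits only `name`, `url` and `rpz-action-override`, with no `zonefile`, so as far as I can tell unbound keeps the fetched zone in memory only and must re-download it at every start; if the fetch fails at boot (network not yet up, upstream down) the resolver runs with an empty blocklist and the filtering silently fails open. Adding a persisted copy under the state directory, e.g. `zonefile = "${name}.rpz";`, keeps the last good list available until the next refresh, and a comment noting that RPZ fetches rely on `tls-cert-bundle` for the HTTPS downloads would help the next reader. Forcing `rpz-action-override = "nxdomain"` also turns any PASSTHRU or NODATA records a list may carry into blocks, which the TODO on that line already hints at. Separately, `lib.mkEnableOption` prefixes its argument with "Whether to enable ", so the description renders as "Whether to enable enable rpz blocklist…"; use `lib.mkEnableOption "rpz blocklist generation in unbound"`. `pkgs` in the module arguments is only referenced from commented-out code.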
diff --git a/poweredge-pro outline b/poweredge-pro outline
index e40157c..11616d9 100644
--- a/poweredge-pro outline
+++ b/poweredge-pro outline
@@ -2,7 +2,7 @@ poweredge-pro
SERVICES:
- nfs/smb file shares
-- cronjobs
+- cronjobs / systemd units
- zfs scrubbing
- zfs snapshotting
- services.smartd
@@ -10,6 +10,9 @@ SERVICES:
- allow backup to truenas
- virtual machines
- virtual router opnsense
+- unbound + dnsmasq
+ - local hostname resolving e.g. ping poweredge-pro
+- router profile
- web services
- admin streamline (docker for now)
- chexx-internal-webservices (docker)
@@ -34,9 +37,7 @@ SECURITY
- encrypted zfs pools
DISKS
-- boot disk
- - zfs or btrfs
-- services disk
+- boot + services disk
- zfs
- encryption
- datasets
diff --git a/todo b/todo
index 4c17016..d41233c 100644
--- a/todo
+++ b/todo
@@ -21,5 +21,6 @@ font improvements hinting etc home manager
#
zsh support
+zsh plugins installed via nix pkg manager instead of zplug
headless virtual machines / view display with vnc in browser
support office xerox printer properly