From 38980a9f11f451f9dd0583ffc54408c415702b69 Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Sun, 14 Jun 2026 13:37:23 -0500
Subject: unbound blocklists fixed
---
 nixos/services/router/blocklists.nix | 35 -----------------------------
 nixos/services/router/unbound-blocklist.nix | 18 +++++++++++++--
 2 files changed, 16 insertions(+), 37 deletions(-)
 delete mode 100644 nixos/services/router/blocklists.nix
diff --git a/nixos/services/router/blocklists.nix b/nixos/services/router/blocklists.nix
deleted file mode 100644
index 753dd68..0000000
--- a/nixos/services/router/blocklists.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ config, lib, ... }: let
- cfg = config.services._router.dnsDhcpConfig.blocklists;
- hageziList = list: [
- "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/${list}.txt"
- "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/${list}.txt"
- "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/${list}.txt"
- ];
- mkHageziLists = lib.listToAttrs (
- map (n: { name = "hagezi_${n}"; value = n; }) cfg.hageziBlocklists
- );
-in {
- options.services._router.dnsDhcpConfig.blocklists = {
- enable = lib.mkEnableOption "enable unbound blocklists";
- hageziBlocklists = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- description = "hagezi blocklists to enable";
- example = [ "pro" "nsfw" ];
- };
- extraBlocklists = lib.mkOption {
- type = lib.types.attrsOf (lib.types.listOf lib.types.str);
- description = "additional rpz blocklists to enable";
- };
- };
- config = lib.mkIf cfg.enable {
- services.unbound = {
- _blocklists = {
- enable = true;
- blocklists = lib.map {
- hageziNSFW = hageziList "nsfw";
- hageziPro = hageziList "pro";
- } // cfg.extraBlocklists;
- };
- };
- };
-}
diff --git a/nixos/services/router/unbound-blocklist.nix b/nixos/services/router/unbound-blocklist.nix
index 153f2c0..27f2a04 100644
--- a/nixos/services/router/unbound-blocklist.nix
+++ b/nixos/services/router/unbound-blocklist.nix
@@ -1,9 +1,23 @@
 { lib, config, pkgs, ... }: let
 cfg = config.services.unbound._blocklists;
+ hageziList = list: [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/${list}.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/${list}.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/${list}.txt"
+ ];
+ hageziBlocklists = lib.listToAttrs (
+ map (n: { name = "hagezi_${n}"; value = n; }) cfg.hageziBlocklists
+ );
+ blocklists = hageziBlocklists // cfg.extraBlocklists;
 in {
 options.services.unbound._blocklists = {
 enable = lib.mkEnableOption "enable rpz blocklist generation in unbound";
- blocklists = lib.mkOption {
+ hageziBlocklists = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "hagezi blocklists to enable";
+ example = [ "pro" "nsfw" ];
+ };
+ extraBlocklists = lib.mkOption {
 type = lib.types.attrsOf (lib.types.listOf lib.types.str);
 example = {
 hageziNSFW = [
@@ -59,7 +73,7 @@ in {
 # ${extraBlockedDomainsRPZ}
 #'';
 #extraBlockedDomainsRPZEntries = rpzEntry "extraBlockedDomains" extraBlockedDomainsRPZFile;
- rpz = lib.mapAttrsToList rpzEntry cfg.blocklists;
+ rpz = lib.mapAttrsToList rpzEntry blocklists;
 in {
 server.module-config = ''"respip validator iterator"''; # Adds respip before validator and iterator. Needed for rpz config
 inherit rpz;
-- 
cgit v1.2.3
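Review bot: In the new `hageziBlocklists` binding of the first hunk, `value = n;` stores the bare list name (for example "pro") rather than the mirror URLs, and `hageziList` is never called anywhere in the visible lines. `extraBlocklists` is typed `attrsOf (listOf str)` and both sets are merged into `blocklists` for `rpzEntry`, so the hagezi entries presumably need the same shape: `map (n: { name = "hagezi_${n}"; value = hageziList n; }) cfg.hageziBlocklists`. `rpzEntry` and the rest of the options set lie outside the hunk, so confirm against them; as written the selected hagezi lists may fail to load or be skipped, leaving the resolver without the filtering the option promises. Separately, the three URLs follow `@latest` and `main`, so whatever the mirrors serve is loaded as RPZ policy; since RPZ can rewrite answers as well as block them, consider pinning a release tag or checking a hash where the lists are fetched.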