From 7f48b82da9ea004abae291e29022814866d9d0ef Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Sat, 13 Jun 2026 14:02:17 -0500
Subject: router remove profile and add blocklists option and multiple lan interfaces etc
---
 archetypes/profiles/default.nix | 1 -
 archetypes/profiles/router/default.nix | 37 ----------------------------------
 nixos/services/router/blocklists.nix | 35 ++++++++++++++++++++++++++++++++
 nixos/services/router/default.nix | 8 ++++++++
 nixos/services/router/dns-dhcp.nix | 2 +-
 nixos/services/router/routing.nix | 19 +++++++++--------
 6 files changed, 53 insertions(+), 49 deletions(-)
 delete mode 100644 archetypes/profiles/router/default.nix
 create mode 100644 nixos/services/router/blocklists.nix
 create mode 100644 nixos/services/router/default.nix
diff --git a/archetypes/profiles/default.nix b/archetypes/profiles/default.nix
index 3f5567d..23b5c05 100644
--- a/archetypes/profiles/default.nix
+++ b/archetypes/profiles/default.nix
@@ -4,7 +4,6 @@
 ./desktop
 ./headless
 ./pi
- ./router
 ./zfs
 ];
 }
diff --git a/archetypes/profiles/router/default.nix b/archetypes/profiles/router/default.nix
deleted file mode 100644
index 58e3407..0000000
--- a/archetypes/profiles/router/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ lib, pkgs, ... }: let
- mkRouter = lib.mkOverride 800;
-
- # https://wiki.nixos.org/wiki/Networking
- nixosConfig = {
- services.unbound = {
- _blocklists = {
- enable = true;
- blocklists = let
- hageziList = list: [
- "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/${list}.txt"
- "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/${list}.txt"
- "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/${list}.txt"
- ];
- in {
- hageziNSFW = hageziList "nsfw";
- hageziPro = hageziList "pro";
- };
- };
- };
- services._router = {
- dnsDhcpConfig.enable = mkRouter true;
- routing = {
- enable = mkRouter true;
- interfaces = {
- lan = mkRouter "lan0";
- wan = mkRouter "wan0";
- };
- };
- };
- };
-
- homeConfig = {};
-in {
- imports = [ (lib._mkProfileArchetype "router" nixosConfig homeConfig) ];
-}
-
diff --git a/nixos/services/router/blocklists.nix b/nixos/services/router/blocklists.nix
new file mode 100644
index 0000000..753dd68
--- /dev/null
+++ b/nixos/services/router/blocklists.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }: let
+ cfg = config.services._router.dnsDhcpConfig.blocklists;
+ hageziList = list: [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/${list}.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/${list}.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/${list}.txt"
+ ];
+ mkHageziLists = lib.listToAttrs (
+ map (n: { name = "hagezi_${n}"; value = n; }) cfg.hageziBlocklists
+ );
+in {
+ options.services._router.dnsDhcpConfig.blocklists = {
+ enable = lib.mkEnableOption "enable unbound blocklists";
+ hageziBlocklists = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "hagezi blocklists to enable";
+ example = [ "pro" "nsfw" ];
+ };
+ extraBlocklists = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+ description = "additional rpz blocklists to enable";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ services.unbound = {
+ _blocklists = {
+ enable = true;
+ blocklists = lib.map {
+ hageziNSFW = hageziList "nsfw";
+ hageziPro = hageziList "pro";
+ } // cfg.extraBlocklists;
+ };
+ };
+ };
+}
diff --git a/nixos/services/router/default.nix b/nixos/services/router/default.nix
new file mode 100644
index 0000000..6ccb999
--- /dev/null
+++ b/nixos/services/router/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./blocklists.nix
+ ./dns-dhcp.nix
+ ./routing.nix
+ ./unbound-blocklist.nix
+ ];
+}
diff --git a/nixos/services/router/dns-dhcp.nix b/nixos/services/router/dns-dhcp.nix
index e35a906..1839b0f 100644
--- a/nixos/services/router/dns-dhcp.nix
+++ b/nixos/services/router/dns-dhcp.nix
@@ -32,7 +32,7 @@ in {
 type = lib.types.attrsOf lib.types.str;
 default = {};
 example = {
- "poweredge.home.lan" = "192.168.1.1";
+ "poweredge.home.lan" = "192.168.1.10";
 "router.home.lan" = "192.168.1.1";
 "example.com" = "192.168.1.100";
 };
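Review bot: `blocklists = lib.map { ... } // cfg.extraBlocklists;` in the `config` block of blocklists.nix cannot evaluate: `lib.map` applied to an attribute set yields a partially applied function, and `//` on a function is a type error the first time `cfg.enable` is true. The hagezi set is also still hard-coded to `nsfw`/`pro`, so the new `hageziBlocklists` option and the `mkHageziLists` binding are never used (and `mkHageziLists` maps each name to itself, `value = n`, rather than to `hageziList n`). Building the attribute set directly from `cfg.hageziBlocklists` fixes both, as below, and `mkHageziLists` can then be dropped. `hageziBlocklists` and `extraBlocklists` should also get `default = [ ];` and `default = { };`, otherwise enabling the module without setting both fails with an "option used but not defined" error, and giving `hageziBlocklists` a `lib.types.strMatching` type with a narrow character class would keep a typo from being interpolated as-is into the mirror URL paths. Whether `./unbound-blocklist.nix`, imported by the new default.nix, already declares `services.unbound._blocklists` is not visible in this patch.
```nix
  hageziBlocklists = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ ];
    # … unchanged: description, example …
  };
  extraBlocklists = lib.mkOption {
    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
    default = { };
    # … unchanged: description …
  };
# … unchanged: config = lib.mkIf cfg.enable { services.unbound._blocklists.enable = true; …
        blocklists = lib.listToAttrs (map (n: {
          name = "hagezi_${n}";
          value = hageziList n;
        }) cfg.hageziBlocklists) // cfg.extraBlocklists;
```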
diff --git a/nixos/services/router/routing.nix b/nixos/services/router/routing.nix
index 6682538..9534081 100644
--- a/nixos/services/router/routing.nix
+++ b/nixos/services/router/routing.nix
@@ -9,11 +9,10 @@ in {
 default = "";
 description = "wan interface";
 };
- # TODO allow multiple lan
 lan = lib.mkOption {
- type = lib.types.str;
+ type = lib.types.listOf lib.types.str;
 default = "";
- description = "lan interface";
+ description = "lan interfaces";
 };
 };
 };
@@ -26,18 +25,18 @@ in {
 enable = true;
 backend = "nftables"; # Set explicitly
- # Allow lan to access the router
- trustedInterfaces = [ cfg.interfaces.lan ];
+ # Allow lan interfaces to access the router
+ trustedInterfaces = cfg.interfaces.lan;
- # Allow lan to access the internet
- extraForwardRules = ''
- iifname "${cfg.interfaces.lan}" oifname "${cfg.interfaces.wan}" accept
- '';
+ # Allow lan interfaces to access the internet
+ extraForwardRules = lib.concatMapStrings (lanIf: ''
+ iifname "${lanIf}" oifname "${cfg.interfaces.wan}" accept
+ '') cfg.interfaces.lan;
 };
 nat = {
 enable = lib.mkDefault true;
 externalInterface = lib.mkDefault cfg.interfaces.wan;
- internalInterfaces = lib.mkDefault [ cfg.interfaces.lan ];
+ internalInterfaces = lib.mkDefault cfg.interfaces.lan;
 };
 };
 };
-- 
cgit v1.2.3
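Review bot: `default = "";` under the `lan` option in the first hunk is no longer a valid value for its new type `lib.types.listOf lib.types.str`; option defaults are, as far as I know, not type-checked by the module system, so a host that enables routing without setting `lan` now fails only in the second hunk, where `trustedInterfaces = cfg.interfaces.lan` is rejected by the firewall option's list type and `lib.concatMapStrings` over a string errors. Change it to `default = [ ];`, which is also the fail-closed default: with no LAN named, nothing is trusted, no forward rule is emitted and `internalInterfaces` is empty until interfaces are configured explicitly. `wan` keeps its pre-existing `default = "";`, so an unset WAN is still interpolated as `oifname ""` into every forward rule and into the NAT external interface; an assertion that it is non-empty when the module is enabled would turn that into a clear evaluation error instead. The `interfaces` option set and the `config` block both start outside these hunks.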