From 373376dc84112ae0bb8ce002af8d5d868f72b4ac Mon Sep 17 00:00:00 2001
From: Tim Keller <tjk@tjkeller.xyz>
Date: Mon, 29 Dec 2025 21:24:32 -0600
Subject: unbound blocklist module and unbound config + start router profile
 and poweredge-pro outline updates

---
 archetypes/profiles/router/default.nix | 15 ++++++++
 archetypes/profiles/router/unbound.nix | 70 ++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 archetypes/profiles/router/default.nix
 create mode 100644 archetypes/profiles/router/unbound.nix

(limited to 'archetypes/profiles')

diff --git a/archetypes/profiles/router/default.nix b/archetypes/profiles/router/default.nix
new file mode 100644
index 0000000..0818a6b
--- /dev/null
+++ b/archetypes/profiles/router/default.nix
@@ -0,0 +1,15 @@
+{ lib, pkgs, ... }: let
+	mkRouter = lib.mkOverride 800;
+
+	# TODO pass mkRouter
+	#imports = [
+	#	./unbound.nix
+	#];
+
+	nixosConfig = {};
+
+	homeConfig = {};
+in {
+	imports = [ (lib._mkProfileArchetype "router" nixosConfig homeConfig) ];
+}
+
diff --git a/archetypes/profiles/router/unbound.nix b/archetypes/profiles/router/unbound.nix
new file mode 100644
index 0000000..1322193
--- /dev/null
+++ b/archetypes/profiles/router/unbound.nix
@@ -0,0 +1,70 @@
+{
+	services.unbound = {
+		enable = true;
+		_blocklists = {
+			enable = true;
+			blocklists = {
+				hageziNSFW = [
+					"https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
+					"https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
+					"https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
+				];
+				hageziPro = [
+					"https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
+					"https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
+					"https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
+				];
+			};
+		};
+		settings = {
+			server = {
+				# Listen on all interfaces (or specify specific IPs)
+				interface = [ "0.0.0.0" "::0" ];
+
+				# Allow queries from local networks
+				access-control = [
+					"127.0.0.0/8 allow"
+					"192.168.0.0/16 allow"
+					"10.0.0.0/8 allow"
+					"172.16.0.0/12 allow"
+				];
+
+				## Enable DNSSEC validation
+				#auto-trust-anchor-file: "/var/unbound/root.key"
+
+				# Harden against out-of-zone data
+				harden-referral-path = true;
+				harden-dnssec-stripped = true;
+
+				# Privacy options
+				qname-minimisation = true;
+
+				# Cache settings
+				cache-min-ttl = 300;
+				cache-max-ttl = 86400;
+
+				# Hide version
+				hide-identity = true;
+				hide-version = true;
+
+				# Based on recommended settings in https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
+				harden-glue = true;
+				use-caps-for-id = false;
+				prefetch = true;
+				edns-buffer-size = 1232;
+			};
+			# Forward unknown to public resolver via DoT
+			forward-zone = [
+				{
+					name = ".";
+					forward-addr = [
+						"9.9.9.9#dns.quad9.net"
+						"149.112.112.112#dns.quad9.net"
+					];
+					forward-tls-upstream = true;	# Encrypted DNS
+				}
+			];
+			remote-control.control-enable = true;
+		};
+	};
+}
-- 
cgit v1.2.3