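# NixOS module: generate unbound response policy zone (RPZ) stanzas from a set
# of blocklist URLs, so unbound itself downloads and applies the zones.
{ lib, config, pkgs, ... }:
let
  cfg = config.services.unbound._blocklists;
in {
  options.services.unbound._blocklists = {
    # mkEnableOption already prefixes "Whether to enable ", so the text must
    # not start with "enable" itself (the old wording rendered as
    # "Whether to enable enable rpz blocklist generation in unbound").
    enable = lib.mkEnableOption "rpz blocklist generation in unbound";

    blocklists = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
      example = {
        hageziNSFW = [
          "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
          "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
          "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
        ];
        hageziPro = [
          "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
          "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
          "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
        ];
      };
      default = {};
      description = ''
        Blocklist URLs in response policy zone (RPZ) format, keyed by the
        name the zone gets in unbound. Each value is a list of mirrors for
        the same zone: every element is rendered as its own `url:` line of
        the rpz stanza (services.unbound.settings renders list values as
        repeated keys) and unbound tries them in turn. Keep the URLs HTTPS
        so the zone data cannot be altered in transit; unbound checks the
        server certificate against its configured CA bundle.
      '';
    };

    # Replaces the previously hard-coded `rpz-action-override = "nxdomain"`
    # (the TODO in the old version). The default keeps the old behaviour.
    rpzSettings = lib.mkOption {
      type = lib.types.attrsOf (lib.types.oneOf [ lib.types.bool lib.types.int lib.types.str ]);
      default = { rpz-action-override = "nxdomain"; };
      example = { rpz-action-override = "nxdomain"; rpz-log = true; };
      description = ''
        Extra unbound rpz settings applied to every generated zone stanza.
        `name` and `url` are always taken from `blocklists` and cannot be
        overridden here. The default replaces whatever action the list
        author encoded (for example a CNAME to a walled-garden host) with a
        plain NXDOMAIN, so clients only ever see a negative answer.
      '';
    };

    # TODO: local block/allow lists rendered as an RPZ zone and added via
    # rpzEntry. Whitelisting has to come first in the generated rpz order
    # using the `rpz-passthru.` target, since the first matching zone wins.
    # Sketch (the earlier sketch forgot the list argument to builtins.map):
    #extraBlacklistedDomains = lib.mkOption {
    #  type = lib.types.listOf lib.types.str;
    #  example = [ "example.com" "*.example.com" "elpmaxe.com" "*.elpmaxe.com" ];
    #  default = [];
    #  description = "additional domains to block";
    #};
    #extraWhitelistedDomains = lib.mkOption {
    #  type = lib.types.listOf lib.types.str;
    #  example = [ "example.com" "*.example.com" "elpmaxe.com" "*.elpmaxe.com" ];
    #  default = [];
    #  description = "whitelist domains that would otherwise be blocked";
    #};
  };

  # Only act when both this module and unbound itself are enabled; otherwise
  # settings would be generated for a service that never starts.
  config = lib.mkIf (cfg.enable && config.services.unbound.enable) {
    services.unbound.settings = let
      # https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/rpz.html
      # One rpz stanza per blocklist: the user's rpzSettings first, then
      # name/url on top so they can never be clobbered.
      rpzEntry = name: url: cfg.rpzSettings // { inherit name url; };

      ## Sketch for extraBlacklistedDomains (see options above):
      #extraBlockedDomainsRPZ = lib.concatMapStringsSep "\n" (domain: "${domain} CNAME .") cfg.extraBlacklistedDomains;
      #extraBlockedDomainsRPZFile = pkgs.writeText "extraBlockedDomains" ''
      #  $TTL 300
      #  @ SOA localhost. root.localhost. 1 43200 3600 86400 300
      #  NS localhost.
      #  ${extraBlockedDomainsRPZ}
      #'';
      #extraBlockedDomainsRPZEntries = rpzEntry "extraBlockedDomains" extraBlockedDomainsRPZFile;

      rpz = lib.mapAttrsToList rpzEntry cfg.blocklists;
    in {
      # The respip module must sit in front of validator and iterator for rpz
      # to be consulted at all. Deliberately not mkDefault: another definition
      # of module-config elsewhere then fails at evaluation instead of
      # silently dropping respip and disabling the blocklists.
      server.module-config = ''"respip validator iterator"'';
      inherit rpz;
    };
  };
}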