From 2cdfec2086caa0ac4dfe99f2bc6ae566f62c7f52 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Tue, 17 Mar 2026 17:59:52 +0100
Subject: [PATCH] blocking-nameserver: Init

---
 .../nixos/services/nameservers/blocking.nix | 95 +++++++++++++++++++
 .../nixos/services/nameservers/recursive.nix | 38 +++-----
 2 files changed, 106 insertions(+), 27 deletions(-)
 create mode 100644 modules/nixos/services/nameservers/blocking.nix

diff --git a/modules/nixos/services/nameservers/blocking.nix b/modules/nixos/services/nameservers/blocking.nix
new file mode 100644
index 0000000..2686bdc
--- /dev/null
+++ b/modules/nixos/services/nameservers/blocking.nix
@@ -0,0 +1,95 @@
+{
+  config,
+  lib,
+  allHosts,
+  ...
+}:
+let
+  cfg = config.custom.services.blocking-nameserver;
+  netCfg = config.custom.networking;
+
+  recursiveNameservers =
+    allHosts
+    |> lib.attrValues
+    |> lib.filter (host: host.config.custom.services.recursive-nameserver.enable)
+    |> lib.map (
+      host:
+      "${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.recursive-nameserver.port}"
+    );
+in
+{
+  options.custom.services.blocking-nameserver = {
+    enable = lib.mkEnableOption "";
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 53;
+    };
+    gui = {
+      domain = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+        default = "";
+      };
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 58479;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services = {
+      adguardhome = {
+        enable = true;
+        mutableSettings = false;
+
+        host = "127.0.0.1";
+        inherit (cfg.gui) port;
+
+        settings = {
+          dns = {
+            bind_hosts = [ netCfg.overlay.address ];
+            inherit (cfg) port;
+
+            upstream_dns =
+              if (recursiveNameservers != [ ]) then recursiveNameservers else [ "9.9.9.9#dns.quad9.net" ];
+            upstream_mode = "parallel";
+            bootstrap_dns = [
+              "1.1.1.1"
+              "8.8.8.8"
+            ];
+          };
+
+          filtering = {
+            protection_enabled = true;
+            filtering_enabled = true;
+          };
+          filters = lib.singleton {
+            enabled = true;
+            url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
+          };
+        };
+      };
+
+      nebula.networks.mesh.firewall.inbound = lib.singleton {
+        inherit (cfg) port;
+        proto = "any";
+        host = "any";
+      };
+    };
+
+    systemd.services.adguardhome = {
+      enableStrictShellChecks = false;
+      requires = [ netCfg.overlay.systemdUnit ];
+      after = [ netCfg.overlay.systemdUnit ];
+    };
+
+    custom = {
+      services.caddy.virtualHosts.${cfg.gui.domain}.port = lib.mkIf (cfg.gui.domain != null) cfg.gui.port;
+
+      meta.sites.${cfg.gui.domain} = lib.mkIf (cfg.gui.domain != null) {
+        title = "Adguard Home";
+        icon = "sh:adguard-home";
+      };
+    };
+  };
+}
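Review bot: `gui.domain` is declared as `lib.types.nonEmptyStr` with `default = ""`, so the default itself fails the type check as soon as `cfg.gui.domain` is evaluated, and the two `lib.mkIf (cfg.gui.domain != null)` guards at the bottom of the hunk can never be false because that type never admits null. Making the option genuinely optional matches what the guards appear to intend: `type = lib.types.nullOr lib.types.nonEmptyStr;` and `default = null;` (Nix drops a dynamic attribute whose name evaluates to null, so `virtualHosts.${cfg.gui.domain}` and `meta.sites.${cfg.gui.domain}` then disappear cleanly). Separately, the `settings` block configures no `users`, so whether the AdGuard Home GUI published through the caddy virtual host requires a login depends on configuration outside this hunk; that is worth confirming before the domain is set.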
diff --git a/modules/nixos/services/nameservers/recursive.nix b/modules/nixos/services/nameservers/recursive.nix
index 894c2e1..5ce0e40 100644
--- a/modules/nixos/services/nameservers/recursive.nix
+++ b/modules/nixos/services/nameservers/recursive.nix
@@ -1,7 +1,5 @@
 {
   config,
-  inputs,
-  pkgs,
   lib,
   allHosts,
   ...
@@ -10,27 +8,21 @@ let
   cfg = config.custom.services.recursive-nameserver;
   netCfg = config.custom.networking;
 
-  blocklist =
-    pkgs.runCommand "blocklist.conf" { } ''
-      echo "server:" > $out
-      cat ${inputs.blocklist}/hosts \
-        | grep '^0.0.0.0 ' \
-        | awk '$2 != "0.0.0.0" {print " local-zone: \"" $2 "\" refuse"}' \
-        >> $out
-    ''
-    |> toString;
-
   privateNameservers =
     allHosts
     |> lib.attrValues
-    |> lib.filter (host: host.config.custom.services.private-nameserver.enable);
+    |> lib.filter (host: host.config.custom.services.private-nameserver.enable)
+    |> lib.map (
+      host:
+      "${host.config.custom.networking.overlay.address}@${toString host.config.custom.services.private-nameserver.port}"
+    );
 in
 {
   options.custom.services.recursive-nameserver = {
     enable = lib.mkEnableOption "";
     port = lib.mkOption {
       type = lib.types.port;
-      default = 53;
+      default = 5336;
     };
     blockAds = lib.mkEnableOption "";
   };
@@ -41,13 +33,10 @@ in
     services = {
       unbound = {
         enable = true;
-        settings = {
-          server = {
-            interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
-            access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
-            prefetch = true;
-          };
-          include-toplevel = lib.mkIf cfg.blockAds blocklist;
+        settings.server = {
+          interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
+          access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
+          prefetch = true;
         };
       };
 
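Review bot: `blockAds = lib.mkEnableOption "";` is kept in the options block of the second hunk while its only visible consumer, `include-toplevel = lib.mkIf cfg.blockAds blocklist;`, is deleted in the third hunk, so enabling the option now silently does nothing (unless something outside these hunks still reads it). Either remove the option together with the blocklist, or redirect users to the new module, e.g. `imports = [ (lib.mkRemovedOptionModule [ "custom" "services" "recursive-nameserver" "blockAds" ] "ad blocking moved to custom.services.blocking-nameserver") ];`. The same hunk also moves the default `port` from 53 to 5336, which changes the listener on every host that enables only the recursive nameserver; if such hosts exist, their resolver configuration needs to follow in this change.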
@@ -73,12 +62,7 @@ in
       stub-zone = lib.singleton {
         name = netCfg.overlay.domain;
-        stub-addr =
-          privateNameservers
-          |> lib.map (
-            host:
-            "${host.config.custom.networking.overlay.address}@${toString host.config.custom.services.private-nameserver.port}"
-          );
+        stub-addr = privateNameservers;
       };
     };
   })