underlay: Refuse DNS servers from DHCP

srv-core, vps-ns: Enable dns based ad blocking
nameservers/recursive: Add option to block ads
2026-03-23 21:18:27 +01:00 · 2026-03-04 15:58:54 +01:00 · 2026-03-04 15:15:53 +01:00 · 2026-03-04 15:14:27 +01:00
6 changed files with 51 additions and 6 deletions
--- a/flake.lock
+++ b/flake.lock
@ -16,6 +16,22 @@
        "type": "github"
      }
    },
    "blocklist": {
      "flake": false,
      "locked": {
        "lastModified": 1772371087,
        "narHash": "sha256-4exSkO2QcRy+yhQf2tV6jgO3noNNPvSeIad1YLxpazI=",
        "owner": "StevenBlack",
        "repo": "hosts",
        "rev": "484d3c71b9433e08fa887297e25a3b53c0c6fd57",
        "type": "github"
      },
      "original": {
        "owner": "StevenBlack",
        "repo": "hosts",
        "type": "github"
      }
    },
    "comin": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -293,6 +309,7 @@
    "root": {
      "inputs": {
        "betterfox": "betterfox",
        "blocklist": "blocklist",
        "comin": "comin",
        "disko": "disko",
        "dns": "dns",
--- a/flake.nix
+++ b/flake.nix
@ -75,6 +75,11 @@
      url = "github:iBigQ/radicale-birthday-calendar";
      flake = false;
    };
    blocklist = {
      url = "github:StevenBlack/hosts";
      flake = false;
    };
  };
  outputs =
--- a/hosts/srv-core/default.nix
+++ b/hosts/srv-core/default.nix
@ -21,7 +21,10 @@
      };
      services = {
-        recursive-nameserver.enable = true;
+        recursive-nameserver = {
          enable = true;
          blockAds = true;
        };
        private-nameserver.enable = true;
        syncthing = {
--- a/hosts/vps-ns/default.nix
+++ b/hosts/vps-ns/default.nix
@ -21,7 +21,10 @@
    };
    services = {
-      recursive-nameserver.enable = true;
+      recursive-nameserver = {
        enable = true;
        blockAds = true;
      };
      private-nameserver.enable = true;
      public-nameserver = {
        enable = true;
--- a/modules/nixos/networking/underlay.nix
+++ b/modules/nixos/networking/underlay.nix
@ -51,6 +51,7 @@ in
          matchConfig.Name = cfg.interface;
          linkConfig.RequiredForOnline = "routable";
          networkConfig.DHCP = lib.mkIf cfg.useDhcp "yes";
          dhcpV4Config.UseDNS = lib.mkIf cfg.useDhcp false;
          address = lib.optional (cfg.cidr != null) cfg.cidr;
          routes = lib.optional (cfg.gateway != null) {
            Gateway = cfg.gateway;
--- a/modules/nixos/services/nameservers/recursive.nix
+++ b/modules/nixos/services/nameservers/recursive.nix
@ -1,5 +1,7 @@
 {
  config,
  inputs,
  pkgs,
  lib,
  allHosts,
  ...
@ -8,6 +10,16 @@ let
  cfg = config.custom.services.recursive-nameserver;
  netCfg = config.custom.networking;
  blocklist =
    pkgs.runCommand "blocklist.conf" { } ''
      echo "server:" > $out
      cat ${inputs.blocklist}/hosts \
        | grep '^0.0.0.0 ' \
        | awk '$2 != "0.0.0.0" {print "  local-zone: \"" $2 "\" refuse"}' \
        >> $out
    ''
    |> toString;
  privateNameservers =
    allHosts
    |> lib.attrValues
@ -20,6 +32,7 @@ in
      type = lib.types.port;
      default = 53;
    };
    blockAds = lib.mkEnableOption "";
  };
  config = lib.mkIf cfg.enable (
@ -28,11 +41,14 @@ in
        services = {
          unbound = {
            enable = true;
-            settings.server = {
+            settings = {
              server = {
                interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
                access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
                prefetch = true;
              };
              include-toplevel = lib.mkIf cfg.blockAds blocklist;
            };
          };
          nebula.networks.mesh.firewall.inbound = lib.singleton {
Author	SHA1	Message	Date
SebastianStork	d9a85536a2	underlay: Refuse DNS servers from DHCP	2026-03-04 15:58:54 +01:00
SebastianStork	70140d0af4	srv-core, vps-ns: Enable dns based ad blocking	2026-03-04 15:15:53 +01:00
SebastianStork	fc6eafab59	nameservers/recursive: Add option to block ads	2026-03-04 15:14:27 +01:00