From a59b0277c85f030bf488c1c9dfaffecd4923ea05 Mon Sep 17 00:00:00 2001 From: sid Date: Mon, 4 May 2026 16:39:59 +0200 Subject: [PATCH] add dns with ip blocklist --- constants.nix | 14 ++++------- hosts/sid/services/coredns.nix | 45 +++++++++++++++++++++++++++++++--- 2 files changed, 47 insertions(+), 12 deletions(-) diff --git a/constants.nix b/constants.nix index 3dc7ded..833e9ef 100644 --- a/constants.nix +++ b/constants.nix @@ -3,15 +3,11 @@ rec { intranet = "i." + domain; ca-fqdn = "ca." + intranet; hosts = { - sid = { - ip = "100.64.0.6"; - }; - rx4 = { - ip = "100.64.0.10"; - }; - vde = { - ip = "100.64.0.1"; - }; + "16ach6".ip = "100.64.0.2"; + pc.ip = "100.64.0.5"; + pixel6a.ip = "100.64.0.4"; + rx4.ip = "100.64.0.10"; + sid.ip = "100.64.0.6"; }; services = { docs = { diff --git a/hosts/sid/services/coredns.nix b/hosts/sid/services/coredns.nix index 27896a5..f784a0d 100644 --- a/hosts/sid/services/coredns.nix +++ b/hosts/sid/services/coredns.nix @@ -1,5 +1,19 @@ -{ constants, ... }: +{ constants, pkgs, ... }: +let + blockSrc = builtins.concatStringsSep " " ( + with constants; + [ + "16ach6".ip + pc.ip + pixel6a.ip + ] + ); + + corednsCfgDir = "/etc/coredns"; + blocklistFile = corednsCfgDir + "/blocklist.txt"; + blocklistURL = "https://big.oisd.nl/"; +in { services.resolved.enable = false; networking.resolvconf.enable = false; @@ -22,6 +36,14 @@ ${hosts.vde.ip} vde.tail fallthrough } + + acl { + allow src ${blockSrc} { + forward . 1.1.1.1 8.8.8.8 + block { list ${blocklistFile} } + } + } + forward . 1.1.1.1 8.8.8.8 cache 30 log 
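Review bot: `hosts.vde.ip` is still referenced by the Corefile (it is visible as the context line `${hosts.vde.ip} vde.tail` in the coredns.nix hunk further down), yet the constants.nix hunk removes `vde` from `hosts`, so if that `hosts` is `constants.hosts` the module stops evaluating with a missing-attribute error. Either keep `vde.ip = "100.64.0.1";` in the new flattened list or drop the `vde.tail` line from the Corefile in the same commit. The flattening to `name.ip = "…";` itself is fine.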
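Review bot: `blockSrc` will not evaluate as written: `"16ach6".ip` selects an attribute from a string literal instead of from `hosts`, and `with constants;` brings `constants.hosts` into scope, not the individual hosts, so `pc.ip` and `pixel6a.ip` are undefined too unless the `constants` argument here is something other than the file patched above. One line fixes both: `blockSrc = builtins.concatStringsSep " " (map (h: constants.hosts.${h}.ip) [ "16ach6" "pc" "pixel6a" ]);`. A comment on the binding would also help a reader, e.g. `# Tailnet clients that get the filtered resolver; every other source address is forwarded unfiltered.`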
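Review bot: The `acl` stanza does not match the upstream plugin's Corefile grammar as far as I know: `acl` takes `ACTION [type …] [net CIDR…] [file …]` lines, with no `src` keyword and no nested plugin blocks, so `allow src … { forward … block { list … } }` most likely fails to parse at startup rather than filtering those three clients; please confirm against the CoreDNS version you run. The usual way to get per-client filtering is the `view` plugin (CoreDNS 1.10+, I believe) selecting a separate server block for those client IPs, e.g. `expr incidr(client_ip(), '100.64.0.2/32') || …`, which loads the list with `hosts ${blocklistFile} { fallthrough }` ahead of its own `forward`, while the default server block keeps the unfiltered `forward . 1.1.1.1 8.8.8.8` that already follows the stanza here. That requires the downloaded file to be in hosts format, so check what `https://big.oisd.nl/` actually serves (oisd publishes several formats) before relying on it.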
@@ -30,6 +52,23 @@ ''; }; - networking.firewall.allowedUDPPorts = [ 53 ]; - networking.firewall.allowedTCPPorts = [ 53 ]; + systemd.services.update-blocklist = { + description = "Download CoreDNS blocklist"; + serviceConfig.Type = "oneshot"; + script = '' + mkdir -p ${corednsCfgDir} + ${pkgs.curl}/bin/curl -s -o ${blocklistFile} ${blocklistURL} + ''; + }; + + systemd.timers.update-blocklist = { + description = "Daily update of CoreDNS blocklist"; + wantedBy = [ "timers.target" ]; + after = [ "network-online.target" ]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + RandomizedDelaySec = "1h"; + }; + }; }
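Review bot: The download in `update-blocklist` can silently replace a good blocklist with garbage: `curl -s -o` without `-f` writes an HTTP error page into `${blocklistFile}`, a dropped connection leaves a truncated file in place, there is no `--max-time` so the oneshot can hang, and the unit runs as root by default. Fetch into a temp file in the same directory, require it to be non-empty, then rename atomically so CoreDNS never reads a half-written list, and consider running the unit unprivileged (a `User` with write access to the directory, or `StateDirectory`). Something also has to make CoreDNS see the new file and, on first boot, wait for it; `before = [ "coredns.service" ]` with a `wantedBy` on the service, or an `ExecStartPost` reload, are the usual options, but the coredns unit is not in this diff so I cannot say which fits. Separately, this hunk deletes the `networking.firewall.allowed{UDP,TCP}Ports = [ 53 ]` lines; unless port 53 is opened elsewhere (for example a trusted tailnet interface), the resolver becomes unreachable for the very clients in `blockSrc`.
```nix
  systemd.services.update-blocklist = {
    description = "Download CoreDNS blocklist";
    serviceConfig.Type = "oneshot";
    script = ''
      set -euo pipefail
      mkdir -p ${corednsCfgDir}
      # Fetch next to the target so the final mv is an atomic rename on the same filesystem.
      tmp=$(mktemp ${corednsCfgDir}/blocklist.XXXXXX)
      trap 'rm -f "$tmp"' EXIT
      ${pkgs.curl}/bin/curl -fsS --proto '=https' --max-time 300 -o "$tmp" ${blocklistURL}
      if [ ! -s "$tmp" ]; then
        echo "update-blocklist: empty download from ${blocklistURL}" >&2
        exit 1
      fi
      mv -f "$tmp" ${blocklistFile}
    '';
  };
  # … unchanged: systemd.timers.update-blocklist …
```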