2 changed files with 47 additions and 12 deletions
--- a/constants.nix
+++ b/constants.nix
@ -3,15 +3,11 @@ rec {
  intranet = "i." + domain;
  ca-fqdn = "ca." + intranet;
  hosts = {
-    sid = {
-      ip = "100.64.0.6";
-    };
-    rx4 = {
-      ip = "100.64.0.10";
-    };
-    vde = {
-      ip = "100.64.0.1";
-    };
+    "16ach6".ip = "100.64.0.2";
+    pc.ip = "100.64.0.5";
+    pixel6a.ip = "100.64.0.4";
+    rx4.ip = "100.64.0.10";
+    sid.ip = "100.64.0.6";
  };
  services = {
    docs = {
--- a/hosts/sid/services/coredns.nix
+++ b/hosts/sid/services/coredns.nix
@ -1,5 +1,19 @@
-{ constants, ... }:
+{ constants, pkgs, ... }:

+let
+  blockSrc = builtins.concatStringsSep " " (
+    with constants;
+    [
+      "16ach6".ip
+      pc.ip
+      pixel6a.ip
+    ]
+  );
+
+  corednsCfgDir = "/etc/coredns";
+  blocklistFile = corednsCfgDir + "/blocklist.txt";
+  blocklistURL = "https://big.oisd.nl/";
+in
 {
  services.resolved.enable = false;
  networking.resolvconf.enable = false;
@ -22,6 +36,14 @@
          ${hosts.vde.ip} vde.tail
          fallthrough
        }
+
+        acl {
+          allow src ${blockSrc} {
+            forward . 1.1.1.1 8.8.8.8
+            block { list ${blocklistFile} }
+          }
+        }
+
        forward . 1.1.1.1 8.8.8.8
        cache 30
        log
@ -30,6 +52,23 @@
    '';
  };

-  networking.firewall.allowedUDPPorts = [ 53 ];
-  networking.firewall.allowedTCPPorts = [ 53 ];
+  systemd.services.update-blocklist = {
+    description = "Download CoreDNS blocklist";
+    serviceConfig.Type = "oneshot";
+    script = ''
+      mkdir -p ${corednsCfgDir}
+      ${pkgs.curl}/bin/curl -s -o ${blocklistFile} ${blocklistURL}
+    '';
+  };
+
+  systemd.timers.update-blocklist = {
+    description = "Daily update of CoreDNS blocklist";
+    wantedBy = [ "timers.target" ];
+    after = [ "network-online.target" ];
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = true;
+      RandomizedDelaySec = "1h";
+    };
+  };
 }