constants.nix

@@ -3,15 +3,12 @@ rec {
   intranet = "i." + domain;
   ca-fqdn = "ca." + intranet;
   hosts = {
-    sid = {
+    "16ach6".ip = "100.64.0.2";
-      ip = "100.64.0.6";
+    pc.ip = "100.64.0.5";
-    };
+    pixel6a.ip = "100.64.0.4";
-    rx4 = {
+    rx4.ip = "100.64.0.10";
-      ip = "100.64.0.10";
+    sid.ip = "100.64.0.6";
-    };
+    vde.ip = "100.64.0.1";
-    vde = {
-      ip = "100.64.0.1";
-    };
   };
   services = {
     docs = {

hosts/sid/services/coredns.nix

@@ -1,5 +1,19 @@
-{ constants, ... }:
+{ constants, pkgs, ... }:
 
+let
+  blockSrc = builtins.concatStringsSep " " (
+    with constants;
+    [
+      hosts."16ach6".ip
+      hosts.pc.ip
+      hosts.pixel6a.ip
+    ]
+  );
+
+  corednsCfgDir = "/etc/coredns";
+  blocklistFile = corednsCfgDir + "/blocklist.txt";
+  blocklistURL = "https://big.oisd.nl/";
+in
 {
   services.resolved.enable = false;
   networking.resolvconf.enable = false;
@@ -22,6 +36,14 @@
           ${hosts.vde.ip} vde.tail
           fallthrough
         }
+
+        acl {
+          allow src ${blockSrc} {
+            forward . 1.1.1.1 8.8.8.8
+            block { list ${blocklistFile} }
+          }
+        }
+
         forward . 1.1.1.1 8.8.8.8
         cache 30
         log
@@ -30,6 +52,23 @@
     '';
   };
 
-  networking.firewall.allowedUDPPorts = [ 53 ];
+  systemd.services.update-blocklist = {
-  networking.firewall.allowedTCPPorts = [ 53 ];
+    description = "Download CoreDNS blocklist";
+    serviceConfig.Type = "oneshot";
+    script = ''
+      mkdir -p ${corednsCfgDir}
+      ${pkgs.curl}/bin/curl -s -o ${blocklistFile} ${blocklistURL}
+    '';
+  };
+
+  systemd.timers.update-blocklist = {
+    description = "Daily update of CoreDNS blocklist";
+    wantedBy = [ "timers.target" ];
+    after = [ "network-online.target" ];
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = true;
+      RandomizedDelaySec = "1h";
+    };
+  };
 }