From 44d7516aeb81bc1f7d6282f6baff99c57305a289 Mon Sep 17 00:00:00 2001
From: Yethal <26117918+Yethal@users.noreply.github.com>
Date: Tue, 11 Mar 2025 18:44:50 +0100
Subject: [PATCH 1/5] Add unbound config nix package
---
 flake.nix | 7 ++++++-
 unbound.nix | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 unbound.nix
diff --git a/flake.nix b/flake.nix
index 27abbe1f3..342068f6b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -52,6 +52,11 @@
 python3Packages.requests
 ];
 };
- });
+ }
+ );
+
+ packages = forAllSystems (system: {
+ unbound = nixpkgsFor.${system}.callPackage ./unbound.nix { };
+ });
 };
 }
diff --git a/unbound.nix b/unbound.nix
new file mode 100644
index 000000000..72551f221
--- /dev/null
+++ b/unbound.nix
@@ -0,0 +1,19 @@
+{
+ stdenvNoCC,
+}:
+stdenvNoCC.mkDerivation {
+ name = "stevenblack-hosts-unbound";
+ src = ./.;
+
+ installPhase =
+ let
+ toUnboundConf = ''awk 'NF == 2 && $1 == "0.0.0.0" && $2 != "0.0.0.0" { printf "local-zone: \"%s\" always_nxdomain\n", $2 }'\'';
+ in
+ ''
+ mkdir $out
+ cat $src/hosts | ${toUnboundConf} > $out/hosts
+ for file in alternates/*/hosts; do
+ cat $file | ${toUnboundConf} > $out/$(basename $(dirname $file))
+ done
+ '';
+}
From f924014d99dbe12db3972fe0f82fdf95d86f0c6b Mon Sep 17 00:00:00 2001
From: Bobbe
Date: Tue, 24 Mar 2026 15:59:11 +0100
Subject: [PATCH 2/5] Use runCommandLocal instead of mkDerivation, pipe instead of cat
---
 unbound.nix | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)
diff --git a/unbound.nix b/unbound.nix
index 72551f221..1e9aa3d70 100644
--- a/unbound.nix
+++ b/unbound.nix
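Review bot: The awk program in patch 1/5's `unbound.nix` copies `$2` into a quoted `local-zone:` directive without checking that it is a hostname, and `NF == 2` silently skips every entry with extra fields, such as one followed by a `# comment`. The hosts data is aggregated from third-party lists, so a stray `"` in a single entry would presumably produce a file unbound refuses to load, and a skipped entry is a blocklist gap nobody notices. I would tighten the pattern with `$2 ~ /^[A-Za-z0-9._-]+$/` and, if the generated files can carry trailing comments, relax the field count to `(NF == 2 || $3 ~ /^#/)`. The same filter is carried unchanged into patches 2/5 and 4/5.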
@@ -1,19 +1,13 @@
 {
- stdenvNoCC,
+ runCommandLocal,
 }:
-stdenvNoCC.mkDerivation {
- name = "stevenblack-hosts-unbound";
- src = ./.;
-
- installPhase =
- let
- toUnboundConf = ''awk 'NF == 2 && $1 == "0.0.0.0" && $2 != "0.0.0.0" { printf "local-zone: \"%s\" always_nxdomain\n", $2 }'\'';
- in
- ''
- mkdir $out
- cat $src/hosts | ${toUnboundConf} > $out/hosts
- for file in alternates/*/hosts; do
- cat $file | ${toUnboundConf} > $out/$(basename $(dirname $file))
- done
- '';
-}
+let
+ toUnboundConf = ''awk 'NF == 2 && $1 == "0.0.0.0" && $2 != "0.0.0.0" { printf "local-zone: \"%s\" always_nxdomain\n", $2 }'\'';
+in
+runCommandLocal "stevenblack-hosts-unbound" { src = ./.; } ''
+ mkdir $out
+ ${toUnboundConf} < $src/hosts > $out/hosts
+ for file in alternates/*/hosts; do
+ ${toUnboundConf} < $file > $out/$(basename $(dirname $file))
+ done
+''
From db6c334e94d57d5df50f1741dae5d01e3aba88ce Mon Sep 17 00:00:00 2001
From: Bobbe
Date: Wed, 25 Mar 2026 12:37:47 +0100
Subject: [PATCH 3/5] Fix building unbound configs for alternates
---
 unbound.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unbound.nix b/unbound.nix
index 1e9aa3d70..0727edb4a 100644
--- a/unbound.nix
+++ b/unbound.nix
@@ -7,7 +7,7 @@ in
 runCommandLocal "stevenblack-hosts-unbound" { src = ./.; } ''
 mkdir $out
 ${toUnboundConf} < $src/hosts > $out/hosts
- for file in alternates/*/hosts; do
+ for file in $src/alternates/*/hosts; do
 ${toUnboundConf} < $file > $out/$(basename $(dirname $file))
 done
 ''
From 7adda9b685cda25038f0a5593c2b942809c86c39 Mon Sep 17 00:00:00 2001
From: Bobbe
Date: Fri, 27 Mar 2026 19:11:15 +0100
Subject: [PATCH 4/5] Use lib.sourceByRegex to filter source files
---
 unbound.nix | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/unbound.nix b/unbound.nix
index 0727edb4a..c34b50fa1 100644
--- a/unbound.nix
+++ b/unbound.nix
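Review bot: In patch 2/5, `toUnboundConf` ends in `'\''`, which as far as I can tell leaves a literal backslash as the last character of the snippet, so `${toUnboundConf} < $src/hosts` only parses as intended because that backslash escapes the space that follows it. Moving the interpolation to the end of a line or directly in front of another token would change what the shell sees. Keeping the awk program in its own file and calling `awk -f ${./hosts-to-unbound.awk}` (placeholder file name) removes the quoting trick; failing that, a comment on the `let` binding explaining why the backslash is there would save the next reader the puzzle.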
@@ -1,13 +1,23 @@
 {
+ lib,
 runCommandLocal,
 }:
 let
 toUnboundConf = ''awk 'NF == 2 && $1 == "0.0.0.0" && $2 != "0.0.0.0" { printf "local-zone: \"%s\" always_nxdomain\n", $2 }'\'';
 in
-runCommandLocal "stevenblack-hosts-unbound" { src = ./.; } ''
- mkdir $out
- ${toUnboundConf} < $src/hosts > $out/hosts
- for file in $src/alternates/*/hosts; do
- ${toUnboundConf} < $file > $out/$(basename $(dirname $file))
- done
-''
+runCommandLocal "stevenblack-hosts-unbound"
+ {
+ src = lib.sourceByRegex ./. [
+ "^hosts$"
+ "^alternates$"
+ "^alternates/[^/]+$"
+ "^alternates/[^/]+/hosts$"
+ ];
+ }
+ ''
+ mkdir $out
+ ${toUnboundConf} < $src/hosts > $out/hosts
+ for file in $src/alternates/*/hosts; do
+ ${toUnboundConf} < $file > $out/$(basename $(dirname $file))
+ done
+ ''
From 66180dae893a1cadf1ef1da5cae5700f9a9ba33d Mon Sep 17 00:00:00 2001
From: Bobbe
Date: Fri, 27 Mar 2026 19:11:49 +0100
Subject: [PATCH 5/5] Add documentation for unbound configs
---
 readme_template.md | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/readme_template.md b/readme_template.md
index bab551805..4c66936f6 100644
--- a/readme_template.md
+++ b/readme_template.md
@@ -386,8 +386,10 @@ To install hosts file on your machine add the following into your ### Nix Flake -NixOS installations which are managed through _flakes_ can use the hosts file -like this: +NixOS installations which are managed through _flakes_ can directly use the `flake.nix` in this repository as an input. + +It contains a `nixosModule` that can be used to install the `hosts` file locally, as well as a package containing config files for the [Unbound](https://github.com/NLnetLabs/unbound) DNS server to be used as blocklists. + ```nix {
@@ -403,7 +405,9 @@ like this:
 nixosConfigurations.my-hostname = {
 system = "";
 modules = [
- hosts.nixosModule {
+ # nixosModule to install hosts file locally:
+ hosts.nixosModule
+ {
 networking.stevenBlackHosts = {
 enable = true;
 # optionally:
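Review bot: In patch 4/5's build script, `$file` and the nested `$(basename $(dirname $file))` are left unquoted while the new filter `^alternates/[^/]+$` accepts any directory name, so a name with whitespace would word-split and a directory literally called `hosts` would overwrite `$out/hosts`. Quoting the expansions, `${toUnboundConf} < "$file" > "$out/$(basename "$(dirname "$file")")"`, keeps the loop correct for whatever the filter lets through. A one-line comment above the regex list noting that `^alternates$` and `^alternates/[^/]+$` are presumably listed so the filter descends into those directories would also help.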
@@ -414,6 +418,19 @@ like this:
 # blockSocial = true;
 };
 }
+
+ # configure unbound to use config as blocklist:
+ {
+ {
+ services.unbound = {
+ enable = true;
+ settings.server.include = [
+ "${hosts.packages.${system}.unbound}/hosts"
+ # alternates are also available, e.g. /fakenews, /fakenews-gambling etc.
+ ];
+ };
+ }
+ }
 ];
 };
 };