Merge pull request #3077 from 30350n/unbound-confs-rework

Rework "Generate unbound configuration files from blocklist files (#2833)"
Steven Black
2026-04-27 09:50:44 -04:00
committed by GitHub
3 changed files with 49 additions and 4 deletions


@@ -52,6 +52,11 @@
python3Packages.requests
];
};
}
);
packages = forAllSystems (system: {
unbound = nixpkgsFor.${system}.callPackage ./unbound.nix { };
});
};
}


@@ -386,8 +386,10 @@ To install hosts file on your machine add the following into your
### Nix Flake
NixOS installations which are managed through _flakes_ can use the hosts file
like this:
NixOS installations which are managed through _flakes_ can directly use the `flake.nix` in this repository as an input.
It contains a `nixosModule` that can be used to install the `hosts` file locally, as well as a package containing config files for the [Unbound](https://github.com/NLnetLabs/unbound) DNS server to be used as blocklists.
```nix
{
@@ -403,7 +405,9 @@ like this:
nixosConfigurations.my-hostname = {
system = "<architecture>";
modules = [
hosts.nixosModule {
# nixosModule to install hosts file locally:
hosts.nixosModule
{
networking.stevenBlackHosts = {
enable = true;
# optionally:
@@ -414,6 +418,19 @@ like this:
# blockSocial = true;
};
}
# configure unbound to use config as blocklist:
{
{
services.unbound = {
enable = true;
settings.server.include = [
"${hosts.packages.${system}.unbound}/hosts"
# alternates are also available, e.g. /fakenews, /fakenews-gambling etc.
];
};
}
}
];
};
};

23
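--- /dev/null
+++ b/unbound.nix
@@ -0,0 +1,23 @@
+{
+lib,
+runCommandLocal,
+}:
+let
+toUnboundConf = ''awk 'NF == 2 && $1 == "0.0.0.0" && $2 != "0.0.0.0" { printf "local-zone: \"%s\" always_nxdomain\n", $2 }'\'';
+in
+runCommandLocal "stevenblack-hosts-unbound"
+{
+src = lib.sourceByRegex ./. [
+"^hosts$"
+"^alternates$"
+"^alternates/[^/]+$"
+"^alternates/[^/]+/hosts$"
+];
+}
+''
+mkdir $out
+${toUnboundConf} < $src/hosts > $out/hosts
+for file in $src/alternates/*/hosts; do
+${toUnboundConf} < $file > $out/$(basename $(dirname $file))
+done
+''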
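Review bot: The awk filter in `toUnboundConf` copies `$2` into `local-zone: "%s" always_nxdomain` without checking that it is a well-formed hostname, so one entry containing a double quote or another non-hostname character would yield a config line that Unbound may refuse to load. Because the hosts files are aggregated from third-party lists and the output is pulled into `services.unbound` via `include`, a single bad entry could presumably stop the resolver from starting. I would tighten the pattern to `NF == 2 && $1 == "0.0.0.0" && $2 != "0.0.0.0" && $2 ~ /^[A-Za-z0-9._-]+$/`. `NF == 2` also silently drops any blocking line with a trailing comment, if the hosts files contain such lines, so the generated blocklist could be smaller than the source without any warning. The build script leaves `$file`, `$out` and `$(basename $(dirname $file))` unquoted; `"$out/$(basename "$(dirname "$file")")"` avoids word splitting if an `alternates` directory name ever contains whitespace.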