From 9a5427e3a0c0ccf2a82dc503149a26b23fbd6004 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Sun, 31 Mar 2024 21:29:27 +0300 Subject: 2024-03-31 --- modules/nixos/unbound.nix | 151 +++++++++++++++++++++++++++------------------- 1 file changed, 90 insertions(+), 61 deletions(-) (limited to 'modules/nixos/unbound.nix') diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix index 5aaf104..e71d48c 100644 --- a/modules/nixos/unbound.nix +++ b/modules/nixos/unbound.nix @@ -5,9 +5,11 @@ this, ... }: -with lib; let +with lib; +let cfg = config.nixfiles.modules.unbound; -in { +in +{ options.nixfiles.modules.unbound = { enable = mkEnableOption "Unbound"; @@ -18,11 +20,12 @@ in { }; }; - config = let - adblock-conf = "${config.services.unbound.stateDir}/adblock.conf"; - in + config = + let + adblock-conf = "${config.services.unbound.stateDir}/adblock.conf"; + in mkIf cfg.enable { - ark.directories = [config.services.unbound.stateDir]; + ark.directories = [ config.services.unbound.stateDir ]; nixfiles.modules.redis.enable = true; 
@@ -45,40 +48,51 @@ in { ipv6.address ]; - local-zone = - concatLists - (mapAttrsToList (h: _: ["\"${h}.${cfg.domain}\" redirect"]) - my.configurations); - local-data = concatLists (mapAttrsToList (hostname: let - domain = "${hostname}.${cfg.domain}"; - in - attr: (optionals (hasAttr "wireguard" attr) (with attr.wireguard; - [ - "\"${domain} 604800 IN A ${ipv4.address}\"" - "\"${domain} 604800 IN AAAA ${ipv6.address}\"" - "\"${domain}. A ${ipv4.address}\"" - "\"${domain}. AAAA ${ipv6.address}\"" - ] - ++ concatMap (domain: [ - "\"${domain}. A ${ipv4.address}\"" - "\"${domain}. AAAA ${ipv6.address}\"" - ]) - attr.domains))) - my.configurations); - local-data-ptr = concatLists (mapAttrsToList (hostname: let - domain = "${hostname}.${cfg.domain}"; - in - attr: (optionals (hasAttr "wireguard" attr) (with attr.wireguard; - [ - "\"${ipv4.address} ${domain}\"" - "\"${ipv6.address} ${domain}\"" - ] - ++ concatMap (domain: [ - "\"${ipv4.address} ${domain}\"" - "\"${ipv6.address} ${domain}\"" - ]) - attr.domains))) - my.configurations); + local-zone = concatLists ( + mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations + ); + local-data = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard" attr) ( + with attr.wireguard; + [ + "\"${domain} 604800 IN A ${ipv4.address}\"" + "\"${domain} 604800 IN AAAA ${ipv6.address}\"" + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. AAAA ${ipv6.address}\"" + ] + ++ concatMap (domain: [ + "\"${domain}. A ${ipv4.address}\"" + "\"${domain}. 
AAAA ${ipv6.address}\"" + ]) attr.domains + )) + ) my.configurations + ); + local-data-ptr = concatLists ( + mapAttrsToList ( + hostname: + let + domain = "${hostname}.${cfg.domain}"; + in + attr: + (optionals (hasAttr "wireguard" attr) ( + with attr.wireguard; + [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ] + ++ concatMap (domain: [ + "\"${ipv4.address} ${domain}\"" + "\"${ipv6.address} ${domain}\"" + ]) attr.domains + )) + ) my.configurations + ); private-domain = map (domain: "${domain}.") [ cfg.domain @@ -124,9 +138,19 @@ in { { name = "."; forward-tls-upstream = true; - forward-addr = let - mkDnsOverTls = ips: auth: map (ip: concatStrings [ip "@" auth]) ips; - in + forward-addr = + let + mkDnsOverTls = + ips: auth: + map ( + ip: + concatStrings [ + ip + "@" + auth + ] + ) ips; + in mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net"; } ]; 
@@ -154,40 +178,45 @@ in { systemd = { services = { - unbound.after = ["unbound-adblock-update.service"]; + unbound.after = [ "unbound-adblock-update.service" ]; unbound-adblock-update = { serviceConfig = with config.services.unbound; { Type = "oneshot"; User = user; Group = group; - ExecStart = getExe (pkgs.writeShellApplication { - name = "unbound-adblock-update"; - runtimeInputs = [pkgs.curl package]; - text = '' - curl \ - -s \ - -o ${adblock-conf} \ - "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf" - - if [[ -f "${localControlSocketPath}" ]]; then - unbound-control reload - fi - ''; - }); + ExecStart = getExe ( + pkgs.writeShellApplication { + name = "unbound-adblock-update"; + runtimeInputs = [ + pkgs.curl + package + ]; + text = '' + curl \ + -s \ + -o ${adblock-conf} \ + "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf" + + if [[ -f "${localControlSocketPath}" ]]; then + unbound-control reload + fi + ''; + } + ); }; }; }; timers.unbound-adblock-update = { - requires = ["network-online.target"]; - after = ["network-online.target"]; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; timerConfig = { OnCalendar = "daily"; Persistent = true; Unit = "unbound-adblock-update.service"; }; - wantedBy = ["timers.target"]; + wantedBy = [ "timers.target" ]; }; }; -- cgit v1.2.3
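Review bot: The curl call in the new `ExecStart` script still runs without `-f`/`--fail` and without a timeout, so an HTTP error page or a truncated response is written straight into `${adblock-conf}` and the following `unbound-control reload` loads it as the blocklist; a bad fetch should fail the oneshot unit and leave the previous file untouched instead. Since writeShellApplication runs the script with errexit, downloading to a temporary name and renaming on success is enough: `curl -sf --max-time 60 -o ${adblock-conf}.tmp "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf"` followed by `mv ${adblock-conf}.tmp ${adblock-conf}`, so the reload only ever sees a complete file. Because `unbound.after` orders unbound behind this service, a first boot with no network and no pre-existing adblock.conf presumably also leaves the resolver without a list; whether the unbound config tolerates a missing include is not visible here and should be confirmed. The surrounding `config` attribute set continues outside this hunk.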