From 555a489f7d6c3f363850788ad10ed39206e8a755 Mon Sep 17 00:00:00 2001
From: Crony Akatsuki
Date: Sat, 27 Sep 2025 11:00:32 +0200
Subject: [PATCH] feat(tyr): setup local dns with blocky+unbound.
---
 hosts/tyr/configuration.nix | 7 ++---
 modules/servers/tyr/default.nix | 1 +
 modules/servers/tyr/dns.nix | 49 +++++++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+), 5 deletions(-)
 create mode 100644 modules/servers/tyr/dns.nix
diff --git a/hosts/tyr/configuration.nix b/hosts/tyr/configuration.nix
index 69a4ff3..af5bcd5 100644
--- a/hosts/tyr/configuration.nix
+++ b/hosts/tyr/configuration.nix
@@ -26,13 +26,10 @@
 }
 ];
 networking.defaultGateway = "192.168.0.1";
- networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
+ networking.nameservers = ["127.0.0.1"];
 services.resolved = {
 enable = true;
- fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
- dnssec = "true";
- dnsovertls = "true";
- domains = ["~."];
+ fallbackDns = ["127.0.0.1"];
 };
 
 # Enable flakes
diff --git a/modules/servers/tyr/default.nix b/modules/servers/tyr/default.nix
index 1bebe48..01bd0ee 100644
--- a/modules/servers/tyr/default.nix
+++ b/modules/servers/tyr/default.nix
@@ -6,5 +6,6 @@
 ./wireguard.nix
 ./secrets.nix
 ./nfs-server.nix
+ ./dns.nix
 ];
 }
diff --git a/modules/servers/tyr/dns.nix b/modules/servers/tyr/dns.nix
new file mode 100644
index 0000000..4fe5ab1
--- /dev/null
+++ b/modules/servers/tyr/dns.nix
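Review bot: `fallbackDns = ["127.0.0.1"]` names the same address as `networking.nameservers`, so the fallback adds no resilience: if blocky is down, resolved has no other path and name resolution on the host stops. If failing closed rather than sending queries to a public resolver is the intent, record it where the setting is, e.g. `# fallback deliberately local: fail closed instead of falling back to a public resolver`; otherwise configure a fallback that does not depend on blocky being up. Removing `dnssec = "true"` and `dnsovertls = "true"` is consistent with running a local recursive resolver, but it moves DNSSEC validation out of resolved and onto unbound in modules/servers/tyr/dns.nix, which is worth stating in the same comment so the next reader does not assume validation was simply dropped.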
@@ -0,0 +1,49 @@
+{
+ services.resolved.extraConfig = ''
+ DNSStubListener=no
+ '';
+
+ # Setup blocky for adblocking
+ services.blocky = {
+ enable = true;
+ settings = {
+ ports.dns = 53;
+ connectIPVersion = "v4";
+
+ upstreams.groups.default = [
+ "127.0.0.1:553"
+ ];
+
+ blocking = {
+ denylists = {
+ "pro" = ["https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/wildcard/pro.txt"];
+ "tif" = ["https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/wildcard/tif.txt"];
+ };
+ clientGroupsBlock.default = ["pro" "tif"];
+ };
+
+ caching = {
+ prefetching = true;
+ minTime = "1m";
+ };
+ };
+ };
+
+ # Setup unbound for recursive dns
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = ["127.0.0.1"];
+ port = 553;
+ do-ip4 = true;
+ do-ip6 = false;
+
+ prefetch = true;
+ cache-max-ttl = 60;
+ cache-max-negative-ttl = 60;
+ serve-original-ttl = true;
+ };
+ };
+ };
+}
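Review bot: `ports.dns = 53;` makes blocky bind on every address, so the resolver is reachable from the LAN and the WireGuard interface rather than only from this host; whether it is actually exposed depends on the firewall, which is not in this hunk. If the service is meant to be host-local as the commit message says, bind it explicitly with `ports.dns = "127.0.0.1:53";` to match unbound's `interface = ["127.0.0.1"]`; if LAN clients are meant to use it, say so in a comment and open the port deliberately. `DNSStubListener=no` also leaves nothing listening on resolved's stub address, so programs that read /etc/resolv.conf directly rather than going through nss-resolve would fail unless resolv.conf is pointed at 127.0.0.1, which I cannot confirm from this change and is worth checking on the host. Since `dnssec` was removed from resolved in hosts/tyr/configuration.nix, validation now rests on unbound, and nothing here sets a trust anchor, so it relies on the NixOS module default (enableRootTrustAnchor, which I believe is on); a comment such as `# DNSSEC validation happens in unbound via the module's default root trust anchor` would make that explicit.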