Skip to content
/ unbound-blocklist Public

Nix flake that transforms StevenBlack blocklists into the unbound format

License

MIT license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mirosval/unbound-blocklist

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
.github/workflows
.github/workflows
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
flake.lock
flake.lock
 
 
flake.nix
flake.nix
 
 

Repository files navigation

DNS Blocklists for Unbound

.github/workflows/ci.yml Update blocklist FlakeHub

The amazing StevenBlack repo has block lists for various domains that have been known to serve ads and other malicious content.

However the blocklist is in /etc/hosts format that looks like this:

0.0.0.0 ck.getcookiestxt.com
0.0.0.0 eu1.clevertap-prod.com
0.0.0.0 wizhumpgyros.com
0.0.0.0 coccyxwickimp.com
0.0.0.0 webmail-who-int.000webhostapp.com

And if you want to use it with Unbound, you need to have it in a format like this:

local-zone: "ck.getcookiestxt.com." always_null
local-zone: "eu1.clevertap-prod.com." always_null
local-zone: "wizhumpgyros.com." always_null
local-zone: "coccyxwickimp.com." always_null
local-zone: "webmail-who-int.000webhostapp.com." always_null

So what this Nix flake does is convert the above format to the below format. Then it exposes the converted file as a package. It additionally exposes a NixOS Module that can be used to automatically configure Unbound to use this converted blocklist.

{
  description = "NixOS configuration with Unbound Blocklist";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    blocklist.url = "github:mirosval/unbound-blocklist";
  };

  outputs = inputs@{ nixpkgs, blocklist, ... }: {
    nixosConfigurations = {
      hostName = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./configuration.nix
          blocklist.nixosModules.default
          {
            services.unbound = {
                enable = true;
                # This line enables the blocklist
                blocklist.enable = true;
            };
          }
        ];
      };
    };
  };
}

What it exactly does is it adds an include statement to the server block of the /etc/unbound/unbound.conf file and points it to the blocklist.conf file generated by the package included in this flake.

TODO

There are some ways this could be extended:

  • Add the other optional lists from StevenBlack (rn it's just the ads + malware)
  • Add CI so that the blocklists are automatically updated

Updating

In order to reflect the latest changes to the upstream blocklists, take the following steps:

# Get the hash of the latest master
nix shell nixpkgs#nurl --command nurl https://github.com/StevenBlack/hosts master
> fetchFromGitHub {
  owner = "StevenBlack";
  repo = "hosts";
  rev = "master";
  hash = "sha256-fPMGNj1dXrbxJDxiC8U41NLz1vL5m3Ayw8uC1HJm4sU="; # <-- this
}

# Update it in flake.nix

About

Nix flake that transforms StevenBlack blocklists into the unbound format

Topics

dns nix blocklist unbound stevenblack nix-flake

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

36 tags

Packages

No packages published

Languages