From f43160053288bdd1efde3c290fa02c726f7c602f Mon Sep 17 00:00:00 2001
From: coolneng <akasroua@gmail.com>
Date: Mon, 30 Nov 2020 02:03:58 +0100
Subject: [PATCH] Set up ad-block at the DNS level

---
 README.org             |  1 +
 configuration.nix      |  1 +
 modules/networking.nix | 25 +++++++++++++++++++++++--
 modules/periodic.nix   | 30 ++++++++++++++++++++++++++++++
 4 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 modules/periodic.nix

diff --git a/README.org b/README.org
index 184c7de..3c8870d 100644
--- a/README.org
+++ b/README.org
@@ -12,5 +12,6 @@
  - Web services and reverse proxy: webstack.nix
  - Development tools: devops.nix
  - Smartd: monitoring.nix
+ - Systemd services and timers: periodic.nix
 
  All the modules are imported in *configuration.nix*
diff --git a/configuration.nix b/configuration.nix
index 025273c..755fd91 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -107,6 +107,7 @@
     ./modules/webstack.nix
     ./modules/devops.nix
     ./modules/monitoring.nix
+    ./modules/periodic.nix
   ];
 
 }
diff --git a/modules/networking.nix b/modules/networking.nix
index a51d1f8..7bacf2e 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -33,11 +33,13 @@ in {
     allowedTCPPorts = [
       631 # Cups
       6566 # SANE
-      80
-      443
+      80 # HTTP
+      443 # HTTPS
+      53 # DNS
     ];
     allowedUDPPorts = [
       1194 # Wireguard
+      53 # DNS
     ];
     autoLoadConntrackHelpers = true;
     connectionTrackingModules = [ "sane" ];
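Review bot: Port 53 is added to the global `allowedTCPPorts` / `allowedUDPPorts` lists, which open it on every interface, while the dnsmasq configuration in the second hunk of this file only listens on 127.0.0.1, 192.168.1.2 and 10.8.0.1. Today the `listen-address` / `bind-interfaces` pair is the only thing keeping the resolver from answering on other addresses; the firewall rule should carry the same scope so that a later edit to the dnsmasq listen list cannot silently turn this host into an open resolver. Use the per-interface form, e.g. `networking.firewall.interfaces."<lan-iface>".allowedUDPPorts = [ 53 ];` (likewise for TCP and for the WireGuard interface; the interface names are not shown in this patch), and drop 53 from the global lists. The enclosing `networking.firewall` attribute set starts and ends outside the hunk.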
@@ -77,5 +79,24 @@ in {
     };
   };
 
+  # DNS server with ad-block
+  services.dnsmasq = {
+    enable = true;
+    servers = [ "176.9.37.132" "116.203.147.31" ];
+    extraConfig = ''
+      domain-needed
+      bogus-priv
+      no-resolv
+
+      listen-address=127.0.0.1,192.168.1.2,10.8.0.1
+      bind-interfaces
+
+      cache-size=10000
+      local-ttl=300
+
+      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
+    '';
+  };
+
 }
 
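Review bot: `conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt` names a file that nothing in this dnsmasq block creates; it only exists after `download-dns-blocklist.service` from modules/periodic.nix has run successfully, and that unit is not ordered before dnsmasq. On a fresh install, or any boot where the first fetch fails, dnsmasq would start with a missing include, which as far as I know dnsmasq treats as a fatal configuration error, taking name resolution down for every client pointed at this host. Guarantee the file exists independently of the download, e.g. `systemd.tmpfiles.rules = [ "d /var/lib/dnsmasq 0755 root root -" "f /var/lib/dnsmasq/dnsmasq.blacklist.txt 0644 root root -" ];`, and add `before = [ "dnsmasq.service" ];` to the download unit so a successful first fetch is picked up at first start. The enclosing attribute set begins before the hunk.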
diff --git a/modules/periodic.nix b/modules/periodic.nix
new file mode 100644
index 0000000..c8a6210
--- /dev/null
+++ b/modules/periodic.nix
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+let
+  stateDir = "/var/lib/dnsmasq";
+  blocklist = "${stateDir}/dnsmasq.blacklist.txt";
+
+in {
+  # Fetch hosts-blocklists daily
+  systemd.services.download-dns-blocklist = {
+    description = "Download hosts-blocklists";
+    wantedBy = [ "default.target" ];
+    path = with pkgs; [ curl ];
+    script =
+      "curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}";
+    serviceConfig = { Type = "oneshot"; };
+    postStop = ''
+      chown -R dnsmasq ${stateDir}
+      systemctl restart dnsmasq
+    '';
+  };
+
+  systemd.timers.download-dns-blocklist = {
+    description = "Daily download of hosts-blocklists";
+    wantedBy = [ "default.target" ];
+    timerConfig = {
+      OnCalendar = "02:00:00";
+      Unit = "download-dns-blocklist.service";
+    };
+  };
+}
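Review bot: The `curl -L ... -o ${blocklist}` on the script line overwrites the live blocklist in place and without `--fail`, so an HTTP error body or a truncated transfer replaces a good list, and because `postStop` maps to `ExecStopPost`, which systemd also runs after a failed `ExecStart`, `systemctl restart dnsmasq` is still issued and hands dnsmasq the broken file. The downloaded text is also included by dnsmasq as configuration (`conf-file=` in modules/networking.nix), not as a hosts list, so any directive the remote serves is honoured; the script should fetch into a temporary file, check that it holds only the directive forms the list is expected to contain, and only then move it into place and restart. Moving the restart to `postStart` (`ExecStartPost`) ties it to a successful fetch, and `before = [ "dnsmasq.service" ]` lets the first fetch land before dnsmasq reads the file. The `address=` / `server=` allow-list in the rewrite below is a guess at the list's format and should be confirmed against the current upstream file.

```nix
  systemd.services.download-dns-blocklist = {
    description = "Download hosts-blocklists";
    wantedBy = [ "default.target" ];
    before = [ "dnsmasq.service" ];
    path = with pkgs; [ curl ];
    script = ''
      mkdir -p ${stateDir}
      tmp="$(mktemp ${stateDir}/blocklist.XXXXXX)"
      # --fail: an HTTP error must not be written out as if it were the list
      curl --fail --silent --show-error -L \
        https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt \
        -o "$tmp"
      # The file is read by dnsmasq as configuration, so accept only the
      # directive forms the list is expected to contain (confirm upstream).
      if grep -qvE '^(#|$|address=|server=)' "$tmp"; then
        echo "unexpected directive in downloaded blocklist; keeping previous file" >&2
        rm -f "$tmp"
        exit 1
      fi
      # Same directory as the target, so the rename is atomic.
      mv "$tmp" ${blocklist}
      chown dnsmasq ${blocklist}
    '';
    serviceConfig = { Type = "oneshot"; };
    # ExecStartPost: only reached when the fetch above succeeded.
    postStart = "systemctl restart dnsmasq";
  };

  # … unchanged: systemd.timers.download-dns-blocklist …
```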