server.nix/services/blocky.nix


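{ config, ... }:
let
  # Build an attrset mapping every entry of `names` to the single address `ip`.
  # Shared by customDNS.mapping and conditional.mapping below, which each used
  # to carry an identical private copy of this helper.
  mapNamesTo = names: ip:
    builtins.listToAttrs (map (name: { inherit name; value = ip; }) names);
in
{
  services.blocky = {
    enable = true;
    settings = {
      caching = {
        minTime = "5m";
        maxTime = "30m";
        prefetching = true;
      };
      ports.dns = 53;
      # Upstream resolvers. The bare-IP form is plain DNS on port 53; blocky
      # also accepts the "https://…/dns-query" form used in bootstrapDns
      # below if an encrypted upstream transport is wanted.
      upstreams.groups.default = [
        "1.1.1.1"
        "1.0.0.1"
      ];
      # Resolvers used only to look up the hostnames of the upstreams
      # themselves (relevant for DoH/DoT upstream URLs).
      bootstrapDns = [
        "tcp+udp:1.1.1.1"
        "https://1.1.1.1/dns-query"
      ];
      # Static answers for the *.internal service names; all resolve to one
      # address in the 100.64.0.0/10 (CGNAT) range.
      customDNS.mapping = mapNamesTo [
        "files.internal"
        "qbittorrent.internal"
        "scrutiny.internal"
        "archive.internal"
        "sonarr.internal"
        "radarr.internal"
        "prowlarr.internal"
        "bazarr.internal"
        "lidarr.internal"
        "syncthing.internal"
      ] "100.93.150.89";
      # Queries for these OpenNIC top-level domains are forwarded to the
      # listed resolver instead of the default upstream group.
      conditional.mapping = mapNamesTo [
        "epic"
        "geek"
        "chan"
        "fur"
        "cyb"
        "oss"
        "pirate"
        "neo"
        "libre"
        "dyn"
        "glue"
        "indy"
        "bbs"
        "gopher"
        "null"
        "o"
        "oz"
        "parody"
        "bazar"
        "coin"
        "lib"
        "emc"
        "ku"
        "uu"
        "ti"
        "te"
      ] "138.197.140.189";
      blocking = {
        # Remote denylist fetched over HTTPS; the host list is applied to the
        # "default" client group below.
        denylists = {
          ads = [
            "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
          ];
        };
        clientGroupsBlock.default = [
          "ads"
        ];
      };
    };
  };
  # Opens the DNS port on every interface. If this host has a publicly
  # reachable interface, that makes blocky an open resolver; scope it with
  # networking.firewall.interfaces.<name>.allowed{UDP,TCP}Ports when only one
  # network should be able to query it.
  networking.firewall = {
    allowedUDPPorts = [ config.services.blocky.settings.ports.dns ];
    allowedTCPPorts = [ config.services.blocky.settings.ports.dns ];
  };
}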