pi/services/blocky.nix


# Blocky DNS resolver for the Pi: answers the local service names from the
# shared network data, forwards everything else to DNS-over-HTTPS upstreams,
# and opens the firewall for the DNS port.
{ config, pkgs, ... }:
let
  net = import ../data/network.nix;
  # Standard DNS port, shared by the listener and both firewall rules below.
  dnsPort = 53;
in
{
  services.blocky = {
    enable = true;

    settings = {
      # NOTE(review): a bare port appears to bind on every interface; combined
      # with the firewall rules below, any interface reachable from outside the
      # LAN would expose an open resolver — confirm the Pi has no such
      # interface, or bind the listener to a LAN address instead.
      ports.dns = dnsPort;

      # Static answers for the local service names (domain -> address),
      # taken from ../data/network.nix so the list lives in one place.
      customDNS.mapping = net.dnsMappings;

      # Route queries for those same domains to the router rather than the
      # public upstreams; fallbackUpstream = false presumably means no retry
      # against the public groups if the router does not answer — confirm
      # against the blocky version in use.
      conditional = {
        fallbackUpstream = false;
        mapping = builtins.mapAttrs (_: _: net.ips.router) net.dnsMappings;
      };

      # Public resolvers: Cloudflare DoH first, then the shared fallback list.
      upstreams.groups.default =
        [ "https://cloudflare-dns.com/dns-query" ] ++ net.fallback_dns_servers;

      # Plain IPs for the DoH endpoint so it can be reached before any
      # resolver is available.
      bootstrapDns = {
        upstream = "https://1.1.1.1/dns-query";
        ips = [ "1.1.1.1" "1.0.0.1" ];
      };

      # Response cache: clamp TTLs to 5–30 minutes and refresh hot entries
      # before they expire.
      caching = {
        minTime = "5m";
        maxTime = "30m";
        prefetching = true;
      };

      # Ad blocking is currently off; a starting point if it is wanted:
      # blocking = {
      #   denylists.ads = [ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ];
      #   clientGroupsBlock.default = [ "ads" ];
      # };
    };
  };

  # Let clients reach the resolver; DNS uses both transports.
  networking.firewall.allowedTCPPorts = [ dnsPort ];
  networking.firewall.allowedUDPPorts = [ dnsPort ];
}