nixos-module: add blocklist-update

nixos-module.nix

@@ -3,11 +3,14 @@
 let
   cfg = config.services.caveman;
 
+  blocklistPath = "/etc/caveman.blocklist";
+
   hunterDefaultSettings = {
     redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
     hosts = [ "mastodon.social" "fosstodon.org" "chaos.social" "dresden.network" ];
     max_workers = 16;
     prometheus_port = 9101;
+    blocklist = blocklistPath;
   };
 
   hunterSettings = lib.recursiveUpdate hunterDefaultSettings cfg.hunter.settings;
@@ -265,5 +268,24 @@ in
         AmbientCapabilities = "CAP_NET_BIND_SERVICE";
       };
     };
+
+    systemd.services.blocklist-update = lib.mkIf cfg.hunter.enable {
+      requires = [ "network-online.target" ];
+      path = with pkgs; [ coreutils wget ];
+      script = ''
+        T=$(mktemp blocklistXXXX)
+        wget -O $T https://rapidblock.org/blocked_domains.csv
+        mv $T ${lib.escapeShellArg blocklistPath}
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        Restart = "on-failure";
+        RestartSec = 600;
+      };
+    };
+    systemd.timers.blocklist-update = lib.mkIf cfg.hunter.enable {
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnCalendar = "hourly";
+    };
   };
 }