diff --git a/flake.nix b/flake.nix
index a5a5782..3a54375 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,7 @@
 ./packages.nix
 ./users.nix
 ./networking/ssh.nix
+./networking/adblock.nix
 ];
 };
 };
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
index 1fff730..88509b6 100644
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@@ -4,29 +4,27 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
-imports =
-[ (modulesPath + "/installer/scan/not-detected.nix")
-];
+imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc" ];
+boot.initrd.availableKernelModules =
+[ "xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc" ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
-fileSystems."/" =
-{ device = "/dev/disk/by-uuid/887383a8-555c-4156-9b62-337ae007ce51";
-fsType = "ext4";
-};
+fileSystems."/" = {
+device = "/dev/disk/by-uuid/887383a8-555c-4156-9b62-337ae007ce51";
+fsType = "ext4";
+};
-fileSystems."/boot" =
-{ device = "/dev/disk/by-uuid/6979-163D";
-fsType = "vfat";
-options = [ "fmask=0077" "dmask=0077" ];
-};
+fileSystems."/boot" = {
+device = "/dev/disk/by-uuid/6979-163D";
+fsType = "vfat";
+options = [ "fmask=0077" "dmask=0077" ];
+};
 swapDevices =
-[ { device = "/dev/disk/by-uuid/3fc91af7-13f4-4088-bb9a-7d6c8adf6d73"; }
-];
+[{ device = "/dev/disk/by-uuid/3fc91af7-13f4-4088-bb9a-7d6c8adf6d73"; }];
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -47,5 +45,6 @@
 # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+hardware.cpu.intel.updateMicrocode =
+lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/networking/adblock.nix b/networking/adblock.nix
new file mode 100644
index 0000000..3a4e98c
--- /dev/null
+++ b/networking/adblock.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+let
+adblockLocalZones = pkgs.stdenv.mkDerivation {
+name = "unbound-zones-adblock";
+
+src = (pkgs.fetchFromGitHub {
+owner = "StevenBlack";
+repo = "hosts";
+rev = "3.16.20";
+sha256 = "sha256-z3VWoF5/evd0n97AmrWgSskaNqVaad0Ex2pn53JHkSk=";
+} + "/hosts");
+
+phases = [ "installPhase" ];
+
+installPhase = ''
+${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u > $out
+'';
+
+};
+in {
+services.resolved.enable = false;
+networking.firewall.allowedTCPPorts = [ 53 ];
+networking.firewall.allowedUDPPorts = [ 53 ];
+
+services.unbound = {
+enable = true;
+settings = {
+server = {
+port = 53;
+interface = [ "0.0.0.0" "127.0.0.1" ];
+access-control = [
+"127.0.0.0/8 allow"
+"10.0.0.0/8 allow"
+"172.16.0.0/12 allow"
+"192.168.0.0/16 allow"
+];
+
+include = [ "${adblockLocalZones}" ];
+
+num-threads = 2;
+so-reuseport = "yes";
+hide-identity = "yes";
+hide-version = "yes";
+qname-minimisation = "yes";
+harden-dnssec-stripped = "yes";
+prefetch = "yes";
+serve-expired = "yes";
+rrset-roundrobin = "yes";
+do-ip6 = "no";
+do-udp = "yes";
+do-tcp = "yes";
+};
+forward-zone = [{
+name = ".";
+forward-tls-upstream = "yes";
+forward-addr = [
+"1.1.1.1@853#cloudflare-dns.com"
+"1.0.0.1@853#cloudflare-dns.com"
+"8.8.8.8@853#dns.google"
+"8.8.4.4@853#dns.google"
+];
+}];
+};
+};
+
+networking.resolvconf.enable = false;
+environment.etc."resolv.conf".text = ''
+nameserver 127.0.0.1
+options edns0
+'';
+}
diff --git a/networking/host.nix b/networking/host.nix
index 5e1add1..b99c866 100644
--- a/networking/host.nix
+++ b/networking/host.nix
@@ -10,9 +10,6 @@
 };
 };
-# DNS server
-services.resolved.enable = true;
-
 networking = {
 nameservers = [ "205.171.3.25" "8.8.8.8" ];
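Review bot: The resolver is bound to `0.0.0.0` and the firewall opens TCP/UDP 53 to every source, while `access-control` admits all of 10/8, 172.16/12 and 192.168/16, so on any untrusted LAN this host joins (the hardware config references a `wlp2s0` wireless interface) every peer on the segment can use it as a forwarder; sources outside those ranges are only turned away by unbound's own default refuse, after the firewall has already accepted the packet. If the resolver is meant to be local-only, drop `"0.0.0.0"` from `interface` and remove the two `networking.firewall.allowed*Ports` lines; if it must serve a LAN, replace the three private ranges with the actual subnet and open port 53 only on that interface via `networking.firewall.interfaces.<name>.allowedTCPPorts`/`allowedUDPPorts`. `forward-tls-upstream = "yes"` authenticates the `#cloudflare-dns.com`/`#dns.google` names only when `tls-cert-bundle` is set; the NixOS unbound module appears to default it to the system CA bundle, but if the version in use does not, add `tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";` under `server` or the upstream certificate goes unverified. Separately, the awk in `installPhase` rewrites every `127.0.0.1` entry to `0.0.0.0`, so if the upstream file carries the usual `127.0.0.1 localhost`/`localhost.localdomain`/`local` header lines they become static block zones; exclude them, e.g. `&& $2 != "localhost" && $2 != "localhost.localdomain" && $2 != "local"` in the filter, or verify the generated zone file does not contain them.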
diff --git a/packages.nix b/packages.nix
index 429c32b..40b0ece 100644
--- a/packages.nix
+++ b/packages.nix
@@ -4,5 +4,7 @@
 vimPlugins.LazyVim
 git
 wget
+nixfmt-classic
+btop
 ];
 }
diff --git a/system.nix b/system.nix
index 14187b3..26818b5 100644
--- a/system.nix
+++ b/system.nix
@@ -2,4 +2,5 @@
 # System boots
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
+nix.settings.experimental.features = [ "nix-commmand" "flakes" ];
 }
diff --git a/users.nix b/users.nix
index a31622b..8a3a5b6 100644
--- a/users.nix
+++ b/users.nix
@@ -7,7 +7,7 @@
 shell = pkgs.fish;
-packages = with pkgs; [eza];
+packages = with pkgs; [ eza ];
 hashedPassword = "$6$X.mw03yY/VFjDThj$t1I68HZz6NBihZGhiJ6Ct8ZuOufX6ZX9pydnK4puTjT1XKfMO1FY5VL1DwywJHrXOEJtohV99TmrABfjdBQY21";
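Review bot: The added line `nix.settings.experimental.features = [ "nix-commmand" "flakes" ];` in system.nix will not enable flakes: the nix.conf key is the single hyphenated name `experimental-features`, so this defines a nested attribute `experimental = { features = … }` under `nix.settings` instead of that key, and the feature name `nix-commmand` carries an extra `m` that Nix does not recognise. Change it to `nix.settings.experimental-features = [ "nix-command" "flakes" ];`. Whether the current form fails evaluation outright or is written to nix.conf as an unusable entry depends on the module's settings serialiser, so confirm with `nix show-config | grep experimental` after rebuilding.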