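# Transcript of interactive steps, not a stand-alone script: everything
# below runs as root, because the lighttpd cert directory and the Pi-hole
# layout are root-owned.
sudo -i
# Install acme.sh for root (the installer writes to /root/.acme.sh).
# Replace the argument with your own address; the installer takes it as
# email=<address>. -f makes curl fail on an HTTP error instead of piping an
# error page into sh. Alternatively, clone the repository and run the
# installer locally so it can be inspected before execution.
curl -fsS https://get.acme.sh | sh -s [email protected]
certdir="/etc/lighttpd/certs/pihole.mylab.domain"
mkdir -p -- "${certdir}" || exit 1
cd -- "${certdir}" || exit 1
# DH parameters for lighttpd's ssl.dh-file. The size (4096 bits) is what
# matters, not "entropy"; -dsaparam makes generation much faster but yields
# DSA-style (non-"safe") primes, which is acceptable for ephemeral DH only.
openssl dhparam -out dhparam.pem -dsaparam 4096
# Cloudflare DNS-01 credentials for the dns_cf hook. Use a token scoped to
# DNS edits on this zone rather than the account-wide global key. The values
# below are placeholders. The token lands in this shell's environment and
# history, and acme.sh saves it in its own config for later renewals -- keep
# /root/.acme.sh readable by root only.
export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Account_ID="xxxxxxxxxxxxx"
export CF_Zone_ID="xxxxxxxxxxxxx"
# acme.sh was installed to /root/.acme.sh, not to the cert directory we are
# now in, so call it by its full path (./acme.sh would not resolve here).
/root/.acme.sh/acme.sh --issue --dns dns_cf -d pihole.mylab.domain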
Edit the lighttpd proxy config (vim /etc/lighttpd/external.conf):
# external.conf
# Per-host override for the Pi-hole admin interface. Only the
# "pihole.mylab.domain" vhost is affected; other names served by this
# lighttpd instance keep their existing settings.
$HTTP["host"] == "pihole.mylab.domain" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
# ssl.pem is the leaf cert + private key concatenated by the renew hook
# (hook.sh); the hook leaves it root-owned with mode 400.
ssl.pemfile = "/etc/lighttpd/certs/pihole.mylab.domain/ssl.pem"
# Issuer chain written by `acme.sh --installcert --capath`.
# NOTE(review): in newer lighttpd releases ssl.ca-file is meant for
# client-certificate verification and the chain is expected inside
# ssl.pemfile -- confirm for your version; if so, have the hook
# concatenate acme.sh's full chain rather than the leaf cert.
ssl.ca-file = "/etc/lighttpd/certs/pihole.mylab.domain/ca.cer"
# Generated with `openssl dhparam` in step one (4096-bit, DSA-style params).
ssl.dh-file = "/etc/lighttpd/certs/pihole.mylab.domain/dhparam.pem"
# Server preference wins over the client's cipher ordering.
ssl.honor-cipher-order = "enable"
# Forward-secret ECDHE/DHE suites, AES-GCM preferred. Only TLS 1.2-era
# names are listed, and nothing here pins a minimum protocol version, so
# TLS 1.0/1.1 may remain negotiable on older lighttpd -- verify with a TLS
# scan after reload.
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
# Disable TLS compression (CRIME) and the SSLv2/SSLv3 protocols (POODLE).
# Recent lighttpd releases deprecate these three directives (their defaults
# already disable the features); expect warnings at config-test time and
# drop them if your version rejects them.
ssl.use-compression = "disable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
# Redirect HTTP to HTTPS
# %0 is the host captured by the enclosing condition and $0 the matched
# request URI, so the redirect preserves both.
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
Create a post-renew install hook (vim /root/.acme.sh/pihole/hook.sh):
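#!/bin/bash
# acme.sh --reloadcmd hook for pihole.mylab.domain: assembles lighttpd's
# ssl.pemfile (cert + key) from acme.sh's output, locks down its permissions
# and restarts lighttpd. Runs as root from acme.sh's cron job after renewal.
set -euo pipefail
# Without this, `>` creates ssl.pem under the default umask (typically
# world-readable) and the private key is exposed until the chmod below runs.
umask 077

dom="pihole.mylab.domain"
dest="/etc/lighttpd/certs/pihole.mylab.domain" # lighttpd ssl folder created in step one
# acme.sh root path for your domain. NOTE(review): if the cert was issued
# with an EC key, acme.sh may keep it in a "${dom}_ecc" directory instead --
# check /root/.acme.sh.
croot="/root/.acme.sh/${dom}"
sslfile="${dest}/ssl.pem"
# Leaf cert only. acme.sh also writes fullchain.cer next to it; use that if
# your lighttpd expects the issuer chain inside ssl.pemfile.
certfile="${croot}/${dom}.cer"
keyfile="${croot}/${dom}.key"

[[ -d "${dest}" ]] || { printf 'hook.sh: missing cert directory %s\n' "${dest}" >&2; exit 1; }

echo "Copying certificate"
# Build the pemfile in a temp file in the same directory and rename it into
# place, so lighttpd never reads a half-written file if the hook is
# interrupted; the trap removes the temp file on any early exit.
tmp=$(mktemp -- "${sslfile}.XXXXXX")
trap 'rm -f -- "${tmp}"' EXIT
/bin/cat -- "${certfile}" "${keyfile}" > "${tmp}"
echo "Settings perms"
chown root:root -- "${tmp}"
chmod 400 -- "${tmp}"
mv -f -- "${tmp}" "${sslfile}"
echo "Restarting lighttpd service"
/bin/systemctl restart lighttpd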
Make the hook executable:
# Mark the hook executable so acme.sh can run it via --reloadcmd.
chmod +x -- /root/.acme.sh/pihole/hook.sh
Deploy certs and wire things up:
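# Register the cert with acme.sh's renewal machinery: --capath writes the
# issuer chain to the path lighttpd's ssl.ca-file expects, and --reloadcmd
# is re-run after every automatic renewal (the hook assembles ssl.pem and
# restarts lighttpd itself).
# Use the installed path: the `acme.sh` alias the installer adds to root's
# shell rc may not be available in the shell that performed the install.
/root/.acme.sh/acme.sh --installcert -d pihole.mylab.domain \
  --capath /etc/lighttpd/certs/pihole.mylab.domain/ca.cer \
  --reloadcmd '/root/.acme.sh/pihole/hook.sh'
# verify autorenew cronjob has been installed (look for an acme.sh --cron entry)
crontab -l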
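# Second recipe: UniFi Cloud Key, using acme.sh's built-in unifi deploy hook
# instead of a custom reload script.
# Replace the argument with your address (the installer takes
# email=<address>); -f keeps an HTTP error page from being piped into sh.
curl -fsS https://get.acme.sh | sh -s [email protected]
# change into the install directory; the installer creates it in $HOME, so
# do not rely on the current working directory
cd -- "${HOME}/.acme.sh" || exit 1
# optional - set letsencrypt as the default CA
# (./acme.sh like the lines below; the bare `acme.sh` alias is only set up
# for new shells)
./acme.sh --set-default-ca --server letsencrypt
# set API key and email login env variables:
# CF_Key/CF_Email is the account-wide Global API Key, which grants full
# access to everything in the Cloudflare account. Prefer a scoped API token
# limited to DNS edits on this zone (CF_Token with CF_Account_ID/CF_Zone_ID,
# as in the Pi-hole recipe above). Either way acme.sh stores the values in
# its own config for renewals. The values below are placeholders.
export CF_Key="Cloudflare_Global_API_Key"
export CF_Email="Your_Email_Accessing_Cloudflare"
# issue the desired certificate and deploy on keystore
./acme.sh --issue --dns dns_cf -d cloudkey.example.com
./acme.sh --deploy -d cloudkey.example.com --deploy-hook unifi
# verify autorenew cronjob has been installed (look for an acme.sh --cron entry)
crontab -l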
WIP