pi/services/unbound.nix
Katharina Heidenreich ecf10628c3 feat: try rework
2026-04-04 16:34:02 +02:00


# Unbound as the network's DNS server, plus the firewall openings for it.
#
# Project-local inputs (not visible from this file):
#   ../config/network.nix   -> network.subnet, local_domain, fallback_dns_servers
#   ../intermediate/dns.nix -> dnsMappings (attrset: host name -> address)
{ config, pkgs, ... }:
let
  netCfg = import ../config/network.nix;
  hostMap = (import ../intermediate/dns.nix).dnsMappings;

  # One quoted "<name>. IN A <addr>" record per dnsMappings entry;
  # attrValues returns them ordered by attribute name.
  # Only A records are generated -- presumably every mapping is an IPv4
  # address; verify against dns.nix.
  aRecords = builtins.attrValues (
    builtins.mapAttrs (host: addr: "\"${host}. IN A ${addr}\"") hostMap
  );
in
{
  services.unbound = {
    enable = true;

    settings.server = {
      # Listens on every IPv4 and IPv6 address of the host.
      interface = [
        "0.0.0.0"
        "::0"
      ];

      # Who may query: loopback and the configured subnet. Clients that
      # match neither entry fall back to unbound's built-in default policy
      # (refuse for non-local addresses), which is what keeps this from
      # being an open resolver.
      # NOTE(review): the server also listens on "::0" but no IPv6 prefix
      # is allowed here -- confirm whether net.network.subnet is IPv4-only.
      access-control = [
        "127.0.0.1 allow"
        "${netCfg.network.subnet} allow"
      ];

      # "static": names under the local domain are answered only from
      # local-data below and are never passed to the forwarders, so
      # internal host names are not sent upstream.
      local-zone = "\"${netCfg.local_domain}.\" static";
      local-data = aRecords;
    };

    # Everything outside the local zone goes to the fallback resolvers.
    # NOTE(review): forward-tls-upstream is not set in this file, so these
    # upstream queries are presumably plain DNS -- confirm that is intended.
    settings.forward-zone = {
      name = ".";
      forward-addr = netCfg.fallback_dns_servers;
    };
  };

  # Port 53 is opened on all interfaces (these options are not scoped to
  # one NIC). If the host has an upstream-facing interface, consider
  # networking.firewall.interfaces.<name> to expose DNS on the LAN side
  # only; until then access-control above is the only restriction.
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };
}