{ flake, config, pkgs, lib, ... }:
let
  # All four agenix secrets share one shape: decrypted from the flake's
  # secrets/ directory, readable only by the unbound user (mode 0400).
  unboundSecret = name: {
    file = "${flake.self}/secrets/${name}.age";
    mode = "400";
    owner = "unbound";
  };
  secretNames = [
    "unbound_control.key"
    "unbound_control.pem"
    "unbound_server.key"
    "unbound_server.pem"
  ];
  # Runtime path of a decrypted secret, as exposed by the age module.
  secretPath = name: config.age.secrets.${name}.path;

  zone = "b12f.io";
  ttl = "10800";
  quoted = s: "\"${s}\"";

  # Hosts answered locally from local-data, in emission order.  Every host
  # yields an A record followed by an AAAA record.  vpn.* is the only entry
  # pointing at public addresses; everything else lives on the wireguard
  # network (10.13.12.0/24 and its fd00: ULA).
  hosts = [
    { fqdn = "droppie.${zone}";          v4 = "10.13.12.3";      v6 = "fd00:b12f:acab:1312:acab:3::"; }
    { fqdn = "backup.${zone}";           v4 = "10.13.12.3";      v6 = "fd00:b12f:acab:1312:acab:3::"; }
    { fqdn = "media.${zone}";            v4 = "10.13.12.3";      v6 = "fd00:b12f:acab:1312:acab:3::"; }
    { fqdn = "pie.${zone}";              v4 = "10.13.12.2";      v6 = "fd00:b12f:acab:1312:acab:2::"; }
    { fqdn = "firefly.${zone}";          v4 = "10.13.12.2";      v6 = "fd00:b12f:acab:1312:acab:2::"; }
    { fqdn = "firefly-importer.${zone}"; v4 = "10.13.12.2";      v6 = "fd00:b12f:acab:1312:acab:2::"; }
    { fqdn = "paperless.${zone}";        v4 = "10.13.12.2";      v6 = "fd00:b12f:acab:1312:acab:2::"; }
    { fqdn = "invoicing.${zone}";        v4 = "10.13.12.2";      v6 = "fd00:b12f:acab:1312:acab:2::"; }
    { fqdn = "vpn.${zone}";              v4 = "128.140.109.213"; v6 = "2a01:4f8:c2c:b60::"; }
    { fqdn = "frikandel.${zone}";        v4 = "10.13.12.7";      v6 = "fd00:b12f:acab:1312:acab:7::"; }
    { fqdn = zone;                       v4 = "10.13.12.7";      v6 = "fd00:b12f:acab:1312:acab:7::"; }
    { fqdn = "mail.${zone}";             v4 = "10.13.12.7";      v6 = "fd00:b12f:acab:1312:acab:7::"; }
  ];

  # Render one host as the two quoted local-data lines unbound expects.
  hostRecords = h: [
    (quoted "${h.fqdn}. ${ttl} IN A ${h.v4}")
    (quoted "${h.fqdn}. ${ttl} IN AAAA ${h.v6}")
  ];
in
{
  age.secrets = builtins.listToAttrs
    (map (n: { name = n; value = unboundSecret n; }) secretNames);

  # DNS is only reachable over the wireguard interface; nothing is opened on
  # the public-facing interfaces.
  networking.firewall.interfaces.wg-private = {
    allowedUDPPorts = [ 53 ];
    allowedTCPPorts = [ 53 ];
  };

  # unbound replaces systemd-resolved as the local stub resolver.
  services.resolved.enable = false;

  services.unbound = {
    enable = true;
    settings = {
      server = {
        # Externally generated blocklist (StevenBlack) pulled in verbatim.
        include = [ (quoted "${pkgs.adlist.unbound-adblockStevenBlack}") ];

        # Listen on loopback plus this host's wireguard addresses only.
        interface = [
          "127.0.0.1"
          "::1"
          "10.13.12.7"
          "fd00:b12f:acab:1312:acab:7::"
        ];

        # Queries are accepted from loopback and the wireguard network; every
        # other source falls through to unbound's default refuse policy.
        # NOTE(review): ::1 is bound above but not listed here; unbound's
        # built-in defaults allow loopback, so no entry should be needed —
        # confirm against the installed unbound version.
        access-control = [
          "127.0.0.1/32 allow"
          "10.13.12.0/24 allow"
          "fd00:b12f:acab:1312::/64 allow"
        ];

        # Only the names below are served locally; anything else under the
        # zone is still forwarded upstream (transparent).
        local-zone = [ "${quoted zone} transparent" ];
        local-data = builtins.concatMap hostRecords hosts;

        # CA bundle used to verify the DoT forwarders below.
        tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
      };

      # Everything not answered locally goes to dns0.eu over TLS.  The
      # "#dns0.eu" suffix pins the certificate name the forwarder must present.
      forward-zone = [
        {
          name = ".";
          forward-addr = [
            "193.110.81.0#dns0.eu"
            "2a0f:fc80::#dns0.eu"
            "185.253.5.0#dns0.eu"
            "2a0f:fc81::#dns0.eu"
          ];
          forward-tls-upstream = "yes";
        }
      ];

      # unbound-control, mutually authenticated with the agenix-managed key
      # pairs.  control-interface is left at its default, which presumably
      # keeps the control socket on loopback only.
      remote-control = {
        control-enable = true;
        control-key-file = secretPath "unbound_control.key";
        server-cert-file = secretPath "unbound_server.pem";
        server-key-file = secretPath "unbound_server.key";
        control-cert-file = secretPath "unbound_control.pem";
      };
    };
  };
}