From 109565579735b6f066b3b1a1252fd7857df526ec Mon Sep 17 00:00:00 2001
From: Caroline Larimore
Date: Tue, 3 Mar 2026 20:51:31 -0800
Subject: unbound: initial setup
---
 modules/nixos/services/unbound/default.nix | 55 +++++++++++++++++++++++++++++
 systems/x86_64-linux/copenhagen/default.nix | 2 ++
 2 files changed, 57 insertions(+)
 create mode 100644 modules/nixos/services/unbound/default.nix
diff --git a/modules/nixos/services/unbound/default.nix b/modules/nixos/services/unbound/default.nix
new file mode 100644
index 0000000..a926b55
--- /dev/null
+++ b/modules/nixos/services/unbound/default.nix
@@ -0,0 +1,55 @@
+{ options, config, lib, namespace, pkgs, ... }:
+
+with lib; with lib.${namespace}; let
+ cfg = config.${namespace}.services.unbound;
+ impermanence = config.${namespace}.system.impermanence;
+in {
+ options.${namespace}.services.unbound = with types; {
+ enable = mkEnableOption "unbound dns server";
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
+
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ logfile = "unbound.log";
+ verbosity = 3;
+
+ interface = [
+ "0.0.0.0"
+ "::0"
+ ];
+ access-control = [
+ "10.0.0.0/8 allow"
+ "192.168.0.0/16 allow"
+ "2001:DB8::/64 allow"
+ ];
+
+ do-not-query-localhost = false;
+
+ local-zone = ''"cxl.sh." redirect'';
+ local-data = [
+ ''"cxl.sh. 30 IN A 192.168.254.11"''
+ ];
+ };
+
+ forward-zone = [{
+ name = ".";
+ # sobbing
+ # forward-addr = [
+ # "1.1.1.1@853#cloudflare-dns.com"
+ # "1.0.0.1@853#cloudflare-dns.com"
+ # ];
+ forward-addr = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ }];
+ };
+ };
+ };
+}
diff --git a/systems/x86_64-linux/copenhagen/default.nix b/systems/x86_64-linux/copenhagen/default.nix
index 3fc6f53..d0659c6 100644
--- a/systems/x86_64-linux/copenhagen/default.nix
+++ b/systems/x86_64-linux/copenhagen/default.nix
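Review bot: The resolver binds every address (`interface = [ "0.0.0.0" "::0" ]`) while `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` open 53 on all interfaces, so the `access-control` list is the only thing stopping hosts outside the listed ranges from reaching the daemon; if copenhagen has a public-facing interface, scope the firewall rule with `networking.firewall.interfaces.<lan-iface>.allowedUDPPorts = [ 53 ];` (and the TCP counterpart) so the listener is never reachable from there. The `"2001:DB8::/64 allow"` entry is the RFC 3849 documentation prefix, so it presumably never matches a real client and looks like a leftover placeholder; drop it or substitute the site's real prefix. The commented-out `@853` forwarders most likely failed because DNS-over-TLS in a forward-zone also needs `forward-tls-upstream = true;` (plus a `tls-cert-bundle` in `server`, which I believe the NixOS module sets by default), and as written all upstream queries now leave in plaintext to 1.1.1.1/1.0.0.1. Minor: `impermanence`, `pkgs` and `options` are bound but unused, and `verbosity = 3` is debug-level output that will be noisy (and records client queries) once this runs for real.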
@@ -63,6 +63,8 @@ with lib; with lib.${namespace}; {
 adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDO8JxqS7B2n3YlNtlVMZGARi+GG/z7wLiiyl52qSZc caroline@larimo.re";
 host = "git.cxl.sh";
 };
+
+ unbound.enable = true;
 };
 };
-- 
cgit v1.2.3