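{ config, lib, pkgs, ... }:

# Unbound as a validating, caching resolver for the listed private subnets.
# All recursion is forwarded upstream over DNS-over-TLS (Cloudflare and Quad9);
# an included file supplies the adblocking local-zone entries.
{
  services.unbound = {
    enable = true;

    # DNSSEC validation with the root trust anchor managed by the module.
    enableRootTrustAnchor = true;

    # Control socket used by unbound-control.
    localControlSocketPath = "/run/unbound/unbound.ctl";

    # Point this host's own resolver configuration at unbound.
    resolveLocalQueries = true;

    settings = {
      # Adblocking. `include:` is a top-level unbound.conf directive, so the
      # file is spliced in at this point and must itself be valid unbound.conf
      # syntax there (carry its own `server:` clause if it only holds
      # local-zone / local-data lines). The file must exist at service start.
      include = "/etc/unbound/big.conf";

      # Everything below is a `server:` option. Keys placed directly under
      # `settings` are rendered at the top level of unbound.conf, where Unbound
      # does not accept them, so they belong in this section.
      server = {
        # Bind to each private gateway address plus loopback (v4 and v6).
        interface = [
          "10.10.100.1@53"
          "10.10.104.1@53"
          "10.10.108.1@53"
          "10.10.112.1@53"
          "10.10.113.1@53"
          "10.25.0.12@53"
          "10.160.8.1@53"
          "127.0.0.1@53"
          "::1@53"
        ];

        # Answer only clients on the private subnets and loopback; any other
        # source falls through to Unbound's default refuse, so this is not an
        # open resolver even though it listens on several interfaces.
        access-control = [
          "10.10.100.0/22 allow"
          "10.10.104.0/22 allow"
          "10.10.108.0/22 allow"
          "10.10.112.0/24 allow"
          "10.10.113.0/24 allow"
          "10.25.0.0/24 allow"
          "10.160.8.0/22 allow"
          "127.0.0.0/8 allow"
          "::1 allow"
        ];

        # Query logging: every client query (source address + name) is written
        # to the log. Useful for troubleshooting, but high-volume and privacy
        # sensitive, so treat the log file as confidential and rotate it.
        # NOTE(review): the NixOS unbound unit applies filesystem sandboxing;
        # confirm /var/log/unbound.log is writable by the unbound user, or drop
        # `logfile` and let messages go to the journal instead.
        logfile = "/var/log/unbound.log";
        log-queries = "yes";

        # Cache sizing. msg-cache-size is a byte count; the slab counts should
        # be powers of two matching the number of threads.
        infra-cache-slabs = "4";
        key-cache-slabs = "4";
        msg-cache-size = "128525653";
        msg-cache-slabs = "4";

        # Refresh popular records (and the DNSSEC keys needed to validate them)
        # shortly before they expire so clients rarely see a cold cache.
        prefetch = "yes";
        prefetch-key = "yes";

        # CA bundle used to verify the certificates of the DoT upstreams below.
        # Without certificate verification, forward-tls-upstream only provides
        # transport encryption, not authentication of the upstream.
        tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";

        # Do not answer id.server / version.bind (CHAOS) probes with the
        # software identity or version.
        hide-identity = "yes";
        hide-version = "yes";
      };

      # Forward all queries to Cloudflare and Quad9 over DNS-over-TLS (port 853).
      # The `#hostname` suffix is the name the upstream certificate is checked
      # against, which is what makes tls-cert-bundle verification meaningful.
      forward-zone = [
        {
          name = ".";
          forward-addr = [
            "1.1.1.1@853#cloudflare-dns.com"
            "2606:4700:4700::1111@853#cloudflare-dns.com"
            "9.9.9.9@853#dns.quad9.net"
            "2620:fe::fe@853#dns.quad9.net"
          ];
          forward-tls-upstream = true;
        }
      ];
    };
  };
}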