From ffec6e9b2995b1057138ba5a5d40fbeacf05f576 Mon Sep 17 00:00:00 2001
From: smayzy
Date: Thu, 28 Aug 2025 14:23:39 +0200
Subject: [PATCH] add unbound to server1

---
 hosts/server1/configuration.nix | 15 +++++--
 modules/nix/containers/nixos/default.nix | 1 +
 modules/nix/containers/nixos/unbound.nix | 57 ++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 4 deletions(-)
 create mode 100644 modules/nix/containers/nixos/unbound.nix

diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix
index 9ca47e1..92cbee9 100644
--- a/hosts/server1/configuration.nix
+++ b/hosts/server1/configuration.nix
@@ -15,10 +15,17 @@
 smayzy = {
 server.enable = true;
- containers.nixos.httpd = {
- enable = true;
- bridge = "br0";
- ip = "192.168.1.201/24";
+ containers.nixos= {
+ httpd = {
+ enable = true;
+ bridge = "br0";
+ ip = "192.168.1.201/24";
+ };
+ unbound = {
+ enable = true;
+ bridge = "br0";
+ ip = "192.168.1.202/24";
+ };
 };
 };
diff --git a/modules/nix/containers/nixos/default.nix b/modules/nix/containers/nixos/default.nix
index 898eb13..b448ca4 100644
--- a/modules/nix/containers/nixos/default.nix
+++ b/modules/nix/containers/nixos/default.nix
@@ -2,5 +2,6 @@
 {
 imports = [
 ./httpd.nix
+ ./unbound.nix
 ];
 }
diff --git a/modules/nix/containers/nixos/unbound.nix b/modules/nix/containers/nixos/unbound.nix
new file mode 100644
index 0000000..4787111
--- /dev/null
+++ b/modules/nix/containers/nixos/unbound.nix
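Review bot: The rewritten attribute on the added line `containers.nixos= {` drops the space before `=`, unlike every other binding in this hunk (`server.enable = true;`, `enable = true;`); it should read `containers.nixos = {` so the file stays uniform and nixfmt-clean. The two container entries are otherwise parallel, which is what the module split in default.nix expects. Both sit on the same `br0` with addresses one apart, so any access rules written for the httpd container's subnet will cover the resolver too.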
@@ -0,0 +1,57 @@
+{ lib, config, ... }:
+let
+ inherit (lib) mkIf mkOption types;
+ cfg = config.smayzy.containers.nixos.unbound;
+in
+{
+ options.smayzy.containers.nixos.unbound = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "unbound nixos ct";
+ };
+ bridge = mkOption {
+ type = types.str;
+ description = "the bridge to use e.g. (br0)";
+ };
+ ip = mkOption {
+ type = types.str;
+ description = "ip addr e.g. (192.168.1.20)";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ containers.unbound = {
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = cfg.bridge;
+ localAddress = cfg.ip;
+ config = { ... }: {
+ system.stateVersion = "25.11";
+
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [ "0.0.0.0" ];
+ qname-minimisation = "yes";
+ access-control = [
+ "127.0.0.0/8 allow"
+ "192.168.0.0/16 allow"
+ ];
+ local-zone = [ "internal.smayzy.ovh. static" ];
+ local-data = [
+ ''"npm-local.internal.smayzy.ovh. A 192.168.1.181"''
+ ''"npm.internal.smayzy.ovh. A 192.168.1.200"''
+
+ ''"qbittorrent.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
+ ];
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
+ };
+ };
+ };
+}
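Review bot: `access-control` in the `server` block admits all of `192.168.0.0/16`, which is wider than the `192.168.1.0/24` the container is placed on via `localAddress` in configuration.nix; because `interface = [ "0.0.0.0" ]` and the container firewall opens 53/tcp and 53/udp, this allow list is the only thing deciding who may use the recursive resolver, so it should be narrowed to `access-control = [ "127.0.0.0/8 allow" "192.168.1.0/24 allow" ];`. The resolver also serves RFC 1918 addresses for `internal.smayzy.ovh` but sets no `private-address`, so, as far as this config shows, upstream answers pointing at LAN addresses for arbitrary external names are accepted as-is (DNS rebinding); adding `private-address = [ "192.168.0.0/16" ];` with `private-domain = [ "internal.smayzy.ovh" ];` is the documented way to reject those while exempting the local zone. Whether DNSSEC validation is active is left to the NixOS module's `enableRootTrustAnchor` default, which the hunk never sets; pinning `services.unbound.enableRootTrustAnchor = true;` makes that intent explicit. Finally, the `ip` option's description says `e.g. (192.168.1.20)` while configuration.nix passes `192.168.1.202/24` and the value goes straight into `localAddress`, so the description should read `"container address with prefix length, e.g. 192.168.1.20/24"` and `"unbound nixos ct"` deserves a sentence such as `"Run an unbound recursive resolver in a bridged NixOS container"`.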