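# NixOS container running an Unbound recursive resolver, with a static local
# zone that serves the internal.smayzy.ovh host records.
{ lib, config, ... }:

let
  inherit (lib) mkIf mkOption types;
  cfg = config.smayzy.containers.nixos.unbound;
  # Shared container networking settings; bridge, gateway and dns are read below.
  net = config.smayzy.containers.networking;
in
{
  options.smayzy.containers.nixos.unbound = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "unbound nixos ct";
    };
    # No default: this must be set whenever enable = true, because it becomes
    # the container's localAddress.
    ip = mkOption {
      type = types.str;
      description = "ip addr e.g. (192.168.1.20)";
    };
  };

  config = mkIf cfg.enable {
    containers.unbound = {
      autoStart = true;
      # Own network namespace, attached to the host bridge with a fixed address.
      privateNetwork = true;
      hostBridge = net.bridge;
      localAddress = cfg.ip;

      config = { ... }: {
        system.stateVersion = "25.11";

        services.unbound = {
          enable = true;
          settings = {
            server = {
              # Listens on every IPv4 address of the container. Together with
              # the firewall rules below, access-control is the only thing
              # limiting who may use this resolver.
              interface = [ "0.0.0.0" ];
              qname-minimisation = "yes";
              minimal-responses = "no";

              # NOTE(review): every record below is in 192.168.1.x; if that is
              # the only client network, a narrower prefix than /16 would keep
              # the resolver closed to other RFC 1918 segments routed to it.
              access-control = [
                "127.0.0.0/8 allow"
                "192.168.0.0/16 allow"
              ];

              # DNS-rebinding protection: strip private and link-local
              # addresses from answers for public names. Without any
              # private-address entry, the private-domain exemption below has
              # nothing to exempt from and no filtering takes place.
              # local-data records are not affected by this filter.
              private-address = [
                "10.0.0.0/8"
                "172.16.0.0/12"
                "192.168.0.0/16"
                "169.254.0.0/16"
                "fd00::/8"
                "fe80::/10"
              ];
              # Names under this domain may still resolve to private addresses.
              private-domain = [ "internal.smayzy.ovh" ];

              # "static": names in the zone without local-data get
              # NXDOMAIN/NODATA instead of being sent upstream, so internal
              # host names are not leaked to public resolvers.
              local-zone = [ "internal.smayzy.ovh. static" ];

              # NOTE(review): unbound.conf(5) points to a stub-zone for CNAME
              # support; in a static local-zone the CNAME entries below are
              # presumably returned without the target's A record. Confirm that
              # clients resolve them, or replace them with A records.
              local-data = [
                ''"npm-local.internal.smayzy.ovh. A 192.168.1.181"''
                ''"npm.internal.smayzy.ovh. A 192.168.1.200"''
                ''"nfs-srv1.internal.smayzy.ovh. A 192.168.1.48"''
                ''"traefik.internal.smayzy.ovh. A 192.168.1.203"''
                # NOTE(review): "internal.internal" looks like a typo; confirm
                # which name was intended (npm.internal.smayzy.ovh already has
                # an A record above).
                ''"npm.internal.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"bazarr-anime.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"bazarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"lidarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"nzbget.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"prowlarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"qbittorrent.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"radarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"sonarr-anime.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"sonarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                ''"srv1-proxmox.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
                # Kept on one line: a line break inside the quoted record would
                # end up in the generated unbound.conf.
                ''"srv2-proxmox.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ];
            };
          };
        };

        networking.defaultGateway = net.gateway;
        # Resolvers used by the container's own system, taken from the shared
        # networking settings.
        networking.nameservers = net.dns;

        # DNS over both transports; TCP is needed for truncated/large answers.
        networking.firewall.allowedTCPPorts = [ 53 ];
        networking.firewall.allowedUDPPorts = [ 53 ];
      };
    };
  };
}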