# NixOS module: runs an Unbound DNS resolver in a declarative NixOS container
# attached to a host bridge, serving a static internal.smayzy.ovh. zone.
{ lib, config, ... }:

let
  ctCfg = config.smayzy.containers.nixos.unbound;
in
{
  options.smayzy.containers.nixos.unbound = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "unbound nixos ct";
    };

    # No default is declared, so this has to be set when enable = true.
    bridge = lib.mkOption {
      type = lib.types.str;
      description = "the bridge to use e.g. (br0)";
    };

    # No default is declared, so this has to be set when enable = true.
    # NOTE(review): the value is passed unchanged to containers.<name>.localAddress;
    # with hostBridge the NixOS docs ask for an address with a netmask
    # (e.g. a /24 suffix) -- confirm what callers pass.
    ip = lib.mkOption {
      type = lib.types.str;
      description = "ip addr e.g. (192.168.1.20)";
    };
  };

  config = lib.mkIf ctCfg.enable {
    containers.unbound = {
      autoStart = true;

      # Own network namespace; the container's interface is attached to the
      # host bridge chosen by the caller.
      privateNetwork = true;
      hostBridge = ctCfg.bridge;
      localAddress = ctCfg.ip;

      config = { ... }: {
        system.stateVersion = "25.11";

        # DNS over both transports. The firewall does not filter by source;
        # client filtering is left to unbound's access-control below.
        networking.firewall = {
          allowedTCPPorts = [ 53 ];
          allowedUDPPorts = [ 53 ];
        };

        services.unbound = {
          enable = true;
          settings.server = {
            # Listen on every IPv4 address of the container.
            interface = [ "0.0.0.0" ];
            qname-minimisation = "yes";

            # Only loopback and 192.168.0.0/16 may query; unbound refuses
            # other sources by default.
            # NOTE(review): every record below is in 192.168.1.x; if that /24
            # is the only client network, the /16 could be narrowed -- confirm.
            access-control = [
              "127.0.0.0/8 allow"
              "192.168.0.0/16 allow"
            ];

            # "static": names under this zone are answered only from
            # local-data; unlisted names are not resolved upstream.
            local-zone = [ "internal.smayzy.ovh. static" ];

            # Each entry keeps its inner double quotes as part of the value.
            # NOTE(review): unbound is documented as not offering full CNAME
            # handling for local-data; check that clients querying A for the
            # CNAME names actually receive an address.
            local-data = [
              ''"npm-local.internal.smayzy.ovh. A 192.168.1.181"''
              ''"npm.internal.smayzy.ovh. A 192.168.1.200"''
              ''"nfs-srv1.internal.smayzy.ovh. A 192.168.1.48"''
              ''"bazarr-anime.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"bazarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"lidarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"nzbget.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"prowlarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"qbittorrent.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"radarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"sonarr-anime.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"sonarr.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"srv1-proxmox.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
              ''"srv2-proxmox.internal.smayzy.ovh. CNAME npm-local.internal.smayzy.ovh."''
            ];
          };
        };
      };
    };
  };
}