nixos-servers/services/ns/resolver.nix

{ pkgs, ... }: {
  homelab.monitoring.scrapeTargets = [{
    job_name = "unbound";
    port = 9167;
  }];

  networking.firewall.allowedTCPPorts = [
    53
  ];
  networking.firewall.allowedUDPPorts = [
    53
  ];

  services.prometheus.exporters.unbound = {
    enable = true;
    unbound.host = "unix:///run/unbound/unbound.ctl";
  };

  # Grant exporter access to unbound socket
  systemd.services.prometheus-unbound-exporter.serviceConfig.SupplementaryGroups = [ "unbound" ];

  services.unbound = {
    enable = true;

    settings = {
      server = {
        access-control = [
          "127.0.0.0/8 allow"
          "0.0.0.0/0 allow"
        ];
        local-zone = "home.2rjus.net nodefault";
        domain-insecure = "home.2rjus.net";
        interface = "0.0.0.0";
        do-not-query-localhost = "no";
        port = "53";
        do-ip4 = "yes";
        do-ip6 = "no";
        do-udp = "yes";
        do-tcp = "yes";
        extended-statistics = true;

        # Recover faster from upstream failures (e.g. ISP outage)
        # Default 900s is too long - keeps marking servers as bad
        infra-host-ttl = 120;
        # Clean up stale TLS connections faster (default 60s)
        tcp-reuse-timeout = 15;
      };
      remote-control = {
        control-enable = true;
        control-interface = "/run/unbound/unbound.ctl";
      };
      stub-zone = {
        name = "home.2rjus.net";
        stub-addr = [
          "127.0.0.1@8053"   # Local NSD
          "10.69.13.5@8053"  # ns1
          "10.69.13.6@8053"  # ns2
        ];
      };
      forward-zone = {
        name = ".";
        forward-tls-upstream = "yes";
        # forward-addr = "1.1.1.1@853#cloudflare-dns.com";
        forward-addr = [
          "1.1.1.1@853#cloudflare-dns.com"
          "1.0.0.1@853#cloudflare-dns.com"
          "8.8.8.8@853#dns.google"
          "8.8.4.4@853#dns.google"
        ];
      };
    };
  };
}