{ ... }:

{
  # all unbound requests are just proxied to resolved served on 127.0.0.53
  services.resolved = {
    enable = true;
  };

  networking.firewall.interfaces.wg0.allowedUDPPorts = [ 53 ];

  services.unbound = {
    enable = true;
    user = "unbound";
    group = "unbound";
    resolveLocalQueries = false;

    settings = {
      server = {
        verbosity = 5;

        # number of threads to create. 1 disables threading.
        num-threads = 1;

        # specify the interfaces to answer queries from by ip-address.
        # The default is to listen to localhost (127.0.0.1 and ::1).
        # specify 0.0.0.0 and ::0 to bind to all available interfaces.
        # specify every interface[@port] on a new 'interface:' labelled line.
        # The listen interfaces are not changed on reload, only on restart.
        # morj note: only answer queries as vpn server
        interface = [ "192.168.10.1" ];

        # enable this feature to copy the source address of queries to reply.
        # Socket options are not supported on all platforms. experimental.
        # interface-automatic: yes
        #
        # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
        # NOTE: Disabled per Fedora policy not to listen to * on default install
        # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
        interface-automatic = "no";

        # Prefer ipv4 upstream servers, even if ipv6 is available.
        prefer-ip4 = "no";

        # Maximum UDP response size (not applied to TCP response).
        # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
        # 3072 causes +dnssec any isc.org queries to need TC=1.
        # Helps mitigating DDOS
        max-udp-size = 3072;

        # Enable IPv4, "yes" or "no".
        do-ip4 = "yes";

        # Enable IPv6, "yes" or "no".
        do-ip6 = "yes";

        # morj note: same subnet we're listening on
        # control which clients are allowed to make (recursive) queries
        # to this server. Specify classless netblocks with /size and action.
        # By default everything is refused, except for localhost.
        # Choose deny (drop message), refuse (polite error reply),
        # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
        # allow_snoop (recursive and nonrecursive ok)
        # deny_non_local (drop queries unless can be answered from local-data)
        # refuse_non_local (like deny_non_local but polite error reply).
        access-control = [ "192.168.10.0/24 allow_snoop" ];
        # access-control: 0.0.0.0/0 refuse
        # access-control: 127.0.0.0/8 allow
        # access-control: ::0/0 refuse
        # access-control: ::1 allow
        # access-control: ::ffff:127.0.0.1 allow

        # print UTC timestamp in ascii to logfile, default is epoch in seconds.
        log-time-ascii = "yes";

        # if yes, the above default do-not-query-address entries are present.
        # if no, localhost can be queried (for testing and debugging).
        # morj note: important for my use case as a proxy DNS
        do-not-query-localhost = "no";

        # module configuration of the server. A string with identifiers
        # separated by spaces. Syntax: "[dns64] [validator] iterator"
        # most modules have to be listed at the beginning of the line,
        # except cachedb(just before iterator), and python (at the beginning,
        # or, just before the iterator).
        module-config = ''"validator iterator"'';

        # without this setting, requests to upstream servers fail with timeout
	tcp-upstream = "yes";
      };

      # Forward to systemd-resolved for all requests
      forward-zone = {
        name = ".";
        forward-addr = "127.0.0.53";
        forward-first = "no";
      };
    };
  };
}